Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response

Breach Roundup: How to Spot North Korean IT Workers

Also: Ransomware Surged in 2023, MoneyGram Back in Service After Cyberattack
Breach Roundup: How to Spot North Korean IT Workers
Image: Shutterstock

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, advice on spotting North Korean staff; ransomware attacks rose; MoneyGram back online; FCC fined political operative; CISA warned of water system attacks; Ukraine restricted Telegram use; North Korean hackers used new malware; U.K. arrested alleged hacker; PSNI is in data leak talks.

See Also: OnDemand | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines

How to Avoid Hiring North Korean IT Workers

Companies building a remote workforce who don't want to accidentally hire someone from the world's most bonkers and sanctioned totalitarian regime should take a few basic steps, advised Google-owned threat intel company Mandiant.

The steps include requiring all applicants to turn on cameras during interviews "to ensure visual appearance matches online profiles," Mandiant said in a blog post based on work with companies that hired North Korean nationals. Companies should check that the interviewee matches the provided identification and "ask questions to establish the consistency of a candidate's responses in line with their purported background."

The U.S. federal government has warned since at least 2022 that remote North Korean workers may not only collect an illicit paycheck but use their programming positions to facilitate Pyongyang hacking campaigns. Federal prosecutors this year have racked up multiple criminal indictments against individuals accused of aiding the Hermit Kingdom in circumventing sanctions by running laptop farms inside the U.S. through which North Korean nationals obtain IT work for Fortune 500 companies.

One telltale sign that a new recruit is shoveling hard currency into the beleaguered North Korean economy is a laptop using an IP-based keyboard video mouse as well as the installation of remote management tools such as AnyDesk or Chrome Remote Desktop. "Connections to these remote management solutions primarily originated from IP addresses associated with Astrill VPN, likely originating from China or North Korea," Mandiant said.

Other tells: high reluctance to join video calls, telephone numbers that are Voice over Internet Protocol numbers, multiple remote admin tools installed on a single system as well as "mouse jiggling" software that keeps laptops active. "Keeping laptops on and running are key for the DPRK IT workers who often hold many jobs at once and need to appear online," Mandiant said.

The company also described the quality of the North Korean workers' coding as "below average."

Ransomware Attacks Surge 73% in 2023

The Institute for Security and Technology's Ransomware Task Force reported a 73% increase in recorded ransomware incidents worldwide in 2023 compared to the previous year, with 6,670 attacks recorded.

A Thursday report from the task force attributes the trend to big game hunting, where cybercriminals target high-value organizations for maximum payouts. Most notably, the Clop group exploited vulnerabilities in MOVEit file transfer software, contributing to approximately 666 incidents (see: Data Breach Toll Tied to Clop Group's MOVEit Attack Surges).

Healthcare and construction sectors were the most targeted, and hospitals experienced nearly double the number of attacks, from 89 incidents in 2022 to 177 in 2023. The average recovery cost for hospitals reached $2.2 million, and ransomware payments skyrocketed, exceeding $1 billion in 2023 (see: CMS Now Says 3.1 Million Affected by MOVEit Hack).

Despite increased government and industry efforts to combat ransomware, the profitability of the ransomware-as-a-service model continues to incentivize attackers, the report says.

MoneyGram Recovers From Cyberattack

MoneyGram International came back online Thursday after a cyberattack on the money transfer system forced it to yank services offline on Monday.

Headquartered in Dallas, Texas, MoneyGram processes more than $200 billion in transactions annually in more than 200 countries. A survey report published by MoneyGram earlier this month says that of those who use the service to send money abroad, nearly half said they do so to cover family food costs while more than one-third said the money is to cover emergency expenses. More than one-third reported using the service to cover housing expenses.

US FCC Fines Political Operative for Biden Deepfake

The political consultant who generated an artificial intelligence deepfake of U.S. President Joe Biden's voice in February must pay a $6 million fine to federal regulators. The U.S. Federal Communications Commission imposed the penalty on Democratic operative Steven Kramer on Thursday. "It is now cheap and easy to use artificial intelligence to clone voices and flood us with fake sounds and images," said FCC Chairwoman Jessica Rosenworcel. "We need to call it out when we see it and use every tool at our disposal to stop this fraud."

Kramer told The Associated Press in February that the calls were his attempt at a wake-up call about the dangers of AI-powered deepfakes. Then working for Biden primary challenger Rep. Dean Phillips - who denounced the calls - Kramer paid $500 to transmit a false message to nearly 4,000 potential New Hampshire voters on Jan. 21, who heard a voice they thought was Biden's urging them not to participate in the Democratic primary.

The FCC said Kramer has 30 days to pay the fine or face collections from the Department of Justice. U.S. telecom company Lingo Telecom has already agreed to a $1 million fine for transmitting the calls. Kramer still faces criminal charges in New Hampshire tied to alleged voter suppression.

US CISA Warns of Cyberattacks on Critical Infrastructure

The U.S Cybersecurity and Infrastructure Security Agency on Wednesday published a warning about cyberattacks targeting critical infrastructure networks, specifically focusing on water and wastewater systems. Attackers don't need to be uber-hackers since "unsophisticated" methods such as brute force attacks and using default credentials continue to let attackers access internet-exposed operational technology, the agency said.

CISA advised operators to strengthen defenses by changing default passwords, enabling multifactor authentication, securing human-machine interfaces behind firewalls, hardening VNC installations and applying latest patches.

CISA's warning follows a Sunday cyberattack on the Arkansas City, Kansas, water treatment facility (see: FBI, US Homeland Security Investigate Water Facility Cyberattack).

Ukraine Restricts Telegram Use Over Security Concerns

Ukraine's National Cybersecurity Coordination Center banned the use of Telegram within government agencies, military units and critical infrastructure due to national security concerns amid the ongoing war with Russia.

Secretary of the National Security and Defense Council Oleksandr Lytvynenko highlighted Telegram's security risks in a Sept. 19 meeting. Ukraine Defense Intelligence Chief Kyrylo Budanov warned that Russian intelligence could potentially access user data, including deleted messages, making Telegram a serious security threat.

Officials from Ukraine's Security Service and Armed Forces said that Russia actively uses Telegram for cyberattacks, phishing, malware distribution and missile strike coordination. The NCCC as a result restricted the app on official devices used by government, military and critical infrastructure personnel, except where specifically required.

The ban does not extend to ordinary citizens, and the app remains widely used for communication and news updates, including alerts on Russian airstrikes.

North Korean Hackers Deploy New Malware Strains

North Korean-linked threat group Kimsuky, also known as APT43, is using two new malware strains dubbed KLogEXE and FPSpy, according to researchers from Palo Alto Networks' Unit 42. These additions bolster the capabilities of the group, which has been active since 2012 and is notorious for spear-phishing attacks.

KLogEXE is a C++ version of InfoKey, a keylogger previously linked to Kimsuky’s campaigns targeting Japanese organizations. It tracks keystrokes and mouse clicks and collects information about running applications.

FPSpy, a variant of malware previously exposed by AhnLab in 2022, enhances Kimsuky's ability to gather system information, run commands, download additional payloads and enumerate drives and files.

UK Police Arrest Alleged Railway Station Hacker

Hackers targeted the Wi-Fi systems of the U.K.'s biggest national rail network to intercept captive logon pages to display Islamophobic messages.

The Wednesday evening attack affected Wi-Fi logon pages at 19 stations managed by Network Rail, changing the logon page to read "We love you, Europe" along with information about terror incidents. The Manchester Evening News reported Thursday that police arrested an employee of Wi-Fi contractor Global Reach Technology.

Affected stations include London's Liverpool Street, Paddington and Waterloo, the busiest rail stations in the United Kingdom.

PSNI Mediation Begins Over Data Leak Compensation

A mediation process involving the Police Service of Northern Ireland has begun to determine compensation for nearly 10,000 staff* affected by an August 2023 data leak that occurred when agency accidentally posted online a spreadsheet containing the first initials, surnames, roles and locations of all officers and staff.

Lingering sectarian tensions in Northern Ireland have led many police officers and civilian employees to publicly hide their employment - especially members of the Catholic community, who might not even tell family members (see: Northern Ireland Police at Risk After Serious Data Breach). Although the spreadsheet was online only for a few hours, investigators found that dissident republicans who reject the British-Irish power-sharing arrangement that brought peace to Northern Ireland managed to obtain a copy.

The final payout could reach 240 million pounds, reported the BBC.

PSNI has already accepted liability and apologized for the breach. Mediation will aim to establish a "universal offer" for compensation, although individuals are not required to accept it.

Earlier this year, the U.K. Information Commissioner's Office suggested that PSNI could face a 750,000-pound fine for the breach. Eight employees, including one officer, resigned, citing the data leak as a key factor in their decision.

Other Coverage From Last Week

*Correction Oct. 2 2024 11:50 UTC: Corrected to report that the Police Service consists of close to 10,000 officers and staff, not the lower number earlier reported.

With reporting from Information Security Media Group's Akshaya Asokan in Southern England and David Perera in Washington, D.C.


About the Author

Anviksha More

Anviksha More

Senior Subeditor, ISMG Global News Desk

More has seven years of experience in journalism, writing and editing. She previously worked with Janes Defense and the Bangalore Mirror.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.