North Korean state-sponsored hackers are targeting cryptocurrency workers with a new phishing campaign on LinkedIn and Indeed, plagiarizing resumes and other people’s profiles to land remote work at crypto firms, security researchers at Mandiant said.
Malwarebytes cybersecurity researcher Hossein Jazi published details of the attack on Twitter. His analysis shows that the hackers used a PDF describing a non-existent “engineering manager, product security” role at crypto giant Coinbase.
The objective of this campaign is to gain access to these firms’ internal operations and projects and to gather data about upcoming trends, including Ethereum network development, potential security lapses, and non-fungible tokens (NFTs).
This information reportedly helps North Korean threat actors launder cryptocurrency, which the Pyongyang government can later use to counter Western sanctions.
Joe Dobson, a principal analyst at Mandiant, told the press that “It comes down to insider threats. If someone gets hired onto a crypto project, and they become a core developer, that allows them to influence things, whether for good or not.”
This phishing campaign also shares similarities with Operation In(ter)ception, in which hackers sent LinkedIn phishing messages containing job offers to targeted employees in relevant sectors. The malicious files were delivered either by email or as a OneDrive link on LinkedIn; ESET first exposed the operation in June 2020.
“Once the recipient opened the file, a seemingly innocent PDF document with salary information related to the fake job offer was displayed. Meanwhile, the malware was silently deployed on the victim’s computer. In this way, the attackers established an initial foothold and reached a solid persistence on the system,” ESET reported.
Although the government of North Korea has denied any involvement in cyber-related theft, U.S. federal agencies, including the Department of State and the FBI, earlier this year issued warnings to organizations against hiring freelancers from North Korea, since such freelancers may be misleading businesses about their true identities and their DPRK state backing.