CrowdStrike Exposes North Korea’s Covert Workforce In U.S. Tech

A recent report from CrowdStrike reveals that North Korean nation-state attackers have successfully infiltrated more than 100 covert team members into U.S.-based aerospace, defense, retail, and technology companies by posing as job applicants.

The report exposes how the North Korea-linked adversary group FAMOUS CHOLLIMA has been using falsified and stolen identity documents to secure employment as remote I.T. personnel, allowing them to carry out espionage activities and data exfiltration unnoticed.

Associated with North Korea’s advanced cyberwarfare organizations, the Reconnaissance General Bureau (RGB) and Bureau 75, FAMOUS CHOLLIMA specializes in insider threats at scale, using their positions to earn salaries funneled back to North Korea for weapons programs while conducting espionage operations.

“The most concerning aspect of FAMOUS CHOLLIMA’s campaign is the extensive insider threat it poses. CrowdStrike has identified over a hundred victims, mostly from U.S. companies that unknowingly hired North Korean operatives,” said Adam Meyers, head of counter adversary operations at CrowdStrike.

These individuals infiltrate organizations, particularly in the tech sector, not to contribute but to divert stolen funds to the regime’s weapons program,” Meyers added.

North Korea Seizes Opportunity to Exploit Trust

“The increase in North Korean remote work schemes highlights how adversaries are taking advantage of the trust in our remote work environment,” noted Meyers in an interview with VentureBeat.

With remote work becoming the norm post-COVID, North Korea saw an opportunity to exploit the lack of verification and security in remote hiring processes. Targeting over 100 companies with malicious insiders, FAMOUS CHOLLIMA orchestrated a coordinated campaign to infiltrate organizations and lead insider attacks.

“After COVID, remote onboarding became the norm, and thus we’ve seen stolen identities being used to pass security checks and land jobs and then used to exfiltrate data or steal funds. Fifty percent of the cases CrowdStrike observed were used for data exfiltration. The processes created to facilitate remote work are being weaponized against us,” Meyers explained.

Anatomy of North Korea’s Insider Threat Attack

“Many underestimate North Korea’s cyber capabilities, dismissing them as a ‘hermit kingdom.’ However, they have been investing in cyber talent since the late 1990s, focusing on STEM education from a young age. This sophisticated campaign shows they are a sophisticated adversary that must be taken seriously,” Meyers emphasized.

Starting in 2023, FAMOUS CHOLLIMA targeted 30 U.S.-based companies in aerospace, defense, retail, and technology, posing as U.S. residents applying for remote IT positions. Once hired, they carried out minimal job tasks while attempting to exfiltrate data using various tools like Git, SharePoint, and OneDrive.

Malicious insiders also installed Remote Monitoring and Management (RMM) tools to maintain persistence within compromised networks, enabling them to execute commands, establish footholds, and move laterally without detection. CrowdStrike’s report highlighted a 70% year-over-year increase in adversary use of RMM tools.

In April 2024, CrowdStrike Services responded to incidents where FAMOUS CHOLLIMA insiders targeted more than 30 U.S.-based companies, ultimately uncovering a coordinated campaign across multiple sectors.

FBI and DOJ Response to Insider Threats

The FBI issued an alert warning businesses about North Korea’s activities, while the Department of Justice swiftly acted against individuals involved in facilitating the schemes. Indictments revealed how North Korean operatives gained access to IT firms and ran laptop farms to funnel funds to North Korea’s weapons program.

“The Justice Department arrested a Tennessee man for running a laptop farm scheme that helped North Korean I.T. workers secure remote jobs at Fortune 500 companies. This aligns with CrowdStrike’s findings on FAMOUS CHOLLIMA’s activities,” Meyers concluded.