Microsoft Shuts Down Approximately 3,000 Accounts Linked to North Korea in Global IT Fraud Operation

Microsoft revoked access to accounts used by North Korean cyber operatives masquerading as remote tech workers in a comprehensive hacking operation tied to a $600 million laptop farm cybersecurity breach.

In a significant development, the Democratic People's Republic of Korea (DPRK) has been found to support a sophisticated cyber fraud scheme involving North Korean IT workers posing as remote employees for global companies. This operation, codenamed "Jasper Sleet" by Microsoft's Threat Intelligence Center, has been using advanced technologies such as artificial intelligence (AI) to enhance its tactics.

The scheme begins with the creation of fake identities using stolen or rented information. AI tools are employed to refine these identities, replacing images in stolen documents and refining worker photos to appear more professional. AI is also used to generate flawless resumes, cover letters, and project portfolios, reducing grammar and formatting errors. Voice-changing software is used to mask identities during communications, making interview processes more deceptive.

Fake personas are supported by meticulously curated digital footprints on platforms like LinkedIn and GitHub. Entire fake identities are built with consistent online profiles to avoid detection. Virtual Private Networks (VPNs), Virtual Private Servers (VPSs), and remote monitoring and management (RMM) tools like TeamViewer and AnyDesk are used to conceal true locations. Facilitators are involved in creating bank accounts and purchasing mobile phone numbers or SIM cards for the IT workers.

The fake employees use these stolen or forged identities to secure lucrative remote positions. The DPRK-supported operation leverages a manpower network of trained operatives, some located in China and Russia.

Microsoft has developed a custom machine learning solution to identify suspicious accounts exhibiting behaviours aligned with known DPRK tactics. The FBI has conducted raids on "laptop farms" used by foreign IT workers to remotely log in and hide their real locations. As part of their collaboration with Microsoft, the US Department of Justice has seized hundreds of laptops and knocked offline about 29 financial accounts and almost two dozen websites.

Jeremy Dallman, Senior Director of Microsoft Threat Intelligence, stated that Microsoft is committed to ongoing monitoring and dismantling of the Jasper Sleet network. Funds from the Jasper Sleet network are reportedly channeled directly into Kim Jong Un's nuclear weapons program. North Korean IT workers might conduct interviews directly without intermediaries.

Microsoft warns that North Korean actors are now employing AI software to remain undetected, including grammar checks for resumes, FaceSwap technology for editing profile pictures, and voice changers for navigating remote interviews. The machine-learning software developed by Microsoft is designed to counter the developing tactics of North Korean actors, including potential use of AI-created voice and video deepfakes in interviews.

The United Nations estimates that the Jasper Sleet network generates as much as $600 million annually, making it a significant threat to national security. The scheme has infiltrated hundreds of US and foreign companies for several years. Microsoft has blocked over 3,000 Outlook and Hotmail accounts linked to North Korean IT professionals. The Jasper Sleet network is evolving quickly, according to Jeremy Dallman.

The cyber fraud scheme is also used to fund overall cybercrime operations, including cryptocurrency theft. Microsoft is strengthening ID protection and collaborating with US agencies to exchange intelligence and deploy real-time risk-detection systems. The fight against this sophisticated cyber fraud scheme is ongoing, with both Microsoft and law enforcement agencies working tirelessly to protect global businesses and national security.

In the evolving landscape of cybercrime, advanced technologies such as AI are used not only to enhance the tactics of the Jasper Sleet network but also in Microsoft's development of countermeasures. The DPRK-supported operation employs AI tools to refine fake identities and generate flawless resumes, while Microsoft incorporates AI to detect suspicious accounts and counter the developing tactics of North Korean actors, including potential use of AI-created voice and video deepfakes in interviews.

The scheme, in which North Korean IT workers pose as remote employees for global companies, is not confined to cybersecurity but also touches politics, general news, and crime and justice: it threatens national security and has been found to fund Kim Jong Un's nuclear weapons program, as well as overall cybercrime operations, including cryptocurrency theft.
