
From Colombo to Pyongyang

Updated: Aug 12



The issue of North Korean IT workers infiltrating Western companies has become a serious international concern. These operations serve both as a source of income for the regime and as a vehicle for espionage, often in violation of international sanctions. A recent blog post from Cisco Talos Intelligence sheds new light on the matter, revealing that the DPRK's latest operation, attributed to the group tracked as "Famous Chollima," targets Indian job seekers in the cryptocurrency and blockchain sectors, using fake job offers to compromise their devices.


This discovery prompted further investigation into whether Sri Lanka is affected as well. The research uncovered evidence that Sri Lankan job seekers are also being targeted by this serious and widespread threat.


DPRK conducts these campaigns through two main approaches.


The first approach involves individuals posing as job applicants seeking employment with organizations in the West. Their goal is to get hired and, once inside, enable the next phase of the DPRK's operations. These individuals typically present themselves as highly skilled software engineers based in China, Russia, or the United Arab Emirates (UAE), and use false identities to secure employment with U.S. and other Western organizations, particularly in blockchain and decentralized finance (DeFi). Payments to these workers are often made in USDC and USDT, then routed through laundering networks and ultimately into cryptocurrency wallets controlled by DPRK entities.


According to security researchers, the DPRK's IT worker operations fall primarily under the Workers' Party of Korea's Munitions Industry Department. Researchers also assess that the IT workers and DPRK APT groups operate closely against the same targets, particularly organizations known to hold large amounts of cryptocurrency or information valuable to the regime.


Below are some resumes of North Korean IT workers.

[Figure: sample resumes of North Korean IT workers]

The second approach involves DPRK actors posing as recruiters to target legitimate job seekers. During the interview process, the fake recruiter instructs the candidate to download and run a supposed assessment or software tool. In reality the tool carries malware, which is installed under the guise of a task or problem-solving exercise.


Through this article, I aim to make organizations and job seekers in Sri Lanka aware of how important vigilance is during the hiring process, particularly at the interview stage. It is equally important for job seekers to assess the legitimacy of the employers offering them opportunities. Understanding these methods allows organizations and job seekers to detect an attack at an early stage and take preventive measures before a compromise occurs.



Who are North Korean recruiters?


DPRK cyber operations are sophisticated and continually evolving. They are particularly notable for financially motivated attacks on financial institutions, cryptocurrency companies, and gambling platforms, and they show increasing adaptability and complexity, frequently targeting high-tech companies and developing tailored malware for multiple platforms.


The proceeds from these operations are believed to fund several key areas. Espionage activity is thought to support North Korea's economic and military development plans, including its Weapons of Mass Destruction (WMD) program. Additional priorities include counterintelligence and surveillance, revenue generation, and foreign intelligence collection, particularly against the United States and the Republic of Korea (South Korea).





The IT worker mission originally began as a means of revenue generation and sanctions evasion, particularly following the implementation of U.S. and U.N. sanctions. However, it has since expanded into widespread malicious cyber activities.


Among these groups, one in particular conducts campaigns against skilled developers to gain initial access to companies. This group, tracked by different vendors as Famous Chollima or UNC5342, is the focus of this article and is directly linked to the operations targeting developers in Sri Lanka. So far, however, security researchers have not placed Famous Chollima within any published DPRK organizational hierarchy.


According to Palo Alto Networks' Unit 42, a campaign known as "Contagious Interview" typically starts with a fake job interview and a deceptive job offer. Victims are tricked into downloading software that includes BeaverTail (an infostealer and downloader), InvisibleFerret (a Python-based cross-platform backdoor), and, more recently, OtterCookie (a stealer). In 2024 this campaign targeted several cryptocurrency-related organizations, including an online casino, a market-making company, and a software development firm.


Threat actors increasingly pose as freelance clients or recruiters, approaching job seekers through platforms like LinkedIn and X (formerly Twitter). Victims are invited to online interviews and sometimes asked to complete coding challenges.


In one tactic, candidates are asked to clone a project from a trusted code-hosting platform such as Bitbucket or GitHub. The repository, however, is controlled by the threat actors and contains concealed malware such as BeaverTail, which installs silently and attempts to download the second-stage payload, InvisibleFerret.


One individual reported being contacted by a fake recruiter who asked him to execute code during an interview. When he ran it in a virtual machine, the recruiter became frustrated, having intended for it to run on the host machine. Subsequent analysis confirmed the code was malware resembling BeaverTail. Notably, the recruiter's X (Twitter) profile remained active, continuing to advertise positions such as Smart Contract Developer and Blockchain Developer. A disposable VM is a sensible precaution, but not a guarantee: a stealer still harvests whatever wallets, browser sessions, and credentials exist inside that VM, so it should contain none.





In another scenario, a commonly reported tactic, threat actors pose as clients offering temporary freelance work, often claiming the main development team is on vacation and that urgent bug fixes are needed. These short-term tasks are typically offered for payment of up to 500 USDT. One individual, fully aware that the operation was being run by an APT group, intentionally engaged and confirmed experiencing exactly this approach. The following example shows a threat actor contacting a candidate on LinkedIn with an offer of freelance work.


[Figure: LinkedIn message from a threat actor offering freelance work]


A third tactic involves arranging a video interview during which malware is delivered disguised as a legitimate video-conferencing application. Research by Group-IB and the Objective-See Foundation indicates that fake MiroTalk and FreeConference installers bundled with BeaverTail have been used against developers, who are lured into joining bogus video calls.




Why Sri Lanka?



Sri Lanka is known for producing highly skilled software developers. For many years the country retained that talent, with numerous global companies establishing offshore operations there. In recent years, however, the economic crisis has made retention increasingly difficult. The Sri Lankan government introduced various economic policies to stabilize the economy, but earnings from local employment have often proven insufficient for a comfortable standard of living, particularly after the decision to raise taxes. This has driven more professionals to seek opportunities abroad, and a significant number have already left the country. Others take on freelance work to earn extra income alongside their primary employment.


With more developers seeking opportunities abroad, the number of applicants for foreign job openings has risen. Some of these developers already work for global organizations with offshore regional offices in Sri Lanka. DPRK actors see this as an opportunity to gain access to those organizations and pivot toward their objectives, and they have targeted these applicants by luring them into fake interviews.



How was this trend identified?


Following the release of the Cisco Talos Intelligence blog on the Famous Chollima operation targeting Indian developers, an investigation revealed significant command-and-control traffic to BeaverTail servers originating from Indian IP addresses. This suggests that a substantial number of Indian applicants have been drawn into the fake interview process. The investigation then pivoted to Sri Lanka, where traffic to BeaverTail command-and-control servers was also observed. Although the volume was lower than in India, it remains considerable and is likely to grow if job seekers are unaware of the threat and do not exercise caution when dealing with organizations or recruiters during interviews.


The following chart shows the limited number of potential victims from Sri Lanka that communicated with BeaverTail C2 servers. For privacy reasons, the last octet of each IP address has been removed. A C2 contact shows that the first stage executed on that host; on its own it cannot distinguish an infected job seeker from a researcher's sandbox, so the chart is an upper bound on victims, not a confirmed count.

[Chart: Sri Lankan source addresses (last octet masked) observed contacting BeaverTail C2 servers]
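The hunt behind a chart like that one, as an added example and not the author's own analysis tooling: match outbound flows against a C2 watchlist, summarise per source host, attribute each host to an ISP allocation, and mask the last octet before the report leaves the analyst's desk. The flow-log format, the ISP ranges, and every IP address below are constructed assumptions drawn from RFC 5737 documentation space; none are real BeaverTail indicators.

```python
"""Match outbound flows against a C2 watchlist and report potential victims
by ISP with the source address's last octet masked.

Added example for this article; not the author's tooling. Assumptions:
flow logs are CSV 'ts,src_ip,dst_ip,dst_port,bytes'; the watchlist and ISP
allocations below are constructed (RFC 5737 documentation ranges), not real
BeaverTail indicators."""
import csv
import io
import ipaddress
from collections import Counter

# Constructed C2 watchlist (documentation addresses, NOT real IOCs).
C2_WATCHLIST = {
    ipaddress.ip_address("203.0.113.10"),
    ipaddress.ip_address("203.0.113.77"),
}

# Constructed ISP allocations standing in for Dialog / SLT / Mobitel.
ISP_RANGES = {
    "ISP-A": ipaddress.ip_network("198.51.100.0/25"),
    "ISP-B": ipaddress.ip_network("198.51.100.128/25"),
    "ISP-C": ipaddress.ip_network("192.0.2.0/24"),
}

# Constructed sample flow log: three hosts touch the watchlist, one does not.
SAMPLE_FLOWS = """ts,src_ip,dst_ip,dst_port,bytes
2025-08-01T10:00:00Z,198.51.100.23,203.0.113.10,443,5120
2025-08-01T10:00:05Z,198.51.100.23,203.0.113.10,443,842
2025-08-01T10:02:10Z,198.51.100.200,203.0.113.77,8080,2210
2025-08-01T10:05:00Z,192.0.2.45,203.0.113.200,443,10400
2025-08-01T11:15:31Z,192.0.2.99,203.0.113.10,443,700
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with ip_address objects and int bytes."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": rec["ts"],
            "src_ip": ipaddress.ip_address(rec["src_ip"]),
            "dst_ip": ipaddress.ip_address(rec["dst_ip"]),
            "dst_port": int(rec["dst_port"]),
            "bytes": int(rec["bytes"]),
        })
    return rows


def mask_last_octet(ip):
    """'198.51.100.23' -> '198.51.100.x', so the report can be shared
    without identifying the individual subscriber."""
    parts = str(ip).split(".")
    return ".".join(parts[:3] + ["x"])


def isp_for(ip, isp_ranges):
    """Map a source address to the ISP whose allocation contains it."""
    for name, net in isp_ranges.items():
        if ipaddress.ip_address(ip) in net:
            return name
    return "unknown"


def c2_contacts(flows, watchlist, isp_ranges):
    """Summarise every source host that contacted a watchlisted C2 address.
    Aggregation uses the full source IP; masking happens only on output."""
    per_src = {}
    for f in flows:
        if f["dst_ip"] not in watchlist:
            continue
        entry = per_src.setdefault(f["src_ip"], {"hits": 0, "bytes": 0, "servers": set()})
        entry["hits"] += 1
        entry["bytes"] += f["bytes"]
        entry["servers"].add(str(f["dst_ip"]))
    report = [
        {
            "src": mask_last_octet(src),
            "isp": isp_for(src, isp_ranges),
            "hits": e["hits"],
            "bytes": e["bytes"],
            "servers": sorted(e["servers"]),
        }
        for src, e in per_src.items()
    ]
    return sorted(report, key=lambda r: (r["isp"], r["src"]))


def victims_by_isp(report):
    """Count distinct potential victims per ISP: the series behind the chart."""
    return dict(Counter(r["isp"] for r in report))


if __name__ == "__main__":
    rows = c2_contacts(parse_flows(SAMPLE_FLOWS), C2_WATCHLIST, ISP_RANGES)
    for r in rows:
        print(f'{r["isp"]:6} {r["src"]:15} hits={r["hits"]} bytes={r["bytes"]} c2={r["servers"]}')
    print(victims_by_isp(rows))
```

Treat the output as a list of hosts to investigate rather than a count of compromised users: a watchlist hit shows the first stage ran and phoned home, and a sandbox produces the same flow as a real victim.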

The four vertices of the Diamond Model below break down how the attacks against job applicants were carried out, connecting the four core components so the dynamics of the campaign are easier to reason about.


  • Victim: job seekers connecting from Sri Lanka's primary internet service providers, Dialog, Sri Lanka Telecom and Mobitel.

  • Capability (tool): the primary malware used to gain access, with BeaverTail the most commonly observed.

  • Infrastructure: the digital assets the adversary uses to deliver or control the attack, including the command-and-control servers.

  • Adversary: Famous Chollima, identified as the main threat actor behind the attacks.


[Figure: Diamond Model of the campaign against Sri Lankan job seekers]

Attack Chain


The following is a simplified overview of the attack chains observed by various security researchers. One chain begins with BeaverTail, which can be delivered as an npm module, as code hosted on platforms like GitHub or Bitbucket, or packaged inside a cross-platform Electron desktop application. In the Electron case the package ultimately deploys InvisibleFerret as the next stage, which exfiltrates data from the victim.

A more recent chain deploys OtterCookie, a stealer designed to harvest sensitive information.



[Figure: simplified BeaverTail / InvisibleFerret / OtterCookie attack chain]
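Both the cloned coding-challenge repositories described earlier and the npm and GitHub delivery in the chain above can be triaged statically before anything runs. The script below is an added example written for this article, not tooling from Talos, Unit 42, or any vendor. It does not identify BeaverTail; it surfaces the traits these droppers share (install-time lifecycle hooks, dynamic evaluation, process spawning, and large encoded blobs). The sample repository it builds is constructed, and the rule names are assumptions of mine.

```python
"""Static triage of a cloned 'coding challenge' repository or npm package
before it is installed or opened.

Added example for this article, not tooling from Talos, Unit 42 or any
vendor. It does not identify BeaverTail specifically; it surfaces traits
these droppers share: install-time lifecycle hooks, dynamic code evaluation,
process spawning, and large encoded blobs. Rule names are my own."""
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
CODE_EXT = (".js", ".cjs", ".mjs", ".ts", ".py")
SUSPICIOUS_CALLS = ("eval(", "new Function(", "child_process", "execSync(",
                    "spawn(", "vm.runInThisContext(")
# A quoted literal of 200+ base64 or hex characters is rarely legitimate
# application code in a small take-home assignment.
ENCODED_BLOB = re.compile(r"""['"]([A-Za-z0-9+/=]{200,}|[0-9a-fA-F]{200,})['"]""")
LONG_LINE = 1000  # minified/obfuscated bundles checked in as "source"


def _check_package_json(path, rel):
    findings = []
    with open(path, encoding="utf-8") as fh:
        try:
            scripts = json.load(fh).get("scripts", {})
        except ValueError:
            return [{"file": rel, "rule": "unparseable-json", "detail": ""}]
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append({"file": rel, "rule": "lifecycle-script",
                             "detail": f"{hook}: {scripts[hook]}"})
    return findings


def _check_source(path, rel):
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            for call in SUSPICIOUS_CALLS:
                if call in line:
                    findings.append({"file": rel, "rule": "suspicious-call",
                                     "detail": f"line {n}: {call}"})
            m = ENCODED_BLOB.search(line)
            if m:
                findings.append({"file": rel, "rule": "encoded-blob",
                                 "detail": f"line {n}: {len(m.group(1))} chars"})
            if len(line) > LONG_LINE:
                findings.append({"file": rel, "rule": "long-line",
                                 "detail": f"line {n}: {len(line)} chars"})
    return findings


def triage_repo(root):
    """Walk the checkout (skipping node_modules/.git) and return sorted findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == "package.json":
                findings += _check_package_json(path, rel)
            elif name.endswith(CODE_EXT):
                findings += _check_source(path, rel)
    return sorted(findings, key=lambda f: (f["file"], f["rule"], f["detail"]))


def build_sample_repo(root):
    """Write a constructed repository: a benign task file plus a postinstall
    hook that decodes a blob and evals it. Nothing here is a real sample."""
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "assessment-task", "version": "1.0.0",
                   "scripts": {"test": "jest", "postinstall": "node src/setup.js"}}, fh)
    with open(os.path.join(root, "src", "task.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = (a, b) => a + b;\n")
    with open(os.path.join(root, "src", "setup.js"), "w", encoding="utf-8") as fh:
        fh.write('const p = "' + "QUFB" * 60 + '";\n'
                 'const cp = require("child_process");\n'
                 'eval(Buffer.from(p, "base64").toString());\n')


def demo():
    """Build the constructed repo in a temp dir, triage it, return findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_repo(d)
        return triage_repo(d)


if __name__ == "__main__":
    for f in demo():
        print(f'{f["file"]:16} {f["rule"]:18} {f["detail"]}')
```

Run it in the disposable VM you would use anyway, before `npm install` and before opening the project in an IDE that may execute project scripts on load. A clean report is not a verdict: a hook can stay benign on disk and fetch its real payload from the network only once it runs.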


Key Takeaways


While this article does not go into the technical details of how these malware families operate or how the attack chains execute, it is meant to help organizations and individuals protect themselves against North Korean IT workers and recruitment scams. These fraudulent interview processes continue to evolve, backed by a diverse and sophisticated malware portfolio.

As the desire for better opportunities abroad grows, more job applicants will be lured into fake interviews. It is therefore crucial to pay close attention to the nature of the job and to the recruiter when applying. Job seekers should not be carried away by the excitement of a potential offer; they must do their due diligence and remain vigilant.


 
 
 
