North Korean Hackers Pose as IT Workers to Infiltrate Cloud Systems
In a concerning development, Microsoft has identified a North Korean state-sponsored cyber group, known as Jasper Sleet, employing sophisticated tactics to infiltrate corporate cloud environments. By creating fake professional identities, these hackers secure legitimate remote IT positions, granting them direct access to sensitive internal data and systems.
Exploiting Remote Work Trends
The widespread adoption of remote and hybrid work models post-COVID-19 has transformed hiring practices, with companies increasingly relying on virtual interviews and digital onboarding processes. Jasper Sleet exploits this shift by fabricating identities and utilizing AI-driven techniques to convincingly pose as qualified job candidates. This strategy enables them to bypass traditional security measures and embed themselves within target organizations.
Targeting HR Platforms
Microsoft’s Threat Intelligence team has observed Jasper Sleet systematically targeting companies that utilize popular human resources software, such as Workday. The group accesses external career sites to identify open positions and employs generative AI to analyze job postings, extract required skills, and craft tailored digital personas. These meticulously designed applications are intended to deceive hiring teams and secure employment within the organization.
Infiltration and Data Access
Upon successful hiring, Jasper Sleet completes standard onboarding procedures, sets up payroll accounts, and gains access to internal tools like Microsoft Teams, SharePoint, OneDrive, and Exchange Online. Microsoft has noted an increase in impossible travel alerts associated with new hires during the initial months post-onboarding, indicating suspicious remote activity. Once inside, the group can navigate the organization’s cloud environment, access sensitive files, and, in some instances, engage in data theft or extortion.
Broader Implications
The threat posed by Jasper Sleet extends beyond specific industries; any organization employing remote workers and utilizing cloud-connected HR platforms is potentially at risk. Microsoft’s research aims to assist security and HR teams in identifying and mitigating such threats early in the recruitment process, preventing unauthorized access before it occurs.
Manipulating HR Software Workflows
A critical aspect of Jasper Sleet’s strategy is its exploitation of HR software workflows. During the pre-recruitment phase, Microsoft observed the group making programmatic API calls to Workday’s Recruiting Web Service endpoints via external career sites. These calls retrieved data about job postings, active applications, and questionnaires, and the resulting API call patterns, originating from known Jasper Sleet infrastructure, stood out as suspicious.
Unusual Application Patterns
Unlike typical job seekers, Jasper Sleet exhibits repetitive behavior, using multiple external accounts to access the same API endpoints consistently. This pattern deviates from normal applicant interactions with hiring portals, signaling potential malicious intent.
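The two applicant-side signals described above, many "different" candidate accounts sharing one source address for the same endpoint and single accounts polling an endpoint far more often than a person browsing a posting would, can be checked with a few lines over the career site's access log. The script below is an added illustration, not code from Microsoft's report or from Workday; the endpoint paths, accounts, IP addresses and thresholds are all constructed for the example.

```python
"""
Added example, not code from Microsoft's report or from Workday: a small
detector for two applicant-side patterns, run over a constructed access log.
Endpoint paths, accounts, IPs and thresholds are made up for the illustration;
a real deployment would read the career site's own access logs.
"""
from collections import Counter, defaultdict

# Constructed career-site access log, one API call per line:
#   timestamp  source_ip  applicant_account  endpoint
SAMPLE_LOG = """\
2025-05-01T09:00:01Z 203.0.113.10 cand-a@example.net /recruiting/job-postings
2025-05-01T09:00:05Z 203.0.113.10 cand-b@example.net /recruiting/job-postings
2025-05-01T09:00:09Z 203.0.113.10 cand-c@example.net /recruiting/job-postings
2025-05-01T09:00:14Z 203.0.113.10 cand-a@example.net /recruiting/questionnaires
2025-05-01T09:00:18Z 203.0.113.10 cand-a@example.net /recruiting/questionnaires
2025-05-01T09:00:22Z 203.0.113.10 cand-a@example.net /recruiting/questionnaires
2025-05-01T09:00:26Z 203.0.113.10 cand-a@example.net /recruiting/questionnaires
2025-05-01T09:00:30Z 203.0.113.10 cand-a@example.net /recruiting/questionnaires
2025-05-01T09:00:34Z 203.0.113.10 cand-a@example.net /recruiting/questionnaires
2025-05-01T10:15:00Z 198.51.100.7 alice@example.org /recruiting/job-postings
2025-05-01T10:16:30Z 198.51.100.7 alice@example.org /recruiting/applications
2025-05-01T11:02:00Z 192.0.2.44 bob@example.org /recruiting/job-postings
""".splitlines()


def parse_log(lines):
    """Turn whitespace-separated log lines into event dicts; blank lines are skipped."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, account, endpoint = line.split()
        events.append({"ts": ts, "ip": ip, "account": account, "endpoint": endpoint})
    return events


def shared_infrastructure(events, min_accounts=3):
    """(source_ip, endpoint) pairs used by at least min_accounts distinct
    applicant accounts: several 'candidates' sharing one origin for one endpoint."""
    accounts = defaultdict(set)
    for e in events:
        accounts[(e["ip"], e["endpoint"])].add(e["account"])
    return {key: sorted(accts) for key, accts in accounts.items() if len(accts) >= min_accounts}


def repetitive_accounts(events, max_calls=5):
    """(account, endpoint) pairs called more than max_calls times: scripted
    polling rather than a person reading a job posting."""
    calls = Counter((e["account"], e["endpoint"]) for e in events)
    return {key: n for key, n in calls.items() if n > max_calls}


def analyze(lines):
    """Run both checks and return the findings keyed by check name."""
    events = parse_log(lines)
    return {
        "shared_infrastructure": shared_infrastructure(events),
        "repetitive_accounts": repetitive_accounts(events),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind)
        for key, value in hits.items():
            print("  ", key, "->", value)
```

Both thresholds are deliberately low so the constructed log triggers them; in production they would be tuned against a baseline of genuine applicant traffic, and the source-IP grouping would normally be widened to a /24 or an ASN, since a single address is easy to rotate.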
Communication and Onboarding
During the recruitment phase, Jasper Sleet engages with hiring teams through email and video conferencing tools like Microsoft Teams, Zoom, and Cisco Webex. After securing employment, the threat actor signs into the newly created Workday account and updates payroll details from known Jasper Sleet infrastructure, which shows up as post-onboarding sign-in activity from flagged IP addresses.
Recommendations for Organizations
To defend against such sophisticated infiltration tactics, organizations should implement the following measures:
1. Enhanced Verification Processes: Strengthen identity verification during the hiring process by incorporating multi-factor authentication and thorough background checks.
2. Monitor Unusual Activity: Utilize security tools to detect anomalies such as impossible travel alerts and unusual API call patterns.
3. Educate HR and IT Teams: Provide training on recognizing social engineering tactics and the importance of verifying candidate information.
4. Limit Access: Implement the principle of least privilege, ensuring employees have access only to the resources necessary for their roles.
5. Regular Audits: Conduct periodic reviews of user activities and access logs to identify and respond to potential security breaches promptly.
By adopting these proactive measures, organizations can better protect themselves against the evolving tactics of threat actors like Jasper Sleet, safeguarding their cloud environments and sensitive data.
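Two of the post-onboarding signals mentioned in the article, impossible travel alerts on accounts in their first months and sign-ins from flagged infrastructure, can be scripted against a sign-in log joined to the HR hire date. The script below is an added example, not Microsoft's detection logic; it assumes each sign-in already carries a latitude and longitude from a geo-IP lookup, and the hire dates, coordinates, flagged-IP list and thresholds are all constructed for the illustration.

```python
"""
Added example, not Microsoft's detection logic: two post-onboarding checks
scoped to accounts still inside their first months, run over constructed
sign-in events. Hire dates, coordinates (assumed to come from a geo-IP
lookup), the flagged-IP list and the thresholds are made up for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed HR feed: account -> hire date
HIRE_DATES = {
    "newhire@example.org": datetime(2025, 4, 15),
    "veteran@example.org": datetime(2019, 2, 1),
}

# Constructed stand-in for a threat-intelligence list of actor infrastructure
FLAGGED_IPS = {"203.0.113.10"}

# Constructed sign-in events: (account, timestamp, source_ip, latitude, longitude)
SIGNINS = [
    ("newhire@example.org", "2025-05-02T09:00:00Z", "198.51.100.7", 47.61, -122.33),
    ("newhire@example.org", "2025-05-02T10:30:00Z", "203.0.113.10", 1.35, 103.82),
    ("veteran@example.org", "2025-05-02T08:00:00Z", "192.0.2.5", 40.71, -74.01),
    ("veteran@example.org", "2025-05-02T09:00:00Z", "192.0.2.6", 51.51, -0.13),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(signins, hire_dates, window_days=90, max_kmh=900.0):
    """Consecutive sign-ins by one account that would need travel faster than
    max_kmh, evaluated only while the account is within window_days of hire."""
    by_account = defaultdict(list)
    for account, ts, ip, lat, lon in signins:
        by_account[account].append((parse_ts(ts), ip, lat, lon))
    findings = []
    for account, events in by_account.items():
        hired = hire_dates.get(account)
        if hired is None:
            continue  # no HR record: out of scope for this check
        events.sort(key=lambda e: e[0])
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(events, events[1:]):
            if t2 - hired > timedelta(days=window_days):
                continue  # past the new-hire window
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            if hours <= 0:
                speed = float("inf") if km > 0 else 0.0  # same instant, different place
            else:
                speed = km / hours
            if speed > max_kmh:
                findings.append({"account": account, "from_ip": ip1, "to_ip": ip2,
                                 "km": round(km), "speed_kmh": round(speed)})
    return findings


def flagged_ip_signins(signins, flagged_ips):
    """Sign-ins whose source address is on the flagged list."""
    return [(account, ts, ip) for account, ts, ip, _, _ in signins if ip in flagged_ips]


if __name__ == "__main__":
    for f in impossible_travel(SIGNINS, HIRE_DATES):
        print("impossible travel:", f)
    for hit in flagged_ip_signins(SIGNINS, FLAGGED_IPS):
        print("flagged source:", hit)
```

Scoping the travel check to the hire-date window is what turns a generic alert into the signal the article describes; the veteran account's implausible hop is ignored by default and only appears when the window is widened. In practice the two checks would be correlated, since a new hire whose first "impossible" hop lands on a flagged address is a much stronger case than either finding alone, and payroll-detail changes in the same window would be pulled into the same timeline.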