North Korean state-sponsored hackers have successfully infiltrated over 100 companies in the U.S., predominantly in the aerospace, defense, retail, and technology sectors, by posing as job applicants.
CrowdStrike’s 2024 Threat Hunting Report reveals that the North Korean adversary known as FAMOUS CHOLLIMA is using forged and stolen identity documents to gain remote IT positions. This tactic allows them to exfiltrate sensitive data and engage in espionage without detection.
Affiliated with North Korea's elite Reconnaissance General Bureau (RGB) and Bureau 75, FAMOUS CHOLLIMA specializes in large-scale insider threats. Their strategy involves obtaining freelance or full-time positions, funneling the salaries into North Korea’s weapons programs while simultaneously conducting ongoing surveillance.
“The concerning aspect of FAMOUS CHOLLIMA's campaign is the sheer scale of this insider threat. CrowdStrike has alerted over 100 victims, mostly U.S. companies, that unwittingly hired North Korean operatives,” said Adam Meyers, head of counter adversary operations at CrowdStrike.
Meyers emphasizes that these individuals infiltrate tech organizations, not to contribute but to redirect stolen funds to the regime's weapons initiatives.
North Korea has adeptly capitalized on the trust inherent in remote work environments. “This rise in North Korean remote work schemes highlights how adversaries are taking advantage of our reliance on remote staffing,” noted Meyers. In a landscape where IT teams operate remotely, North Korea seized the opportunity to exploit inadequate verification and security measures.
By systematically targeting over 100 companies, FAMOUS CHOLLIMA's strategy of deploying elite attackers to orchestrate insider attacks signifies a pivotal moment in cyber warfare, urging businesses engaged in remote hiring to reevaluate their security protocols.
“Post-COVID, remote onboarding became standard, leading to an uptick in the use of stolen identities to pass security checks. Half of CrowdStrike's observed cases involved data exfiltration. The very processes designed to facilitate remote work are being weaponized against us,” Meyers stated.
FAMOUS CHOLLIMA initially targeted 30 U.S.-based companies in 2023, claiming to be U.S. residents applying for remote IT roles. Once employed, the attackers engaged in minimal job-related tasks while attempting to steal data using tools like Git, SharePoint, and OneDrive.
These malicious insiders quickly installed Remote Monitoring and Management (RMM) tools such as RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop, ensuring lasting access to compromised networks. By utilizing multiple IP addresses, they blended into regular network activity, gaining footholds and executing commands without raising suspicions.
CrowdStrike's report indicates a 70% year-over-year increase in RMM tool exploitation, accounting for 27% of all hands-on-keyboard intrusions. This alarming trend was particularly evident in FAMOUS CHOLLIMA's extensive insider threat operation affecting numerous top technology firms.
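As an added defensive illustration, not code from the CrowdStrike report or this article: a small Python check that flags launches of the RMM tools named above on hosts where they are not sanctioned, the kind of allowlist rule a SOC would run over process-creation telemetry. The executable names, the command-line pattern and the process events are constructed assumptions for the example, not indicators taken from the report.

```python
import re
from dataclasses import dataclass

# Assumed indicators for the tools the report names (constructed for this
# example). Replace with what your own sanctioned RMM deployment looks like.
IMAGE_SIGNATURES = {
    "AnyDesk": re.compile(r"\\anydesk\.exe$", re.I),
    "RustDesk": re.compile(r"\\rustdesk\.exe$", re.I),
    "Chrome Remote Desktop": re.compile(r"\\remoting_host\.exe$", re.I),
}
# VS Code Dev Tunnels start from the ordinary VS Code binary, so the command
# line rather than the image path is the tell.
CMDLINE_SIGNATURES = {
    "VS Code Dev Tunnel": re.compile(r"\bcode(\.exe)?\b.*\btunnel\b", re.I),
}

@dataclass
class ProcEvent:
    host: str
    user: str
    image: str
    cmdline: str

def classify(ev):
    """Name the RMM tool an event represents, or None if it is not one."""
    for name, pat in IMAGE_SIGNATURES.items():
        if pat.search(ev.image):
            return name
    for name, pat in CMDLINE_SIGNATURES.items():
        if pat.search(ev.cmdline):
            return name
    return None

def find_unapproved_rmm(events, approved):
    """Return (host, user, tool) for each RMM launch outside the allowlist.
    `approved` maps tool name -> set of hosts where that tool is sanctioned."""
    hits = []
    for ev in events:
        tool = classify(ev)
        if tool and ev.host not in approved.get(tool, set()):
            hits.append((ev.host, ev.user, tool))
    return hits

# Constructed process-creation events, as a SIEM might hold them.
SAMPLE_EVENTS = [
    ProcEvent("ws-042", "contractor07", r"C:\Users\contractor07\AppData\Local\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
    ProcEvent("ws-042", "contractor07", r"C:\Program Files\Microsoft VS Code\Code.exe", "Code.exe tunnel"),
    ProcEvent("helpdesk-01", "svc_rmm", r"C:\Program Files\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
    ProcEvent("ws-042", "contractor07", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
APPROVED = {"AnyDesk": {"helpdesk-01"}}  # the help desk's sanctioned AnyDesk host
```

Run `find_unapproved_rmm(SAMPLE_EVENTS, APPROVED)`: the help desk's AnyDesk launch passes, while the contractor workstation's AnyDesk and Dev Tunnel launches are flagged for review.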
In April 2024, CrowdStrike began investigating multiple incidents where FAMOUS CHOLLIMA operatives targeted over 30 U.S.-based companies, employing false identities to secure remote IT jobs.
This year, as federal investigations into North Korean remote-work schemes progressed, CrowdStrike identified FAMOUS CHOLLIMA insiders applying to or actively working at more than 100 unique companies, particularly U.S. tech entities. The same tactics and procedures recurring across incidents indicated a coordinated approach.
On May 16, the FBI alerted American businesses that “North Korea is circumventing U.S. and U.N. sanctions by targeting private firms to generate illicit revenue for the regime.” The Department of Justice swiftly pursued action against operations identified as part of FAMOUS CHOLLIMA's efforts. The first indictment alleged that an Arizona woman aided North Korea in accessing 300 IT firms, while a second indictment accused a Nashville resident of running a laptop farm that allowed FAMOUS CHOLLIMA members to work undetected for months, with salaries funneled to support North Korea’s weapons program. The indictments highlighted the group's extensive reach across 17 nations and various industries.
“Just last week, the Justice Department arrested a Tennessee man for operating a laptop farm scheme that enabled North Korean IT workers to secure remote positions at Fortune 500 companies, consistent with activities CrowdStrike has tracked under FAMOUS CHOLLIMA,” Meyers reported.