Ketman Activity Statement - February 2025
We can’t publish the full data collection. The reasons are two-fold. Sometimes the affected company requires privacy or asks us to grant it. Other times, the entities involved are still part of ongoing investigative work. Beyond that, publication could lead actors to adapt significantly, making them extremely hard to spot. That said, the data publication rules may change in the future.
At the same time, we do try to share any relevant data (like payroll data) with the security community through private channels.
This is the first official monthly summary, so the format will most likely change too. This time, we’ll be more qualitative than quantitative to give a better overview of how threat intelligence, incident response, IOCs, and TTPs have worked thus far in the real-life cases we encountered.
Companies Affected
We count a project as affected if:
- A DPRK IT Worker successfully merged code.
- A DPRK IT Worker got paid …