Staying a Step Ahead: Mitigating the DPRK IT Worker Threat
Mandiant
Written by: Codi Starks, Michael Barnhart, Taylor Long, Mike Lombardi, Joseph Pisano, Alice Revelli
Strategic Overview of IT Workers
Since 2022, Mandiant has tracked and reported on IT workers operating on behalf of the Democratic People's Republic of North Korea (DPRK). These workers pose as non-North Korean nationals to gain employment with organizations across a wide range of industries in order to generate revenue for the North Korean regime, particularly to evade sanctions and fund its weapons of mass destruction (WMD) and ballistic missile programs. A U.S. government advisory in 2022 noted that these workers have also leveraged privileged access obtained through their employment in order to enable malicious cyber intrusions, an observation corroborated by Mandiant and other organizations.
IT workers employ various methods for evading detection. We have observed the operators leverage front companies to disguise their true identities; additionally, U.S. government indictments …
IoC
103.244.174.154
104.129.55.3
104.206.40.138
104.223.97.2
104.223.98.2
104.243.33.74
104.250.148.58
109.82.113.75
113.227.237.46
119.155.190.202
123.190.56.214
155.94.255.2
174.128.251.99
18.144.99.240
184.12.141.109
192.119.10.67
192.119.11.250
192.74.247.161
198.135.49.154
198.2.228.20
198.23.148.18
199.115.99.34
204.188.232.195
207.126.89.11
208.68.173.244
23.105.155.2
23.237.32.34
3.15.4.158
37.19.199.133
37.19.221.228
37.43.225.43
38.140.49.92
38.42.94.148
42.84.228.232
5.244.93.199
50.39.182.185
51.39.228.134
54.200.217.128
60.20.1.234
66.115.157.242
67.129.13.170
67.82.9.140
68.197.75.194
70.39.103.3
71.112.196.114
71.112.196.115
72.193.13.228
74.222.20.18
74.63.233.50
98.179.96.75
https://daniel-ayala.netlify.app
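A practitioner's first use of the list above is to sweep authentication, VPN and proxy logs for the addresses and the hostname behind the URL. The script below is an added example, not code from the Mandiant post: it extracts IPv4 candidates and hostnames from free-form log lines, validates each candidate so a version string like 104.129.55.300 is not mistaken for an address, matches them against a subset of the indicators above (extend IOC_IPS with the full list), and pivots from each hit to the account that used the indicator. The key=value log format and the sample lines are constructed for illustration and are not real data.

```python
"""Sweep log lines for the DPRK IT worker indicators listed above."""
import ipaddress
import re
from urllib.parse import urlparse

# Subset of the IP indicators from the IoC list above; extend with the full list.
IOC_IPS = {
    "103.244.174.154", "104.129.55.3", "18.144.99.240", "3.15.4.158",
    "37.19.199.133", "71.112.196.114", "71.112.196.115", "98.179.96.75",
}
IOC_URLS = {"https://daniel-ayala.netlify.app"}
# Hostnames derived from the URL indicators, so any path under the host is caught.
IOC_HOSTS = {urlparse(u).hostname.lower() for u in IOC_URLS}

IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_CANDIDATE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
USER_FIELD = re.compile(r"\buser=(\S+)")  # assumed key=value field in the sample format


def extract_ipv4(line):
    """Return the syntactically valid IPv4 addresses found in a line.

    Each regex candidate is validated with ipaddress so that strings such as
    104.129.55.300 (an octet above 255) are not treated as addresses.
    """
    found = []
    for cand in IPV4_CANDIDATE.findall(line):
        try:
            found.append(str(ipaddress.IPv4Address(cand)))
        except ipaddress.AddressValueError:
            continue
    return found


def extract_hosts(line):
    """Return lower-cased dotted hostnames found in a line (IPs do not match)."""
    return [h.lower() for h in HOST_CANDIDATE.findall(line)]


def scan_line(line):
    """Return (kind, indicator) pairs for every indicator present in one line."""
    hits = []
    for ip in extract_ipv4(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for host in extract_hosts(line):
        if host in IOC_HOSTS:
            hits.append(("host", host))
    return hits


def scan_logs(lines):
    """Scan an iterable of log lines; return one dict per (line, indicator) hit."""
    results = []
    for n, line in enumerate(lines, start=1):
        for kind, ioc in scan_line(line):
            m = USER_FIELD.search(line)
            results.append({"line_no": n, "kind": kind, "indicator": ioc,
                            "user": m.group(1) if m else None, "line": line})
    return results


def accounts_by_indicator(hits):
    """Pivot from indicator hits to the accounts that touched them, for triage."""
    accounts = {}
    for h in hits:
        if h["user"]:
            accounts.setdefault(h["user"], set()).add(h["indicator"])
    return accounts


# Constructed sample log lines (not real data) in an illustrative key=value style.
SAMPLE_LOGS = [
    "2024-09-23T08:12:01Z vpn auth=ok user=contractor42 src=71.112.196.114",
    "2024-09-23T08:15:44Z proxy method=GET url=https://daniel-ayala.netlify.app/resume.pdf user=hr_recruiter src=10.20.30.40",
    "2024-09-23T09:01:10Z vpn auth=ok user=alice src=203.0.113.7",
    "2024-09-23T09:05:00Z agent version=104.129.55.300 user=svc_build src=10.1.1.9",
    "2024-09-23T09:40:27Z vpn auth=ok user=contractor42 src=71.112.196.115",
]

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f"line {h['line_no']}: {h['kind']} {h['indicator']} user={h['user']}")
    print(accounts_by_indicator(found))
```

On the sample input the sweep reports the two VPN logins from 71.112.196.114 and 71.112.196.115 by the same account, and the proxy request to the netlify host; the malformed version string on line 4 is rejected by the address validation. Treat a hit as a triage lead rather than proof: confirm which account authenticated from the address, what it accessed, and whether the source is shared infrastructure before blocking.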