Enterprise cybersecurity solutions provider SentinelOne has shared some information on the types of threat actors that have targeted the company recently.
It’s not uncommon for cybersecurity firms to be targeted by threat actors. Companies such as Avast, Dragos, Doctor Web, FireEye, Kaspersky, and Zscaler confirmed being attacked in the past.
SentinelOne reported this week that it too is regularly targeted by threat actors, including North Korean IT workers, ransomware groups, and state-sponsored cyberspies.
North Korean fake IT workers have been a growing problem. In this type of scheme, North Korean individuals use fake identities to get jobs at Western companies, enabling them to make money for the Pyongyang regime and in some cases to obtain valuable data from the organizations that hire them.
Security awareness firm KnowBe4 was famously targeted in such a scheme last year, with the hired North Korean operative attempting to plant malware on the company’s systems.
SentinelOne says it too has been targeted by North Korean IT workers. An analysis conducted by the company revealed approximately 360 fake personas and more than 1,000 job applications for roles at SentinelOne, including its intelligence engineering team.
The security firm does not appear to have hired any North Korean IT workers, but it has not completely ignored them either. It interacted with them in the early stages of the hiring process in order to collect intelligence on their techniques, intelligence that recruiters can use to identify these fake IT workers.
SentinelOne says it has also been targeted by profit-driven cybercriminals, including ransomware groups, whose objective is to gain access not to the company’s systems but to its products, which can enable them to evade detection.
Hackers can gain access to enterprise security tools for testing purposes by renting access from specialized threat actors, or they can rely on credentials stolen by malware to gain access to enterprise environments that could host security tools. They can also rely on insiders (who are being offered upwards of $20,000 in some cases). Some groups, such as Nitrogen, are impersonating real companies to acquire security product licenses.
“Privileged access to administrative interfaces or agent installers for endpoint security products provides tangible advantages for adversaries seeking to advance their operations. Console access can be used to disable protections, manipulate configurations, or suppress detections,” SentinelOne explained.
“Direct, unmonitored access to the endpoint agent offers opportunities to test malware efficacy, explore bypass or tampering techniques, and suppress forensic visibility critical for investigations. In the wrong hands, these capabilities represent a significant threat to both the integrity of security products and the environments they protect,” it added.
SentinelOne was recently also targeted by Chinese state-sponsored hackers as part of a campaign it tracks as PurpleHaze, with the company finding technical overlaps with multiple Chinese APTs.
An investigation into an attack targeting an organization responsible for managing hardware logistics for SentinelOne employees led to the discovery of reconnaissance attempts aimed at SentinelOne infrastructure and some high-value organizations defended by the security firm.
“A detailed investigation into SentinelOne’s infrastructure, software, and hardware assets found no evidence of secondary compromise. Nevertheless, this case underscores the fragility of the larger supplier ecosystem that organizations depend upon and the persistent threat posed by suspected Chinese threat actors, who continuously seek to establish strategic footholds to potentially compromise downstream entities,” the company said.
SentinelOne noted that the attacks by both financially motivated hackers and state-sponsored actors, just like the fake North Korean IT worker applications, have provided valuable lessons.