I read a recent Google Intelligence Report which highlighted a case uncovered last year involving a single North Korean worker deploying at least 12 personae across Europe and the US. The IT worker was seeking jobs within the defense industry and government sectors. Using this new tactic, bogus IT professionals have been threatening to release sensitive company data that they have exfiltrated before being fired.
According to the report, North Korea has now turned to Europe, and the UK, after it became more difficult to implement its fake worker ploy in the US. As a result, companies are being urged to carry out job interviews for IT workers on video, or better still in-person, to head off the risk of giving jobs to fake North Korean employees.
Carrying out job interviews in-person or via video would disrupt these tactics, but the crux of the problem is that many HR Departments don’t have the experience of dealing with a covert state adversary and need better cybersecurity education and training on the importance of doing background checks, while also checking physical identities, and ensuring the person they are talking to is who they claim to be.
Spotting fakes and fraudulent activity is not easy
These fraudulent schemes usually break down when the actor is asked to go on camera or come into the office for an interview. But spotting fake workers and fraudulent threat actors is no easy task and often requires an understanding of Cyber Threat Intelligence (CTI), a specialized field within cybersecurity that focuses on collecting, analyzing, and disseminating information about potential or existing cyber threats. CTI provides insights that help organizations anticipate, prevent, and respond to cyberattacks effectively. However, often, this type of reconnaissance is carried out by SOC analysts and cybersecurity teams who collaborate on the intelligence they gather but don’t always share this information outside their department with the wider business.
CTI gathers information from various sources, including open-source intelligence, social media, device logs, and the dark web, to understand attacker behavior and predict future attacks. It informs decisions about mitigating risk and strengthening defenses and is crucial for organizations aiming to stay ahead of evolving cyber threats. As the Google report highlights, this has become increasingly important in a digital age when most organizations' digital assets need protection.
Digital footprints continue to expand
Today, consumers expect tailored digital experiences across multimedia channels that speak to their core needs. But the digital assets that cultivate these positive brand experiences – high-traffic websites, engaging social media presences, user-friendly mobile apps, and more – are all prime targets for threat actors.
As companies’ digital footprints expand exponentially, so too do their attack surfaces. And because phishing kits sold on cybercrime forums let even the least sophisticated hackers run phishing campaigns, it has never been harder for security teams to plug all the holes, let alone for other departments whose online initiatives may leave them exposed.
CTI, digital brand protection and other cyber risk initiatives shouldn’t only be utilized by security and cyber teams. Think about legal teams, looking to protect IP and brand identities, marketing teams looking to drive website traffic or demand generation campaigns. They might need to implement digital brand protection to safeguard their organization’s online presence against threats like phishing websites, spoofed domains, malicious mobile apps, social engineering, and malware.
In fact, deepfakes targeting customers and employees now rank as the most frequently observed threat by banks, according to Accenture’s Cyber Threat Intelligence Research. There have even been instances of hackers tricking large language models into creating malware that can be used to crack customers’ passwords.
Phishing attacks are more sophisticated
Likewise, phishing attacks are now much more sophisticated, with cybercriminals leveraging new methods such as quishing (using QR codes for phishing attacks) and multi-channel attacks. The growing complexity is evident with a 10% increase in complaints, including phishing/spoofing, filed with the FBI’s Internet Crime Complaint Center (IC3).
The Egress Email Security Risk Report and both volumes of the Egress Phishing Threat Trends 2024 Report highlight critical phishing trends and threats businesses should be aware of, including the five most impersonated brands (Microsoft, DocuSign, PayPal, DHL and Facebook) and the five most targeted job titles (CEO, CFO, CPO, CISO and CRO).
One example in the report highlights how UPS branding is used to deliver malicious payloads. The email mimics UPS’s authentic branding, including logos and design elements, to appear legitimate. This builds trust and lowers the recipient’s guard. The email was sent from a randomized ‘onmicrosoft.com’ domain and consisted of a single image, often a fake notification about a failed delivery, that links to a malicious domain. This phishing attack cleverly exploits trusted branding to deceive recipients.
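The UPS lure above combines three observable traits: a sender on a random onmicrosoft.com tenant, a body that is a single clickable image with no text, and a brand name in the headers that does not match the sending domain. The following added example (my own illustration, not code from Egress or the report) turns those traits into a small triage heuristic over a constructed sample message; the message, the `BRANDS` list and the `score_message` function are assumptions for the demo, and a returned empty list means nothing looked odd.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not from the report): UPS branding, onmicrosoft.com sender, one image linking off-site.
SAMPLE_EML = """\
From: "UPS Delivery" <notify@x7k2q9pd.onmicrosoft.com>
Subject: UPS: delivery attempt failed
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://ups-redelivery.example.net/track"><img src="https://ups-redelivery.example.net/notice.png"></a></body></html>
"""
BRANDS = ("ups", "microsoft", "docusign", "paypal", "dhl", "facebook")  # report's top five plus UPS
class _BodyScan(HTMLParser):  # counts images, collects hrefs, measures visible text
    def __init__(self):
        super().__init__()
        self.images, self.links, self.text_chars = 0, [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag == "a" and dict(attrs).get("href"):
            self.links.append(dict(attrs)["href"])
    def handle_data(self, data):
        self.text_chars += len(data.strip())

def score_message(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = str(msg["From"] or "")
    sender_domain = parseaddr(sender)[1].rsplit("@", 1)[-1].lower()
    if sender_domain.endswith(".onmicrosoft.com"):  # tenant default, not a brand's own domain
        findings.append("sender uses onmicrosoft.com tenant domain")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        scan = _BodyScan()
        scan.feed(body.get_content())
        # A lone clickable image with no text gives content filters nothing to read.
        if scan.images == 1 and scan.text_chars == 0 and scan.links:
            findings.append("body is a single image wrapped in a link")
        for host in {(urlsplit(u).hostname or "").lower() for u in scan.links} - {""}:
            if not host.endswith(sender_domain):
                findings.append(f"link host {host} differs from sender domain")
    # Brand named in the display name or subject but absent from the sending domain.
    header_text = (sender + " " + str(msg["Subject"] or "")).lower()
    for brand in BRANDS:
        if brand in header_text and brand not in sender_domain:
            findings.append(f"brand '{brand}' impersonated in headers")
    return findings
```

The brand check is a plain substring match, so in production it should be paired with an allowlist of the brand's legitimate sending domains rather than used alone.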
Today, there are many underground communities collaborating across various communication platforms to carry out fraudulent activity. And it is not only HR, legal and marketing departments that need to be vigilant; there are also targeted attacks against corporate executives and VIPs, so the most critical members of the organization, and the sensitive data they hold, need safeguarding too.
Sharing information in the right way
There will be different types of information that will be useful in different scenarios, and it is important that sharing threat intelligence is undertaken in the right way. When people talk about threat intelligence sharing, the default assumption is sharing across an industry or across different companies. However, we also need to view sharing as internal sharing amongst teams and functions. Undoubtedly there will be some data sets that will benefit the HR, marketing, legal and leadership teams, and threat intelligence analysts need to think about how best to share information within and across the company.
I talked in a previous article about the importance of moving from an inside-out to an outside-in approach and really understanding both internal and external risks. For example, understanding what lies behind a ransomware attack, then elevating that information through collaboration and sharing so that the attack, and the risk it presents, is understood more widely across the business.
Today we need threat intelligence to take a cross-functional journey. In the North Korea instance, it is HR teams that need to know about the threat and how it is being executed. Building broader threat awareness across the company, and encouraging every department to think about how its function might be compromised, is critical in our modern digital world.