Unmasking North Korea’s Cyber Scams: From Crowdfunding Frauds to IT Worker Schemes


2025-01-15

In the shadowy world of cybercrime, state-sponsored threat actors are constantly evolving their tactics to exploit global systems for financial gain. Recent research from Secureworks Counter Threat Unit (CTU) has uncovered a fascinating link between North Korea’s notorious fake IT worker schemes and an earlier, lesser-known crowdfunding scam. This discovery sheds light on how North Korean threat actors have been experimenting with various money-making strategies long before their more sophisticated operations came to light.

The investigation reveals the involvement of a threat group known as Nickel Tapestry, which has been orchestrating cyber scams on behalf of North Korean interests. From fraudulent crowdfunding campaigns to the deployment of deepfake technology, this group’s activities highlight the adaptability and persistence of state-sponsored cybercriminals.

Summary of the Findings

1. Nickel Tapestry’s Crowdfunding Scam: Secureworks CTU linked the North Korean threat group Nickel Tapestry to a 2016 IndieGoGo crowdfunding campaign for a product called the Kratos portable wireless memory device. The campaign, which raised around $20,000, was later exposed as a scam when backers reported never receiving the product or a refund.

2. Evolution of North Korean Cybercrime: The crowdfunding scam represents an early example of North Korean threat actors testing money-making schemes. Over time, these efforts evolved into more sophisticated operations, such as the deployment of fake IT workers who use deepfake technology and AI to deceive employers.

3. Network Infrastructure Overlap: Secureworks CTU identified shared network infrastructure between the crowdfunding scam and the later IT worker schemes, confirming a direct link between the IndieGoGo campaign operators and Nickel Tapestry.

4. Front Companies and Sanctions Violations: Two IT companies—China-based Yanbian Silverstar Network Technology Co. and Russia-based Volasys Silver Star—were found to be involved in the scam. Both companies were designated by the US in 2018 for sanctions violations, and their CEO, Jong Song Hwa, is a North Korean national.

5. Digital Footprints: Investigators traced domain registrations, email addresses, and IP addresses to connect the crowdfunding scam to the North Korean threat group. For example, the domain kratosmemory.com was linked to the IndieGoGo campaign, and its registrant details matched the persona used in the scam.

6. Geolocation and Operational Hubs: The IP address 36.97.143.26, used by Yanbian Silverstar freelancers, was traced to Jilin, China, where the company is believed to be based. This location aligns with evidence that North Korean IT workers were operating from China.

7. Seized Domains and Exposed Identities: In 2024, a domain associated with the front companies (silverstarchina.com) was seized, revealing registrant details that matched the reported location of Yanbian Silverstar’s offices.
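Findings 3 and 5 describe the core analytic move behind this attribution: indexing every indicator (domain, registrant detail, IP address) per campaign and looking for values that appear in more than one. The script below is an added illustration of that pivot, not Secureworks CTU code, and it does not reproduce the actual overlap CTU reported. The domains kratosmemory.com and silverstarchina.com and the IP 36.97.143.26 are taken from the article; every other value (the registrant e-mail, the other IPs, the campaign and company names "noise-a"/"noise-b") is constructed, and which indicators linked the real campaigns is an assumption made for the example. It also handles the failure mode a practitioner cares about: an indicator shared by too many unrelated entities (a shared-hosting IP, a privacy-proxy registrant e-mail) is a weak pivot and is dropped above a fan-out threshold.

```python
"""Infrastructure-overlap pivot: link campaigns that share indicators.

Added example, not code from the article or from Secureworks CTU.
Only kratosmemory.com, silverstarchina.com and 36.97.143.26 come from the
article; all other values and the linkage between campaigns are CONSTRUCTED.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Indicator = Tuple[str, str]            # (indicator type, value)
Campaigns = Dict[str, Dict[str, Set[str]]]

# CONSTRUCTED dataset. 192.0.2.1 (TEST-NET) stands in for a shared-hosting IP
# that many unrelated sites happen to use; it must not drive attribution.
CAMPAIGNS: Campaigns = {
    "indiegogo-kratos-2016": {
        "domain": {"kratosmemory.com"},                   # from the article
        "registrant_email": {"persona@example.invalid"},  # constructed
        "ip": {"36.97.143.26", "192.0.2.1"},              # first from article
    },
    "it-worker-freelance": {
        "domain": {"silverstarchina.com"},                # from the article
        "registrant_email": {"persona@example.invalid"},  # constructed overlap
        "ip": {"36.97.143.26", "203.0.113.7", "192.0.2.1"},
    },
    "noise-a": {"domain": {"a.example"}, "ip": {"192.0.2.1"}},
    "noise-b": {"domain": {"b.example"}, "ip": {"192.0.2.1"}},
}


def index_indicators(campaigns: Campaigns) -> Dict[Indicator, Set[str]]:
    """Invert the data: indicator -> set of campaigns where it was observed."""
    idx: Dict[Indicator, Set[str]] = defaultdict(set)
    for name, inds in campaigns.items():
        for itype, values in inds.items():
            for value in values:
                idx[(itype, value)].add(name)
    return idx


def shared_indicators(campaigns: Campaigns, max_fanout: int = 3) -> Dict[Tuple[str, str], List[Indicator]]:
    """Map each campaign pair to the indicators they share.

    Indicators seen on more than max_fanout campaigns are treated as noise
    (shared hosting, privacy proxies) and do not create links.
    """
    pairs: Dict[Tuple[str, str], List[Indicator]] = defaultdict(list)
    for indicator, names in index_indicators(campaigns).items():
        if len(names) < 2 or len(names) > max_fanout:
            continue
        ordered = sorted(names)
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                pairs[(a, b)].append(indicator)
    return dict(pairs)


def cluster(campaigns: Campaigns, max_fanout: int = 3) -> List[List[str]]:
    """Group campaigns into connected components over the shared-indicator links."""
    parent = {name: name for name in campaigns}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in shared_indicators(campaigns, max_fanout):
        parent[find(a)] = find(b)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for name in campaigns:
        groups[find(name)].add(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for (a, b), inds in shared_indicators(CAMPAIGNS).items():
        print(f"{a} <-> {b}: {inds}")
    print("clusters (noise filtered):", cluster(CAMPAIGNS))
    print("clusters (no filter):     ", cluster(CAMPAIGNS, max_fanout=10))
```

With the default fan-out limit, only the two campaigns sharing the constructed registrant e-mail and the 36.97.143.26 IP are linked; raising the limit lets the shared-hosting IP pull every campaign into one cluster, which is exactly the false attribution an analyst wants to avoid. In practice the threshold is tuned per indicator type (a registrant e-mail is a stronger pivot than an IP on a hosting provider), and each surviving link is then checked against timing and registrar data before it is treated as evidence.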

What Undercode Says:

The revelations from Secureworks CTU’s research underscore the ingenuity and persistence of North Korea’s state-sponsored cybercriminal operations. Nickel Tapestry’s activities, from crowdfunding scams to fake IT worker schemes, demonstrate a clear pattern of experimentation and adaptation.

Key Insights:

1. Early Experimentation: The 2016 IndieGoGo campaign highlights how North Korean threat actors have been testing low-effort, low-return scams as a precursor to more elaborate schemes. This early experimentation laid the groundwork for the sophisticated operations seen today.

2. Adaptation to Technology: The use of deepfakes and AI in recent IT worker schemes shows how North Korean cybercriminals are leveraging cutting-edge technology to enhance their tradecraft. This adaptability makes them a formidable threat in the cyber landscape.

3. Global Network of Front Companies: The involvement of front companies in China and Russia highlights the global reach of North Korea’s cyber operations. These companies serve as critical nodes in the network, enabling the group to bypass sanctions and operate under the radar.

4. Digital Forensics as a Tool: The meticulous tracing of domain registrations, email addresses, and IP addresses by Secureworks CTU demonstrates the power of digital forensics in unmasking cybercriminal operations. This approach is essential for countering state-sponsored threats.

5. Implications for Cybersecurity: The findings emphasize the need for heightened vigilance in online platforms, particularly crowdfunding sites and freelance job markets. Enhanced verification processes and collaboration between cybersecurity firms and law enforcement are crucial to mitigating these threats.

Broader Implications:

North Korea’s cybercriminal activities are not just about financial gain; they are a critical component of the regime’s strategy to circumvent international sanctions and fund its operations. The evolution from simple scams to complex, technology-driven schemes reflects the regime’s commitment to refining its cyber capabilities.

For businesses and individuals, the rise of deepfake technology and AI-driven scams poses significant risks. The ability of threat actors to create convincing fake identities and personas makes it increasingly difficult to distinguish between legitimate and fraudulent activities.

Recommendations:

– Enhanced Due Diligence: Companies should implement rigorous verification processes for remote workers and crowdfunding campaigns.
– Collaboration: Cybersecurity firms, governments, and online platforms must work together to share intelligence and disrupt threat actor networks.
– Public Awareness: Educating the public about the risks of online scams and the tactics used by cybercriminals can help reduce the success rate of these schemes.

In conclusion, the story of Nickel Tapestry is a stark reminder of the evolving nature of cyber threats. As North Korean threat actors continue to refine their tactics, the global community must remain vigilant and proactive in countering their efforts. The battle against state-sponsored cybercrime is far from over, but with continued research, collaboration, and innovation, it is a battle that can be won.

References:

Reported By: Infosecurity-magazine.com