- Microsoft Threat Intelligence announced it wiped thousands of accounts created by North Korean IT workers as part of its moves to stymie the global fraud scheme. The IT worker conspiracy has infiltrated hundreds of Coins2Day 500 companies in recent years and law enforcement has partnered with cybersecurity experts to help identify and eliminate the threat.
Microsoft has come out swinging against the elaborate North Korean IT worker conspiracy, suspending 3,000 known Outlook and Hotmail accounts created by the workers as part of its sweeping moves to disrupt the operation.
The $3.7 trillion tech giant’s Threat Intelligence arm, which refers to the IT worker scheme as “Jasper Sleet,” detailed its efforts to hunt down scammers in a lengthy post this week. The Department of Justice also announced a coordinated takedown in the IT worker scheme, seizing hundreds of laptops, 29 financial accounts, and shutting down nearly two dozen websites. Law enforcement also searched 29 “laptop farms” across the U.S. The laptop farms are sites where accomplices—including Americans—agree to take care of laptops shipped by companies that have unwittingly hired North Koreans for remote jobs. They install software so that the IT workers can log in from overseas or they ship the laptops to other locations, including Russia and China.
Some Americans have also rented their identities for the IT workers to use in applying for jobs. A nail salon employee in Maryland will be sentenced in August after he was found to be holding 13 jobs remotely that were handled by North Korean IT workers located in China. His 13 jobs paid nearly $1 million.
The North Korean IT worker scheme is a global conspiracy in which trained workers from the Democratic People’s Republic of Korea (DPRK) are sent around the world to get jobs in tech using fabricated or stolen identities. The workers are legitimate; Microsoft noted some companies that have been victims of the scheme reported that the remote IT workers “were some of their most talented employees.”
The scheme generates up to $600 million a year, according to UN estimates, and the IT workers share information with more malicious cyber attackers that have stolen billions in crypto. The revenue generated by the scheme and the illicitly heisted crypto are used to fund DPRK authoritarian ruler Kim Jong Un’s nuclear weapons program, according to the FBI and the DOJ.
According to Microsoft, the workers are increasingly improving their tactics through the use of AI—eliminating grammatical errors, polishing up photos, and experimenting with voice-changing software.
Jasper Sleet is constantly changing and evolving their profiles across a wide variety of consumer email accounts, senior director of Microsoft Threat Intelligence Center Jeremy Dallman told Coins2Day in a statement.
“Beyond the 3,000 consumer email accounts that were recently taken down, in our efforts to disrupt the actor activity and protect our customers from this threat, Microsoft has continued to takedown persona accounts as they are identified and track the actor’s use of AI,” said Dallman.
At this point, Microsoft hasn’t seen the IT workers using combined AI voice and video just yet, the company said in its warning.
“We do recognize that combining these technologies could allow future threat actor campaigns to trick interviewers into thinking they aren’t communicating with a North Korean IT worker,” Microsoft warned. “If successful, this tactic could allow the North Korean IT workers to do interviews directly and no longer rely on facilitators standing in for them on interviews or selling them account access.”
The IT workers often use the same names and email addresses over and over in crafting their fake personas, using fraudulent profiles on job-networking sites and open-source coding platforms. Microsoft reported the IT workers have also started using AI tools like Faceswap to “move their pictures over to the stolen employment and identity documents” and to generally spruce up their profile pics.
Beyond the account suspensions, Microsoft said it has launched an array of methods to detect IT worker activity through ID protection and other tools. The company has also developed a custom machine-learning solution that uses “impossible time travel risk detections, most commonly between a Western nation and China or Russia” to identify suspect accounts.