Jordan Vega
A venture capitalist, a recruiter from a big company, and a newly hired remote IT worker might not seem to have much in common, but all have been caught as imposters secretly working for the North Korean regime, according to security researchers. At the annual Cyberwarcon conference in Washington DC, researchers warned of a sustained attempt by North Korean hackers to pose as prospective employees seeking work at multinational corporations, with the aim of earning money for the North Korean regime and stealing corporate secrets that benefit its weapons program.
North Korea has raked in billions of dollars in stolen cryptocurrency over the past decade to fund its nuclear weapons program, dodging a raft of international sanctions. Microsoft security researcher James Elliott said in a Cyberwarcon talk that North Korean IT workers have already infiltrated "hundreds" of organizations around the world by creating false identities, while relying on U.S.-based facilitators to handle their company-issued workstations and earnings and so skirt the financial sanctions that apply to North Koreans.
Researchers investigating the country's cyber capabilities see the rising threat from North Korea today as a nebulous mass of different hacking groups with varying tactics and techniques, but with the collective goal of cryptocurrency theft. The regime faces little risk for its hacks — the country is already beset by sanctions. One group of North Korean hackers, dubbed "Ruby Sleet" by Microsoft, compromised aerospace and defense companies with the aim of stealing industry secrets that could help further develop its weapons and navigation systems.
Another group, known as "Sapphire Sleet," masqueraded as recruiters and venture capitalists in campaigns aimed at stealing cryptocurrency from individuals and companies. The hackers would set up virtual meetings, which would intentionally fail, and then pressure victims into downloading malware disguised as a tool to fix the broken meeting. In the fake-recruiter campaign, the imposters would ask prospective candidates to download and complete a skills assessment, which actually contained malware. Once installed, the malware could access other material on the computer, including cryptocurrency wallets. Microsoft said the hackers stole at least $10 million in cryptocurrency over a six-month period alone.
But by far the most persistent and difficult campaign to combat is the effort by North Korean hackers to get hired as remote workers at big companies, piggybacking off the remote-working boom that began during the Covid-19 pandemic. Microsoft called out North Korea's IT workers as a "triple threat" for their ability to deceptively gain employment with big companies and earn money for the North Korean regime, while also stealing company secrets and intellectual property, then extorting the companies with threats of revealing the information.
Of the hundreds of companies that have inadvertently hired a North Korean spy, only a handful of companies have publicly come forward as victims. Security company KnowBe4 said earlier this year that it was tricked into hiring a North Korean employee, but the company blocked the worker's remote access once it realized it had been duped, and it said no company data was taken.
A typical North Korean IT worker campaign creates a series of online accounts, like a LinkedIn profile and GitHub page, to establish a level of professional credibility. The IT worker can generate false identities using AI, including face-swapping and voice-changing technology. Once the worker is hired, the company ships the new employee's laptop to a home address in the United States that, unbeknownst to the company, is controlled by a facilitator, who is tasked with running farms of company-issued laptops. The facilitator also installs remote access software on the laptops, allowing the North Korean spies on the other side of the world to log in remotely without revealing their true location.
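The laptop-farm pattern leaves traces a company can correlate on its own side: several new hires whose laptops shipped to one residential address, remote access software on a company-issued machine, and logins arriving from far away from where that machine was delivered. The script below is an added example, not code from the article, Microsoft or Cyberwarcon; it assumes HR shipping records, an endpoint software inventory and geolocated VPN or identity-provider login events are available, and every record, employee ID, software name and the remote-access watchlist in it is constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample data (not from the article). Shipping addresses are geocoded
# to (lat, lon); a real pipeline would pull these from HR and logistics systems.
SHIPMENTS = [
    {"employee": "e1001", "ship_to": "12 Maple St., Nashville, TN 37201", "geo": (36.16, -86.78)},
    {"employee": "e1002", "ship_to": "12 maple st nashville tn 37201", "geo": (36.16, -86.78)},
    {"employee": "e1003", "ship_to": "12 Maple St, Nashville TN 37201", "geo": (36.16, -86.78)},
    {"employee": "e1004", "ship_to": "900 Ocean Ave, Santa Monica, CA 90401", "geo": (34.02, -118.49)},
]

# Constructed endpoint inventory: software names are placeholders, not real products.
INVENTORY = {
    "e1001": {"corp-edr", "remote-support-agent"},
    "e1002": {"corp-edr", "kvm-over-ip-client"},
    "e1003": {"corp-edr"},
    "e1004": {"corp-edr"},
}

# Constructed VPN/IdP login events with the source IP's geolocation.
LOGINS = [
    {"employee": "e1001", "geo": (36.16, -86.78)},   # same city as the shipment
    {"employee": "e1003", "geo": (55.75, 37.62)},    # thousands of km from the shipment
    {"employee": "e1004", "geo": (34.05, -118.24)},  # a few km from the shipment
]

# Assumption: the organisation maintains its own list of remote access tools
# that should never appear on a managed laptop. Names here are placeholders.
REMOTE_ACCESS_WATCHLIST = {"remote-support-agent", "kvm-over-ip-client"}


def normalize_address(addr):
    """Lower-case and collapse punctuation so trivially varied spellings match."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()


def shared_shipping_addresses(shipments, min_hires=2):
    """Return {normalized address: [employee, ...]} for addresses used by several hires."""
    by_addr = defaultdict(list)
    for s in shipments:
        by_addr[normalize_address(s["ship_to"])].append(s["employee"])
    return {addr: emps for addr, emps in by_addr.items() if len(emps) >= min_hires}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def flag_employees(shipments, inventory, logins, watchlist=REMOTE_ACCESS_WATCHLIST, max_km=500):
    """Return {employee: [reason, ...]} for every employee hitting at least one indicator."""
    reasons = defaultdict(list)
    # Indicator 1: one delivery address receiving laptops for several new hires.
    for addr, emps in shared_shipping_addresses(shipments).items():
        for e in emps:
            reasons[e].append(f"laptop shipped to address shared by {len(emps)} hires ({addr})")
    # Indicator 2: remote access software present on a company-issued laptop.
    for e, software in inventory.items():
        hits = sorted(software & watchlist)
        if hits:
            reasons[e].append("remote access tool on company laptop: " + ", ".join(hits))
    # Indicator 3: logins geolocated far from where the laptop was delivered.
    ship_geo = {s["employee"]: s["geo"] for s in shipments}
    for ev in logins:
        e = ev["employee"]
        if e in ship_geo:
            dist = haversine_km(ship_geo[e], ev["geo"])
            if dist > max_km:
                reasons[e].append(f"login {dist:.0f} km from laptop shipping address")
    return dict(reasons)


if __name__ == "__main__":
    for emp, why in sorted(flag_employees(SHIPMENTS, INVENTORY, LOGINS).items()):
        print(emp)
        for r in why:
            print("  -", r)
```

None of these indicators is conclusive on its own (a shared address can be a legitimate shared household, and a VPN can move a login anywhere), which is why the function collects reasons per employee rather than returning a verdict; an employee with two or three independent hits is the one worth an HR and security review.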
Microsoft said it has also observed the country's spies operating not only out of North Korea but also out of Russia and China, two of the country's close allies, making it more difficult for companies to identify suspected North Korean spies in their networks. Microsoft's Elliott said the company caught a lucky break when it found a repository belonging to a North Korean IT worker that had inadvertently been left public, containing spreadsheets and documents that broke down the campaign in detail, including the dossiers of false identities and resumes that the North Korean IT workers were using to get hired and the amount of money made during the operation.
The North Koreans would also use tricks that could expose them as fakes, like verifying their false identities' LinkedIn accounts the moment they got a company email address, to give the accounts a greater appearance of legitimacy. A security researcher who goes by the handle SttyK said they identified suspected North Korean IT workers in part by contacting them to reveal holes in their false identities, which are not always constructed carefully. In their Cyberwarcon talk, SttyK said they spoke with one suspected North Korean IT worker who claimed to be Japanese but made linguistic mistakes in their messages, such as using words or phrases that do not exist in the Japanese language.
The U.S. government has already levied sanctions against North Korean-linked organizations in recent years in response to the IT worker scheme. The FBI has also warned that malicious actors frequently use AI-generated imagery, or "deepfakes," often built from stolen identities, to land tech jobs. In 2024, U.S. prosecutors charged multiple individuals with running the laptop farms that help the scheme skirt sanctions.
But companies also have to do better at vetting their would-be employees, the researchers urged. "They're not going away," said Elliott. "They're gonna be here for a long time." As the threat from North Korean hackers continues to evolve, companies that hire remotely will need to keep checking identities, devices and logins rather than trusting a polished resume.
Copyright © 2024 Starfolk. All rights reserved.