CrowdStrike attributes approximately 47% of the "hands-on-keyboard" intrusions it observed against the U.S. technology sector to North Korean state-sponsored actors, primarily the FAMOUS CHOLLIMA cluster [1]. The operatives obtain remote employment under fraudulent personas, using AI-generated resumes and stolen PII to pass remote KYC and pre-employment background checks. To keep a domestic footprint and stay off the radar, they route the issued corporate laptops through U.S.-based "laptop farms", controlling each machine over PiKVM IP-KVM hardware (out-of-band keyboard, video and mouse access that works from the BIOS up and installs nothing on the host) and reaching the farm through Tailscale mesh VPNs, which serve as their encrypted remote-access channel [2]. Salaries, exfiltrated intellectual property and stolen cryptocurrency all finance DPRK weapons development.
Threat Actor Profile: FAMOUS CHOLLIMA
- Identified as the most active DPRK unit targeting the tech sector through interactive, hands-on-keyboard intrusions rather than malware-driven ones.
- Operates alongside clusters such as LABYRINTH CHOLLIMA and STARDUST CHOLLIMA to target global firms.
- Strategically targets high-salary remote software developer and AI architect roles to maximize financial yield.
Attack Vector: Identity Fraud and Social Engineering
- Employs AI tools to mirror job descriptions in resumes and provide real-time answers during video interviews.
- Utilizes stolen PII (Social Security numbers, passports) to bypass traditional pre-employment background checks.
- Orchestrates large-scale application campaigns, with single cells submitting over 166,000 applications.
Technical Execution: Laptop Farms and Persistence
- Employs U.S.-based facilitators to host "laptop farms," providing a domestic IP presence to bypass geographic access controls.
- Attaches PiKVM (Raspberry Pi-based KVM-over-IP) devices to the corporate laptops. The Pi enumerates on the laptop as a USB keyboard and mouse and captures its HDMI output, giving the remote operator console access from the BIOS up without installing any agent on the host; endpoint EDR sees only a local keyboard, mouse and display, which is why this layer evades most endpoint tooling.
- Reaches the farm over Tailscale (a WireGuard-based mesh VPN) and commercial services such as Astrill VPN, so traffic between operative nodes is encrypted and the corporate laptop's visible egress remains a U.S. residential address.
Operational Objectives: Revenue and Espionage
- Targets blockchain and cryptocurrency firms to facilitate direct theft of digital assets.
- Conducts industrial espionage to exfiltrate sensitive source code for the Reconnaissance General Bureau (RGB).
- Implements data extortion tactics, threatening to leak proprietary code following discovery.
Defensive Strategy: Mitigation and Detection
- Implement Zero Trust Architecture (ZTA) and strict Principle of Least Privilege (PoLP) for all remote hires, so that a single fraudulent or compromised hire cannot reach source code repositories, signing keys or cryptocurrency infrastructure beyond the scope of their role.
- Enhance vetting through non-scripted "cultural" interviews and rigorous verification of hardware shipping addresses, including confirming that the laptop first checks in from the address on the employment record.
- Monitor endpoints and the network for unauthorized RDP sessions, mesh-VPN clients (Tailscale, WireGuard) and commercial VPN egress, newly attached USB keyboard/mouse composite devices, and several corporate laptops checking in from one residential IP. Because an IP-KVM operates out of band, host telemetry alone will show at most a new USB HID device, so correlate it with network telemetry rather than relying on either source in isolation.
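The following triage script is an added example, not code from the CrowdStrike report or from any vendor product, and it covers both the laptop-farm indicators above (mesh VPN, IP-KVM, shared residential egress) and the monitoring bullet in this section. It runs over a constructed JSON-lines telemetry sample with an assumed schema (host, type, egress_ip and so on) that you would map to your own EDR's fields. The Tailscale and WireGuard process names, domains and default UDP ports are real; the PiKVM USB descriptor match (vendor ID 0x1d6b, product string "Composite KVM Device") is an assumption about the stock gadget configuration, which an operator can change, so treat it as one signal among several.

```python
"""Laptop-farm / mesh-VPN triage over endpoint telemetry.

Added example, not from the CrowdStrike report or from any vendor product.
Input is JSON-lines with a constructed schema (host, type, ...); map the
field names to whatever your EDR exports.
"""
import json
from collections import defaultdict

# Process names of the mesh-VPN clients named on the page (Tailscale, WireGuard).
MESH_VPN_PROCESSES = {"tailscaled", "tailscaled.exe", "tailscale-ipn.exe",
                      "wireguard.exe", "wg-quick"}
# Tailscale's coordination server and DERP relays live under tailscale.com.
MESH_VPN_DOMAINS = ("tailscale.com",)
# Default UDP ports: Tailscale 41641, WireGuard 51820.
MESH_VPN_UDP_PORTS = {41641, 51820}
RDP_PORT = 3389
# Assumption: PiKVM's stock USB-gadget descriptor (Linux Foundation vendor ID,
# product string "Composite KVM Device"). Operators can change it, so treat
# this as one signal, not proof, and confirm against your device inventory.
KVM_GADGET_VENDOR_ID = "0x1d6b"
KVM_GADGET_STRINGS = ("composite kvm device", "pikvm")

# Constructed sample telemetry (not real logs). Hosts LT-1042, LT-2210 and
# LT-3377 sit behind one residential IP; LT-0001 is a normal employee laptop.
SAMPLE_EVENTS = """
{"host":"LT-1042","type":"process","name":"tailscaled.exe","cmd":"tailscaled.exe --tun=userspace-networking","egress_ip":"203.0.113.7"}
{"host":"LT-1042","type":"netconn","dst":"controlplane.tailscale.com","dport":443,"proto":"tcp","egress_ip":"203.0.113.7"}
{"host":"LT-1042","type":"usb","vendor_id":"0x1d6b","product_id":"0x0104","manufacturer":"PiKVM","product":"Composite KVM Device","egress_ip":"203.0.113.7"}
{"host":"LT-2210","type":"netconn","dst":"198.51.100.22","dport":41641,"proto":"udp","egress_ip":"203.0.113.7"}
{"host":"LT-2210","type":"netconn","dst":"10.0.5.7","dport":3389,"proto":"tcp","egress_ip":"203.0.113.7"}
{"host":"LT-3377","type":"process","name":"code.exe","cmd":"code.exe .","egress_ip":"203.0.113.7"}
{"host":"LT-0001","type":"process","name":"outlook.exe","cmd":"outlook.exe","egress_ip":"192.0.2.10"}
{"host":"LT-0001","type":"usb","vendor_id":"0x046d","product_id":"0xc52b","manufacturer":"Logitech","product":"USB Receiver","egress_ip":"192.0.2.10"}
"""


def load_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(ev):
    """Return an indicator tag for one event, or None if it looks benign."""
    kind = ev.get("type")
    if kind == "process":
        if str(ev.get("name", "")).lower() in MESH_VPN_PROCESSES:
            return "mesh_vpn_process"
    elif kind == "netconn":
        dst = str(ev.get("dst", "")).lower()
        proto = str(ev.get("proto", "")).lower()
        if dst.endswith(MESH_VPN_DOMAINS) or (proto == "udp" and ev.get("dport") in MESH_VPN_UDP_PORTS):
            return "mesh_vpn_netconn"
        if ev.get("dport") == RDP_PORT:
            return "rdp"
    elif kind == "usb":
        strings = " ".join(str(ev.get(k, "")) for k in ("manufacturer", "product")).lower()
        if (str(ev.get("vendor_id", "")).lower() == KVM_GADGET_VENDOR_ID
                or any(s in strings for s in KVM_GADGET_STRINGS)):
            return "kvm_gadget"
    return None


def host_indicators(events):
    """Map host -> set of indicator tags; hosts with nothing suspicious are omitted."""
    found = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            found[ev["host"]].add(tag)
    return dict(found)


def shared_egress(events, min_hosts=3, known_egress=frozenset()):
    """Egress IPs fronting at least `min_hosts` distinct corporate devices.

    Office and corporate-VPN NAT addresses legitimately collapse many hosts
    onto one IP, so pass them in `known_egress` or this heuristic is all noise.
    """
    hosts_by_ip = defaultdict(set)
    for ev in events:
        ip = ev.get("egress_ip")
        if ip and ip not in known_egress:
            hosts_by_ip[ip].add(ev["host"])
    return {ip: sorted(hosts) for ip, hosts in hosts_by_ip.items() if len(hosts) >= min_hosts}


def triage(events, **egress_opts):
    """Combine per-host indicators with the shared-egress signal."""
    result = host_indicators(events)
    for ip, hosts in shared_egress(events, **egress_opts).items():
        for host in hosts:
            result.setdefault(host, set()).add(f"shared_egress:{ip}")
    return {host: sorted(tags) for host, tags in result.items()}


if __name__ == "__main__":
    for host, tags in sorted(triage(load_events(SAMPLE_EVENTS)).items()):
        print(f"{host}: {', '.join(tags)}")
```

On the sample, LT-1042 trips all three endpoint signals, LT-2210 shows a mesh-VPN tunnel plus RDP, and LT-3377 has nothing on the host but shares the same residential egress as the other two, which is the farm pattern the report describes. Seed `known_egress` with your office and corporate-VPN NAT addresses before running this at scale, and treat the USB descriptor match as corroboration rather than a verdict, since the descriptor is operator-configurable.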
Related posts
- techcrunch.com — North Koreans behind nearly half of US tech industry hacks, says CrowdStrike
- techjacksolutions.com — Technology Sector Under Sustained Nation-State and Criminal Siege: China, DPRK, and eCrime Actors Converge on AI, IP, and Supply Chains
- techjacksolutions.com — Multi-Vector State and Criminal Campaign Targets Technology Sector: China, DPRK, and eCrime Groups Drive 2025-2026 Intrusion Surge