GitLab Details North Korean Threat Actor Tactics
GitLab's threat intelligence team published research on recent North Korean tradecraft. The campaigns reportedly involve social engineering through fake interviews and the use of North Korean IT workers to compromise supply chains. The findings underscore the persistence of state-sponsored actors in targeting software development and deployment pipelines.
- The social engineering campaign is known in the security industry as "Contagious Interview" and has been active since at least 2022.
- A specific tactic involves tricking developers into cloning a malicious code repository and opening it in Visual Studio Code, which uses task configuration files to automatically execute malware.
- The threat actor is tracked under various names, including UNC4899 and TraderTraitor, and is assessed with high confidence to be a cryptocurrency-focused unit within North Korea's Reconnaissance General Bureau (RGB).
- In at least one instance, an operational security mistake by the group revealed their true origin when a VPN connection failed, exposing an IP address in Pyongyang.
- Illicitly employed North Korean IT workers can reportedly earn around $300,000 annually for the regime, with coordinated teams generating over $3 million.
- These remote IT workers have begun using AI to generate fake profile pictures, create deepfakes for video interviews, and use writing tools to bypass language barriers during their application processes.
- The group, also identified as InkySquid or APT37, has been known to deploy malware such as RoKRAT, a remote access trojan that has a version for macOS, and another custom malware family called BLUELIGHT.