Sapphire Sleet APT
The North Korea-affiliated threat group tracked as Sapphire Sleet has reportedly stolen over $10 million in cryptocurrency through social engineering schemes conducted over a six-month timeframe. Research findings indicate that several threat clusters connected to North Korea have been creating fraudulent LinkedIn profiles. These profiles, designed to mimic both recruiters and job seekers, are used to advance illicit activity and generate financial support for the heavily sanctioned regime.
Active since at least 2020, Sapphire Sleet overlaps with other hacking entities, such as APT38 and BlueNoroff. In November 2023, researchers uncovered that the group had set up infrastructure mimicking skills assessment platforms, leveraging these sites to execute its social engineering tactics.
Deceptive Tactics Employed by Sapphire Sleet
Over the past year, the group has primarily employed a strategy of impersonating venture capitalists, feigning interest in a target's business to arrange an online meeting. When targets attempt to join the meeting, they encounter error messages instructing them to contact the meeting administrator or support team for assistance.
If the victim complies, the attackers provide an AppleScript (.scpt) file or a Visual Basic Script (.vbs) file matched to the victim's operating system, under the guise of resolving the issue. Behind the scenes, these scripts deploy malicious software on the victim's macOS or Windows device, enabling the attackers to harvest credentials and access cryptocurrency wallets for subsequent theft.
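The delivery step described above leaves a fairly narrow footprint on the endpoint: a script host (wscript/cscript on Windows, osascript on macOS) launching a .vbs or .scpt file from wherever the "fix" was saved, typically a Downloads, Desktop or temp directory. The following detection routine is an added example written for this article, not code from the original report or from any vendor product; the process-creation records, file names and path conventions in it are constructed for illustration and are not indicators from the campaign.

```python
"""Flag script-host launches of .vbs / .scpt files from user drop directories.

Added example (not part of the original article). The record layout and the
sample events below are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass

# Interpreters that would run the delivered file on each platform.
SCRIPT_HOSTS = {
    "windows": {"wscript.exe", "cscript.exe"},
    "macos": {"osascript"},
}

# A quoted or unquoted argument ending in one of the two script extensions.
SCRIPT_ARG = re.compile(r'"([^"]+\.(?:vbs|scpt))"|(\S+\.(?:vbs|scpt))\b', re.I)

# Locations a file handed over in a chat or download usually lands in
# (assumed conventions; extend to match your environment).
USER_DROP_DIRS = re.compile(
    r"(?i)(\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\"
    r"|/users/[^/]+/(downloads|desktop)/"
    r"|/tmp/|/private/tmp/)"
)


@dataclass
class ProcessEvent:
    host_os: str       # "windows" or "macos"
    image: str         # executable that was launched
    cmdline: str       # full command line
    parent_image: str  # process that launched it


def script_path(cmdline: str):
    """Return the .vbs/.scpt path passed on the command line, or None."""
    m = SCRIPT_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_suspicious_script_launch(ev: ProcessEvent) -> bool:
    """True when a script host runs a .vbs/.scpt file from a user drop directory."""
    image_name = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image_name not in SCRIPT_HOSTS.get(ev.host_os, set()):
        return False
    path = script_path(ev.cmdline)
    if path is None:
        return False
    return bool(USER_DROP_DIRS.search(path))


def flag_events(events):
    """Return the subset of events that match the detection."""
    return [ev for ev in events if is_suspicious_script_launch(ev)]


# Constructed sample telemetry: two launches that fit the delivery pattern,
# one legitimate vendor script, and one inline osascript with no file.
SAMPLE_EVENTS = [
    ProcessEvent("windows", r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\alice\Downloads\fix_meeting.vbs"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("macos", "/usr/bin/osascript",
                 "osascript /Users/bob/Downloads/meeting_fix.scpt",
                 "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"),
    ProcessEvent("windows", r"C:\Windows\System32\cscript.exe",
                 r'cscript.exe "C:\Program Files\Vendor\maintenance.vbs"',
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent("macos", "/usr/bin/osascript",
                 "osascript -e 'display dialog \"hello\"'",
                 "/bin/zsh"),
]

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print(f"[{ev.host_os}] {ev.parent_image} -> {ev.cmdline}")
```

Running the block prints the two constructed events that match; the vendor script outside a user directory and the inline `osascript -e` invocation are left alone. In a real deployment the parent process (a browser, a chat client or a file manager) is worth adding as a second signal, since the delivery described above arrives through a meeting or support conversation rather than through an installer.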
Impersonating Legitimate Entities to Fool Targets
Sapphire Sleet has been observed impersonating recruiters for prominent financial institutions, such as Goldman Sachs, on LinkedIn. This tactic involves contacting potential targets and inviting them to complete a skills assessment hosted on a website controlled by the threat actors.
Victims are provided with a sign-in account and password to access the fraudulent site. Upon logging in and downloading files related to the supposed assessment, they inadvertently install malware on their devices, granting attackers unauthorized access to their systems.
Additionally, cybersecurity analysts have highlighted North Korea's deployment of thousands of IT workers abroad as part of a multifaceted strategy. These workers generate revenue for the regime through legitimate employment, exploit their access to steal intellectual property, and engage in data theft backed by ransom demands.
Due to restrictions within North Korea, such as the inability to open bank accounts or obtain phone numbers, these IT operatives rely on intermediaries to gain access to platforms where they can secure remote jobs. These facilitators assist with tasks like creating accounts on freelance job sites and setting up fake profiles and portfolios on platforms such as GitHub and LinkedIn to interact with recruiters and apply for employment opportunities.
Cybercriminals Are Adopting AI Technologies in Their Operations
In some cases, the group has been found leveraging artificial intelligence (AI) tools, such as Faceswap, to alter photos and documents obtained from victims. These modified images, often placed in professional settings, are then used on resumes or profiles, sometimes under multiple identities, submitted with job applications.
Beyond image manipulation for job applications, North Korean IT workers are also exploring other AI technologies, including voice-changing software, to enhance their deceptive efforts.
The North Korean IT workers appear to maintain a well-organized system for tracking the payments they receive. Their combined efforts are estimated to have generated at least $370,000 in revenue.