The DPRK group’s attempts to exfiltrate data and install RMM tools while posing as US IT workers are one of several examples that show cross-domain analysis is needed to tackle rising identity-based attacks, according to CrowdStrike’s counter adversary team, as the company reels in the worldwide outage’s wake.

Cybersecurity giant CrowdStrike has been caught in a torrent of bad news since an errant content configuration update on July 19 sparked a massive IT outage that affected thousands of organizations worldwide. Financial losses from the event could top $15 billion; Delta Air Lines CEO Ed Bastian said he would seek $500 million in damages from CrowdStrike despite CrowdStrike’s claim that Delta rejected its help; and company shareholders are suing, alleging CrowdStrike defrauded them by concealing how its inadequate software testing could cause such a massive outage.

Amid the maelstrom, CrowdStrike has continued doing what gave it such an expansive footprint in the first place: detecting cyber threats and protecting its clients from them. Along those lines, the company is releasing its 2024 Threat Hunting Report at the Black Hat conference today, offering insights, metrics, and case studies on the trends and top threat actors emerging from its threat-hunting operations.

CSO caught up with Adam Meyers, CrowdStrike’s SVP of counter adversary operations, whose team produced the report, for an exclusive interview on the report’s findings. (Questions regarding the “Channel File 291 incident” were directed to CrowdStrike’s Remediation and Guidance Hub, where the company is providing continuous information and updates, including an FAQ.)

[For more Black Hat USA coverage, see “Black Hat: Latest news and insights.”]

Famous Chollima’s shocking insider threats

Of the seven case studies presented in the report, the most daring is that of a group CrowdStrike calls Famous Chollima, an alleged DPRK-nexus group.
Starting from a single incident in April 2024, CrowdStrike discovered that a group of North Koreans, posing as American workers, had been hired since early 2023 for multiple remote IT jobs at more than thirty US-based companies, including aerospace, defense, retail, and technology organizations.

CrowdStrike’s threat hunters found that after obtaining employee-level access to victim networks, the phony workers performed just well enough to keep their jobs while attempting to exfiltrate data using Git, SharePoint, and OneDrive and installing remote monitoring and management (RMM) tools: RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. The workers ran these RMM tools with company network credentials, allowing numerous external IP addresses to connect to victims’ systems.

OverWatch, CrowdStrike’s managed threat-hunting team, then hunted for RMM tooling combined with the suspicious connections surfaced by the company’s Falcon Identity Protection module to find more personas and additional indicators of compromise. CrowdStrike ultimately found that over 100 companies, most of them US-based technology entities, had hired Famous Chollima workers. The OverWatch team contacted the victimized companies to warn them about potential insider threats and quickly corroborated its findings.

“Famous Chollima was one of the more shocking cases we worked on this year,” Meyers says. “The threat-hunting team that wrote this report initially came to me and said, ‘Hey, we have this idea; we think we can do insider threat hunting.’” The next day, CrowdStrike picked up a services and incident response engagement to work with law enforcement on what looked like a malicious insider tied to an external threat actor.

Meyers told his team, “Prove that we could find this malicious insider, which we think could be a foreign intelligence officer. See if you could replicate that in this engagement and show me that you would’ve caught them.
Then, we could discuss whatever investment you’re looking for to build this capability.”

“That was on a Thursday. By Friday, this Australian guy who ran the effort came back to me and said, ‘Hey, we found 30 more victims.’”

The power of cross-domain analysis

The Famous Chollima case illustrates what CrowdStrike calls the power of cross-domain analysis: combining human skill and judgment with automated tools to spot threat actors who use clever methods to evade detection in any single data source.

“Cross-domain threat hunting has become essential as threat actors target multiple domains across an organization’s infrastructure,” CrowdStrike’s report states. “These cross-domain threats pose a challenge to threat hunters because they often generate fewer detections in a single domain or product, making the activity difficult to recognize as malicious.”

Meyers emphasizes that threat actors are becoming increasingly sophisticated as the old ways of infiltrating organizations, such as sending a spreadsheet with macros, don’t cut it anymore due to the prevalence of endpoint detection and response (EDR). “What we’ve seen is that the adversaries continue to move towards and gravitate to identity-based attacks [that use human identities to infiltrate data and networks],” he says. “Almost every attack we see has some identity component. What we are trying to do here is make a strong case for cross-domain threat hunting, which is something that many people don’t understand,” he adds.

Hunting for threats across domains makes these kinds of attacks easier to see, because each domain holds only a fragment of the intrusion. “When you do cross-domain threat hunting, you’re looking at a 20,000-foot view, 50,000-foot view of the battlefield, and you’re able to see the little clue on the identity side,” Meyers says. “And you can tie that to a little clue on the cloud control point side. And you can tie that to another little clue, like a remote monitoring and management tool being deployed on an endpoint,” and so forth.
“You pull those strands together, and that’s how you can better catch one of these intrusions.”

Scattered Spider also caught skipping across domains

Another case study in the report that centers on cross-domain threat hunting is Scattered Spider, a loose, continually problematic collective of young hackers best known for posing as a help desk employee to gain access to MGM Resorts’ internal systems during a major casino hacking spree in September 2023.

In May 2024, the OverWatch team observed Scattered Spider establishing a foothold on a cloud-hosted virtual machine (VM) instance via the cloud provider’s VM management agent. According to CrowdStrike’s report, the group got there by using credentials compromised in a previously identified phishing campaign to authenticate to the cloud control plane. It then executed commands inside the VM to verify its presence on the machine and to identify domain controllers and installed programs.

Detecting the attack would have been difficult because it spanned three operating domains: email, cloud management, and the inside of a VM. No single one of them showed more than a weak signal. But CrowdStrike combined its extensive body of threat intelligence on Scattered Spider with telemetry from the control plane, and correlated those findings against detections from within the virtual machine, to recognize an intrusion under way.

The biggest threat season is around the corner

CrowdStrike is warning that the kinds of threats it calls interactive intrusions, those driven by hands-on-keyboard human operators rather than automated attacks, are on the upswing. According to CrowdStrike’s report, interactive intrusions increased by 55% over the past year. The report also notes an increase in what CrowdStrike calls eCrime activity, or financially motivated crime, with eCrime accounting for 86% of all interactive intrusions.
“We’re seeing more activity year over year, and if you take a look at some of the charts, you’ll notice that every year there’s a spike at Q3 and Q4, and then it stays level for Q1 and Q2, and then there’s a spike again,” Meyers says. “I suspect that pattern will continue.”

Meyers says the pattern can be explained because “after the summer and then around Christmas time, they tend to kind of peak out, and then they don’t really come back online until typically January, February,” and they slow-roll until after their summer vacations.

“From a nation-state perspective and a financial perspective, there’s a lot of money to be made,” he says. “Until that economic incentive goes away, the threat actors will get more emboldened and keep operating. It is ultimately incumbent on all companies to get the right technology and to use that technology to go out and look for threat actors and not wait for things to pop up.”
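The two case studies above, Famous Chollima (RMM tools on endpoints plus sign-ins from many unexpected networks) and Scattered Spider (phished credentials used against the cloud control plane, then discovery commands run inside a VM through the management agent), share one hunting shape: each domain yields only a weak clue, and the intrusion is visible only when the clues are joined on the identity that links them. The script below is an added example that is not part of the article or of CrowdStrike’s tooling. It fuses three constructed telemetry feeds (sign-ins with their source ASN, control-plane calls, endpoint process starts) per user and reports only identities that trip signals in at least two domains. All data, the corporate ASN allowlist, the cloud action names, and the process image names are assumptions made for the example; the in-VM process is attributed to the cloud principal that issued a run command against that host, since the guest agent runs it as SYSTEM rather than as the caller.

```python
"""Cross-domain hunt over constructed telemetry (added example, not CrowdStrike code).

Feeds, each a list of dicts keyed by the user identity that links them:
  identity : sign-ins        {user, src_ip, asn}
  cloud    : control-plane   {user, action, target, src_ip}
  endpoint : process starts  {user, host, image, cmdline}
"""
from collections import defaultdict

# Allowlisted autonomous systems for the fictional tenant (corporate egress and its VPN provider).
CORP_ASNS = {"AS64500", "AS64501"}

# Binary names of RMM tools named in the report (assumed names; remoting_host.exe is
# Chrome Remote Desktop's host service). VS Code is only a remote channel with "tunnel".
RMM_IMAGES = {"rustdesk.exe", "anydesk.exe", "remoting_host.exe"}
VSCODE_TUNNEL = ("code.exe", "tunnel")

# Control-plane actions that execute code inside a VM via the provider's guest agent
# (hypothetical action strings modelled on Azure Run Command and AWS SSM).
CLOUD_EXEC_ACTIONS = {"Microsoft.Compute/virtualMachines/runCommand/action", "ssm:SendCommand"}

# Command-line fragments used to enumerate domain controllers and installed software.
DISCOVERY_MARKERS = ("nltest", "/dclist", "get-addomaincontroller", "wmic product", "get-package")


def identity_signals(events):
    """Users who signed in from autonomous systems outside the corporate allowlist."""
    asns = defaultdict(set)
    for e in events:
        if e["asn"] not in CORP_ASNS:
            asns[e["user"]].add(e["asn"])
    return {u: [f"sign-in from {len(s)} non-corporate ASN(s): {sorted(s)}"] for u, s in asns.items()}


def cloud_signals(events):
    """Principals that ran commands inside a VM through the management agent."""
    out = defaultdict(list)
    for e in events:
        if e["action"] in CLOUD_EXEC_ACTIONS:
            out[e["user"]].append(f"{e['action']} on {e['target']} from {e['src_ip']}")
    return dict(out)


def endpoint_signals(events, agent_hosts=None):
    """RMM tooling, VS Code tunnels and AD/software discovery in process telemetry.

    agent_hosts maps a VM name to the cloud principal that ran a command on it, so a
    process the guest agent spawned as SYSTEM is credited to that principal.
    """
    agent_hosts = agent_hosts or {}
    out = defaultdict(list)
    for e in events:
        owner = agent_hosts.get(e["host"], e["user"])
        image = e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        cmd = e["cmdline"].lower()
        if image in RMM_IMAGES:
            out[owner].append(f"RMM tool {image} on {e['host']}")
        elif image == VSCODE_TUNNEL[0] and VSCODE_TUNNEL[1] in cmd.split():
            out[owner].append(f"VS Code dev tunnel on {e['host']}")
        if any(m in cmd for m in DISCOVERY_MARKERS):
            out[owner].append(f"discovery command on {e['host']} as {e['user']}: {e['cmdline']}")
    return dict(out)


def hunt(identity, cloud, endpoint, min_domains=2):
    """Join per-domain signals on the user and keep identities seen in >= min_domains domains."""
    agent_hosts = {e["target"]: e["user"] for e in cloud if e["action"] in CLOUD_EXEC_ACTIONS}
    per_domain = {
        "identity": identity_signals(identity),
        "cloud": cloud_signals(cloud),
        "endpoint": endpoint_signals(endpoint, agent_hosts),
    }
    users = set().union(*(sig.keys() for sig in per_domain.values()))
    leads = {}
    for u in sorted(users):
        hits = {dom: sig[u] for dom, sig in per_domain.items() if u in sig}
        if len(hits) >= min_domains:
            leads[u] = hits
    return leads


# Constructed sample telemetry (not real logs). alice mimics the Famous Chollima pattern,
# carol the Scattered Spider pattern, dave a legitimate AnyDesk user, bob a quiet baseline.
IDENTITY = [
    {"user": "alice", "src_ip": "203.0.113.10", "asn": "AS64500"},
    {"user": "alice", "src_ip": "198.51.100.7", "asn": "AS64999"},   # residential ISP
    {"user": "alice", "src_ip": "192.0.2.44",   "asn": "AS65100"},   # hosting provider
    {"user": "bob",   "src_ip": "203.0.113.11", "asn": "AS64500"},
    {"user": "carol", "src_ip": "192.0.2.200",  "asn": "AS65200"},   # first sign-in after the phish
    {"user": "dave",  "src_ip": "203.0.113.12", "asn": "AS64501"},
]
CLOUD = [
    {"user": "carol", "action": "Microsoft.Compute/virtualMachines/runCommand/action",
     "target": "vm-app-01", "src_ip": "192.0.2.200"},
    {"user": "bob", "action": "Microsoft.Compute/virtualMachines/read",
     "target": "vm-app-01", "src_ip": "203.0.113.11"},
]
ENDPOINT = [
    {"user": "alice", "host": "LT-ALICE", "image": r"C:\Users\alice\AppData\Local\rustdesk\rustdesk.exe",
     "cmdline": "rustdesk.exe --service"},
    {"user": "alice", "host": "LT-ALICE", "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe tunnel --accept-server-license-terms"},
    {"user": "SYSTEM", "host": "vm-app-01", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dclist:corp.example"},
    {"user": "dave", "host": "LT-DAVE", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe"},
]

if __name__ == "__main__":
    for user, hits in hunt(IDENTITY, CLOUD, ENDPOINT).items():
        print(user)
        for domain, findings in hits.items():
            for f in findings:
                print(f"  [{domain}] {f}")
```

Run stand-alone, the hunt surfaces alice (identity plus endpoint) and carol (identity, cloud and endpoint) while dave, whose only clue is a single AnyDesk process, stays below the two-domain threshold; lowering `min_domains` to 1 brings him back as noise, which is the trade-off the report describes when each product is queried on its own.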