{"id":14614,"date":"2025-08-07T23:31:56","date_gmt":"2025-08-07T23:31:56","guid":{"rendered":"https:\/\/naijaglobalnews.org\/?p=14614"},"modified":"2025-08-07T23:31:56","modified_gmt":"2025-08-07T23:31:56","slug":"leak-reveals-the-workaday-lives-of-north-korean-it-scammers","status":"publish","type":"post","link":"https:\/\/naijaglobalnews.org\/?p=14614","title":{"rendered":"Leak Reveals the Workaday Lives of North Korean IT Scammers"},"content":{"rendered":"<p>\n<\/p>\n<p class=\"paywall\">The tables show the potential target jobs for IT workers. One sheet, which seemingly includes daily updates, lists job descriptions (\u201cneed a new react and web3 developer\u201d), the companies advertising them, and their locations. It also links to the vacancies on freelance websites or contact details for those conducting the hiring. One \u201cstatus\u201d column says whether they are \u201cwaiting\u201d or if there has been \u201ccontact.\u201d<\/p>\n<p class=\"paywall\">Screenshots of one spreadsheet seen by WIRED appear to list the potential real-world names of the IT workers themselves. Alongside each name is a register of the make and model of computer they allegedly have, as well as monitors, hard drives, and serial numbers for each device. The \u201cmaster boss,\u201d who does not have a name listed, is apparently using a 34-inch monitor and two 500GB hard drives.<\/p>\n<p class=\"paywall\">One \u201canalysis\u201d page in the data seen by SttyK, the security researcher, shows a list of types of work the group of fraudsters are involved in: AI, blockchain, web scraping, bot development, mobile app and web development, trading, CMS development, desktop app development, and \u201cothers.\u201d Each category has a potential budget listed and a \u201ctotal paid\u201d field. 
A dozen graphs in one spreadsheet claim to track how much they have been paid, the most lucrative regions to make money from, and whether getting paid weekly, monthly, or as a fixed sum is the most successful.<\/p>\n<p class=\"paywall\">\u201cIt\u2019s professionally run,\u201d says Michael \u201cBarni\u201d Barnhart, a leading North Korean hacking and threat researcher who works for insider threat security firm DTEX. \u201cEveryone has to make their quotas. Everything needs to be jotted down. Everything needs to be noted,\u201d he says. The researcher adds that he has seen similar levels of record keeping with North Korea\u2019s sophisticated hacking groups, which have stolen billions in cryptocurrency in recent years, and are largely separate to IT worker schemes. Barnhart has viewed the data obtained by SttyK and says it overlaps with what he and other researchers were tracking.<\/p>\n<p class=\"paywall\">\u201cI do think this data is very real,\u201d says Evan Gordenker, a consulting senior manager at the Unit 42 threat intelligence team of cybersecurity company Palo Alto Networks, who has also seen the data SttyK obtained. Gordenker says the firm had been tracking multiple accounts in the data and that one of the prominent GitHub accounts was previously exposing the IT workers\u2019 files publicly. None of the DPRK-linked email addresses responded to WIRED\u2019s requests for comment.<\/p>\n<p class=\"paywall\">GitHub removed three developer accounts after WIRED got in touch, with Raj Laud, the company\u2019s head of cybersecurity and online safety, saying they have been suspended in line with its \u201cspam and inauthentic activity\u201d rules. \u201cThe prevalence of such nation-state threat activity is an industry-wide challenge and a complex issue that we take seriously,\u201d Laud says.<\/p>\n<p class=\"paywall\">Google declined to comment on specific accounts WIRED provided, citing policies around account privacy and security. 
\u201cWe have processes and policies in place to detect these operations and report them to law enforcement,\u201d says Mike Sinno, director of detection and response at Google. \u201cThese processes include taking action against fraudulent activity, proactively notifying targeted organizations, and working with public and private partnerships to share threat intelligence that strengthens defenses against these campaigns.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The tables show the potential target jobs for IT workers. One sheet, which seemingly includes daily updates, lists job descriptions (\u201cneed a new react and web3 developer\u201d), the companies advertising them, and their locations. It also links to the vacancies on freelance websites or contact details for those conducting the hiring. One \u201cstatus\u201d column says<\/p>\n","protected":false},"author":1,"featured_media":14615,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[52],"tags":[685,4208,3948,242,572,8232,8231],"class_list":{"0":"post-14614","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-korean","9":"tag-leak","10":"tag-lives","11":"tag-north","12":"tag-reveals","13":"tag-scammers","14":"tag-workaday"},"_links":{"self":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/posts\/14614","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14614"}],"version-history":[{"count":0,"href":"https:\/\/naijaglobaln
ews.org\/index.php?rest_route=\/wp\/v2\/posts\/14614\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/media\/14615"}],"wp:attachment":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14614"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14614"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}