
Submission: North Korean Group Infiltrated 100-plus Firms With Imposter IT pros (csoonline.com)

snydeq writes: The DPRK group’s attempts to exfiltrate data and install RMM tools by posing as US IT workers were discovered by CrowdStrike’s counter adversary team, which recently published a report on this and other findings. 'Famous Chollima was one of the more shocking cases we worked on this year,' said Adam Meyers, CrowdStrike’s SVP of counter adversary operations, who told his team after they found the first instance, 'Prove that we could find this malicious insider, which we think could be a foreign intelligence officer. ... That was on a Thursday. By Friday, this Australian guy who ran the effort came back to me and said, "Hey, we found 30 more victims."' CrowdStrike ultimately found that over 100 companies, most US-based technology entities, had hired Famous Chollima workers. CrowdStrike’s threat hunters discovered that after obtaining employee-level access to victim networks, the phony workers performed at minimal enough levels to keep their jobs while attempting to exfiltrate data using Git, SharePoint, and OneDrive and installing remote monitoring and management (RMM) tools RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop.
This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.
