These are the IP addresses the North Koreans are using to connect to American companies through remote desktop software such as AnyDesk. They also use trusted collaboration platforms such as Webex and Microsoft Teams to take control of a device without triggering EDR systems, relying on the "take control" features or plugins built into those tools. In corporate environments these pseudo-remote-desktop apps should have their remote-control features disabled, because that activity cannot be easily detected by EDR systems.
IoCs (source IP addresses observed in RustDesk logs):
Recommendations for detection and prevention:
Hand out company laptops instead of allowing employees to bring their own devices.
Secure company devices and endpoints with EDR software and have your security team add filters that detect connections from the IP addresses listed above, as well as the other known AstrillVPN IPs published by Spur: https://storage.googleapis.com/spur-astrill-vpn/ips.txt
Add filters to your EDR software that flag inbound connections to endpoints from IP addresses in Russia, China, and similar countries, particularly ones that connect to the same devices consistently during work hours.
Perform a thorough background check that looks for inconsistencies between the submitted resume and the applicant's actual job history. A simple background check from Checkr or other well-known services is not going to cut it anymore. We recommend you reach out to us for our advanced personnel due diligence reports, which go beyond the typical job history, education verification, and criminal records checks and examine the applicant's own digital footprint to find inconsistencies between what they claim and what the data shows. We have access to over one trillion digital data points that we scour for the truth for our clients.
Perform online video interviews that allow you to see the participant as they respond.
Instruct applicants to show you the space they are conducting the interview in before you start. Look for things like multiple laptops in one room, video calls or online meeting software visible on screens other than the one the meeting is taking place on, multiple keyboards or mice, multiple headsets, multiple cameras, etc.
Instruct applicants to share their entire screen during interviews and, if possible, keep their hands visible during the interview.
During video interviews pay attention to the candidate's eyes; look for them going back and forth as if they are reading from something. If they are, drill down on answers that seemed prepared from something they read. Try to catch them out by asking specific or technical questions in that area that they are unlikely to have prepared answers for ahead of time, or that would be difficult to answer promptly if they are lying or making something up.
Perform in-person interviews whenever possible.
Require employees to document the environment they work in from home, such as regularly taking a picture of the space where they keep their laptop and work.
Require employees to attend regular meetings on video, especially in the mornings, when other jobs could conflict.
Ensure employees participate in regular meetings and thoroughly understand the work they have recently submitted to you.
Instruct managers to look for inconsistencies in their employees, such as their voice sounding different between meetings, their English suddenly being very broken, or their being unable to explain or talk about the work they performed, as if they were not the ones who performed it.
Require employees to complete in-person tests or processes such as physicals, drug tests, notarized documents, or fingerprinting; even if you don't care about the results, it adds a layer of difficulty for the North Koreans. This is especially important for highly sensitive positions with access to critical data or systems.
Require employees to attend in-person company events, retreats, meetings, conferences, etc. at least once a year.
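As an added example, not the advisory's own tooling, here is the EDR-style filtering described in the recommendations above, run over a constructed connection log: each inbound remote-control session is checked against the IoC IPs, a Spur-style one-IP-per-line VPN list, and a watch-country rule limited to working hours. The log line format, the GeoIP lookup table, and the working-hours window are assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, time

# Two of the source IPs listed in the advisory above; extend with the full list.
KNOWN_IOC_IPS = {"155.94.255.2", "83.234.227.35"}
WATCH_COUNTRIES = {"RU", "CN"}  # countries the advisory says to watch
WORK_START, WORK_END = time(8, 0), time(18, 0)  # local working hours, assumed

# Constructed stand-in for Spur's one-IP-per-line AstrillVPN list.
ASTRILL_SAMPLE = "# constructed sample\n198.51.100.7\n203.0.113.9\n"
# Constructed stand-in for a GeoIP lookup (ip -> ISO country code).
GEO_SAMPLE = {"203.0.113.9": "US", "192.0.2.21": "RU", "192.0.2.22": "RU"}
# Constructed remote-access events in a made-up format, not RustDesk's real log.
LOG_SAMPLE = """\
2024-05-06T09:12:44 src=155.94.255.2 user=jdoe tool=rustdesk event=connect
2024-05-06T10:03:01 src=203.0.113.9 user=asmith tool=anydesk event=connect
2024-05-06T11:30:15 src=192.0.2.21 user=jdoe tool=teams event=control
2024-05-06T23:45:00 src=192.0.2.22 user=bli tool=rustdesk event=connect
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) tool=(\S+) event=(\S+)$")

def load_ip_list(text):
    """Parse a one-IP-per-line list, skipping blanks/comments and rejecting junk."""
    ips = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            ips.add(str(ipaddress.ip_address(line)))  # raises on malformed entries
    return ips

def flag_connections(log_text, ioc_ips, vpn_ips, geo):
    """Return (user, src_ip, tool, reasons) for every event that matches a filter."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparsable line: skip rather than crash the pipeline
        ts, src, user, tool, _event = m.groups()
        reasons = []
        if src in ioc_ips:
            reasons.append("known_ioc")
        if src in vpn_ips:
            reasons.append("astrill_vpn")
        during_work = WORK_START <= datetime.fromisoformat(ts).time() <= WORK_END
        if geo.get(src) in WATCH_COUNTRIES and during_work:
            reasons.append("watch_country_work_hours")
        if reasons:
            hits.append((user, src, tool, reasons))
    return hits
```

The off-hours Russian session in the sample is deliberately not flagged by the country rule, so the reasons list tells an analyst which filter fired rather than only that something matched.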