While threat actors across the board struggle to meaningfully upgrade their cyberattacks with artificial intelligence (AI), North Korean threat actors are making more practical use of the same technology to perpetuate their classic IT worker scams.<\/p>\n\n\n\n
In a new report, Microsoft’s threat intelligence team described how two clusters of malicious actors tied to the Democratic People’s Republic of Korea (DPRK) \u2014 “Jasper Sleet” and “Coral Sleet” \u2014 use AI<\/a> in a variety of ways to improve the scale and precision of their fraudulent campaigns<\/a>, enabling “sustained, large-scale misuse of legitimate access” to organizations that don’t know better. They’re using it to more effectively fabricate their identities, maintain those identities, and socially engineer their prospective employers in all kinds of small but meaningful ways.<\/p>\n\n\n\n None of the tactics, techniques, and procedures (TTPs) described in the report are novel. Still, they’re useful for organizations to know about, as the same old shtick has continued to bring the bad guys success for years now, despite more widespread awareness and law enforcement counteraction<\/a>.<\/p>\n\n\n\n There’s no stage of an IT worker scam that isn’t touched by \u2014 if not entirely enabled by \u2014 AI technology.<\/p>\n\n\n\n Long before a company receives a fake r\u00e9sum\u00e9 and cover letter in its inbox, threat actors use AI tools to research the jobs they want to target on platforms like Upwork, and how to most effectively apply for them. They use them to extract useful terminology from job postings, and identify the requirements that might make a fake application look good, such as certifications, skills, or tools applicants are expected to possess.<\/p>\n\n\n\n Working with a linguistic and cultural gap, the threat actors within a group like Jasper Sleet will then prompt large language model (LLM) chatbots<\/a> for fake names, email addresses, and social media handles that might appear convincing to their intended victims. It goes without saying that they also use chatbots to write their r\u00e9sum\u00e9s and cover letters.<\/p>\n\n\n\n Finally, threat actors bring all of this information together to create convincing digital personas mimicking IT talent. These personas can be used repeatedly to apply for various jobs across different employers.<\/p>\n\n\n\n Sometimes these personas are AI-generated, from the details of a r\u00e9sum\u00e9 through the polished headshot used at the top. In other cases, Jasper Sleet has used a commercial face swapping app called Faceswap to insert their own chosen faces into real individuals’ stolen identity documents. And in interviews with prospective employers, it supplements fake visuals with voice-changing software.<\/p>\n\n\n\n Securing a gig is just phase one of the attack. AI remains essential when fake IT workers actually have to do their jobs.<\/p>\n\n\n\n Part of it is about keeping up the ruse. Having initially presented as a certain kind of person, with certain qualifications and a certain character of speech, the threat actors then have to perform the actions and maintain the tone of voice their employer expects. That could mean successfully fulfilling tasks handed to them by their employer, or presenting consistently across email and chat platforms used for daily communication.<\/p>\n\n\n\n In a lot of ways, though their intent is different, DPRK threat actors also use AI just like your average business user. They ask it to help them respond to emails, generate snippets of code, and carry out any number of other little tasks<\/a>. And like those users, Microsoft has also observed threat actors experimenting with agentic AI. <\/p>\n\n\n\n “Although not yet observed at scale and limited by reliability and operational risk, these efforts point to a potential shift toward more adaptive threat actor tradecraft that could complicate detection and response,” the researchers wrote.<\/p>\n\n\n\nHow AI Helps Fake IT Workers Apply for Jobs<\/h2>\n\n\n\n
How AI Helps Fake IT Workers Do their Jobs<\/h2>\n\n\n\n