CrowdStrike Alert: 40% of Affected Companies Were Victims of North Korean APT Group
When CrowdStrike alerted 200 customers last summer that its OverWatch managed threat hunting service had found endpoint telemetry indicating they may have at least one fake IT employee working for them, many were initially doubtful that they were among those affected.
Further Investigation Reveals North Korean APT Group Involvement
Upon further investigation, however, 40% of them turned out to be victims of a North Korean APT (Advanced Persistent Threat) group known as "Famous Chollima." The group recruits people to apply for open tech jobs; once hired, it uses their access to deploy malware and steal data. The spike in the group's activity was a significant concern for CrowdStrike.
Insider Threats Remain a Risk
Famous Chollima's activity has fallen from last year's peak, although CrowdStrike expects variations on this type of insider threat to continue. "It's not out of the realm of possibilities for other threat actors to try to either mimic or come up with another creative way to try to infiltrate companies," says Etheridge.
Forrester Agrees: Insider Threats Will Continue to be a Risk
Forrester’s Blankenship agrees. "I believe threat actors like Famous Chollima will continue to be a risk," he says. "Without measures in place to confirm the identities of employees and contractors, organizations will continue to be vulnerable to threat actors posing as legitimate workers. Ongoing monitoring for suspicious insider behavior is also necessary to detect these threat actors."
Conclusion
The alert from CrowdStrike highlights the ongoing risk of insider threats, particularly those posed by North Korean APT groups. Organizations must remain vigilant and implement measures to detect and prevent these types of threats, including ongoing monitoring for suspicious insider behavior.