🚨 New Research Drop:
🇰🇵 DPRK IT Workers | A Network of Active Front Companies and Their Links to China
Summary:
⚪ Newly Disrupted Front Companies by USG
⚪ Impersonating US based software and tech orgs
⚪ Links to still-active front orgs, CN association
Report:
https://www.sentinelone.com/labs/dprk-it-workers-a-network-of-active-front-companies-and-their-links-to-china/
Comments
For the ambitious out there, here are some bonus pivots and additional findings worth exploring! h/t @kennethkinion.bsky.social
In Validin, take one of our domains (inditechlab[.]com in this case) and pivot on the second the registration was changed by the actor. Check out 2024-04-10T17:14:08Z
Look at matching registration results tab, and filter by NameCheap (commonly used as noted in the blog).
Results show two interesting domains, one of which certainly fits our profile of tech orgs -- sunlotustech[.]com
Sunlotustech resolves to 103.103.128[.]165. Live but struggling to function; however, the content lines up with Softiba IT Solutions, a legitimate organization based in Istanbul.
So, some additional work required here, but sunlotustech overall fits the profile. Happy hunting!
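The registration-timestamp pivot described in the comment above, written out as an added example (this is not code from the SentinelOne report, from Validin, or from the commenter). It assumes you already have WHOIS-style records exported from whatever source you use; the record set below is constructed, and only inditechlab[.]com, its 2024-04-10T17:14:08Z update timestamp, sunlotustech[.]com and the NameCheap registrar come from the thread. The `.example` domains and the other timestamps are placeholders. The function generalizes the pivot slightly: instead of an exact second match it accepts an optional tolerance window, which is useful when the registrar's own update batching smears a bulk change across a few seconds.

```python
"""Registration-timestamp pivot over WHOIS-style records (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class WhoisRecord:
    domain: str        # defanged, as in the thread
    registrar: str
    updated: datetime  # "last updated" timestamp in UTC


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339-style UTC timestamp such as 2024-04-10T17:14:08Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample set. Only the first two records reflect the thread;
# every *.example domain and its timestamp is a placeholder.
RECORDS: List[WhoisRecord] = [
    WhoisRecord("inditechlab[.]com", "NameCheap", parse_ts("2024-04-10T17:14:08Z")),
    WhoisRecord("sunlotustech[.]com", "NameCheap", parse_ts("2024-04-10T17:14:08Z")),
    WhoisRecord("placeholder-b.example", "NameCheap", parse_ts("2024-04-10T17:14:08Z")),
    WhoisRecord("other-registrar.example", "SomeOtherRegistrar", parse_ts("2024-04-10T17:14:08Z")),
    WhoisRecord("near-miss.example", "NameCheap", parse_ts("2024-04-10T17:14:13Z")),
    WhoisRecord("unrelated.example", "NameCheap", parse_ts("2024-04-11T09:00:00Z")),
]


def pivot_on_timestamp(
    records: Iterable[WhoisRecord],
    seed_domain: str,
    window_seconds: int = 0,
    registrar: Optional[str] = None,
) -> List[str]:
    """Return domains whose 'updated' timestamp falls within window_seconds of the seed's.

    window_seconds=0 reproduces the exact-second pivot from the thread. When registrar
    is given, only records from that registrar (case-insensitive) are kept, mirroring
    the "filter by NameCheap" step. The seed itself is excluded from the result.
    """
    records = list(records)
    seed = next((r for r in records if r.domain == seed_domain), None)
    if seed is None:
        raise ValueError(f"seed domain not in record set: {seed_domain}")

    window = timedelta(seconds=window_seconds)
    hits = []
    for rec in records:
        if rec.domain == seed_domain:
            continue
        if registrar is not None and rec.registrar.lower() != registrar.lower():
            continue
        if abs(rec.updated - seed.updated) <= window:
            hits.append(rec.domain)
    return sorted(hits)


if __name__ == "__main__":
    # Exact-second pivot filtered to NameCheap, as described in the thread.
    for d in pivot_on_timestamp(RECORDS, "inditechlab[.]com", 0, "NameCheap"):
        print(d)
```

Matches on a shared update second are a lead, not a verdict: the comment itself notes that sunlotustech[.]com needed further work before it fit the profile, so treat the output as a candidate list to triage against content, hosting and registrant overlap rather than as attribution.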