Full Report
The North Korea-linked threat actor known as Sapphire Sleet is estimated to have stolen more than $10 million worth of cryptocurrency as part of social engineering campaigns orchestrated over a six-month period. These findings come from Microsoft, which said that multiple threat activity clusters with ties to the country have been observed creating fake profiles on LinkedIn, posing as both
Analysis Summary
# North Korean Cryptocurrency Theft via LinkedIn Social Engineering
The North Korea-linked threat actor known as Sapphire Sleet is estimated to have stolen over $10 million in cryptocurrency across a six-month period using sophisticated social engineering campaigns primarily leveraging the LinkedIn platform.
## Key Points
- **Financial Impact:** Over $10 million in cryptocurrency stolen.
- **Reporting Source:** Findings attributed to Microsoft.
- **Campaign Duration:** Orchestrated over a six-month period.
- **Goal:** Generate illicit revenue for the sanction-hit nation.
## Threat Actors
- **Primary Actor:** Sapphire Sleet (active since at least 2020).
- **Attribution Overlaps:** Activity overlaps with the clusters other vendors track as APT38 and BlueNoroff.
- **Motivation:** Financial gain for North Korea.
## TTPs
- **Initial Access Vector:** Creating fake profiles on LinkedIn.
- **Impersonation:** Posing as both recruiters and job seekers.
- **Venture Capitalist Impersonation (Method 1):** Posing as VCs to express interest in a target company, leading to a planned online meeting.
- **Meeting Hook:** The scheduled online meeting is engineered to fail; the error message directs the victim to contact a bogus support contact or room administrator.
- **Malicious Payload Delivery:** Victims who contact "support" are sent a malicious script disguised as a connection fix: an AppleScript (.scpt) for macOS or a VBScript (.vbs) for Windows.
- **Recruiter Impersonation (Method 2):** Posing as recruiters for financial firms (e.g., Goldman Sachs) to trick targets into completing "skills assessments."
- **Assessment Hook:** Targets receive a sign-in account and password for an attacker-controlled website hosting the "assessment."
- **Malicious Payload Delivery:** After signing in, the target is told to download the "skills assessment code"; running it installs the malware.
- **Objective:** Obtain credentials and cryptocurrency wallets for subsequent theft.
## Affected Systems
- **Operating Systems:** macOS (AppleScript .scpt files) and Windows (VBScript .vbs files).
- **Platform Used for Luring:** LinkedIn.
## Mitigations
*The source text describes the threat and its TTPs but does not list Microsoft's recommended mitigations; the items below are inferred from the described TTPs.*
- **Endpoint Detection & Response (EDR):** Alert on, and where possible block, the interpreters that run these payloads (wscript.exe and cscript.exe for .vbs, osascript for .scpt) when the script lives in a user-writable location such as Downloads or Temp, especially when the parent process is a browser, mail client, or file manager (i.e., the user double-clicked a delivered file).
- **Social Engineering Awareness:** Conduct regular training emphasizing caution regarding unsolicited contact on professional networking sites (like LinkedIn) that pushes external "assessments," meeting links, or "connection fix" downloads.
- **File Trust:** Restrict execution of downloaded scripts (.vbs, .scpt) from untrusted sources. Practical checks: re-associate .vbs with a text editor so a double-click opens rather than runs it, and use application control (e.g., AppLocker/WDAC) to block wscript.exe and cscript.exe for standard users; on macOS, note that a double-clicked .scpt opens in Script Editor by default, so look for instructions to run it via osascript.
- **Zero Trust Principles:** Verify the authenticity of individuals and organizations claiming roles (like VC or recruiter) through an independent channel, not via the profile or message that made the approach.
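As an added, illustrative example (not Microsoft's detection logic and not from the original report), the following Python scans endpoint process-creation telemetry for the EDR condition described above: a script interpreter (wscript.exe, cscript.exe, osascript) executing a .vbs or .scpt file from a user-writable drop directory, with severity raised when the parent process implies a human launched it. The pipe-delimited telemetry format, the sample events, host names, user names and file names are all constructed for the example; the .vbe and .applescript extensions are an assumed generalization handled by the same interpreters.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Interpreters (lower-cased basename) that execute the script types used in the campaign.
INTERPRETERS = {"wscript.exe", "cscript.exe", "osascript"}
# Extensions seen in the campaign (.vbs, .scpt); .vbe/.applescript added as an assumption.
SCRIPT_EXTS = (".vbs", ".vbe", ".scpt", ".applescript")
# User-writable locations a delivered file would land in (not an admin script store).
USER_DROP_DIRS = re.compile(r"(?i)[\\/](Downloads|Desktop|Temp|tmp|AppData[\\/]Local[\\/]Temp)[\\/]")
# Parents implying a double-click or "run it from the chat/mail" rather than managed execution.
INTERACTIVE_PARENTS = {"explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                       "teams.exe", "finder", "safari", "google chrome", "mail", "terminal"}


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host: str
    user: str
    parent: str    # parent process image path
    image: str     # created process image path
    cmdline: str   # full command line of the created process


def parse_line(line: str) -> ProcessEvent:
    """Parse the constructed telemetry format: ts|host|user|parent|image|cmdline."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        raise ValueError(f"malformed telemetry line: {line!r}")
    return ProcessEvent(*parts)


def basename(path: str) -> str:
    """Last path component for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def argv_tokens(cmdline: str) -> List[str]:
    """Split a command line, honoring double quotes so paths with spaces survive."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def script_args(cmdline: str) -> List[str]:
    """Arguments that name a script file by extension."""
    return [t for t in argv_tokens(cmdline) if t.lower().endswith(SCRIPT_EXTS)]


def classify(ev: ProcessEvent) -> Optional[dict]:
    """Return a finding when a script interpreter runs a script from a user drop directory."""
    if basename(ev.image).lower() not in INTERPRETERS:
        return None
    dropped = [s for s in script_args(ev.cmdline) if USER_DROP_DIRS.search(s)]
    if not dropped:
        return None  # inline -e scripts or scripts from admin-owned paths are out of scope
    interactive = basename(ev.parent).lower() in INTERACTIVE_PARENTS
    return {
        "ts": ev.ts, "host": ev.host, "user": ev.user,
        "parent": basename(ev.parent), "interpreter": basename(ev.image),
        "script": dropped[0],
        "severity": "high" if interactive else "medium",
        "rule": "user-delivered script executed by interpreter",
    }


def scan(lines) -> List[dict]:
    """Run the rule over telemetry lines, skipping blanks."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = classify(parse_line(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: two "connection fix" launches, one assessment script, two benign events.
SAMPLE_TELEMETRY = """\
2024-11-12T10:03:11Z|WS-041|j.doe|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wscript.exe|"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\j.doe\\Downloads\\VC_Meeting_Fix.vbs"
2024-11-12T10:04:02Z|WS-041|SYSTEM|C:\\Windows\\System32\\gpscript.exe|C:\\Windows\\System32\\cscript.exe|cscript.exe //B C:\\ProgramData\\IT\\logon.vbs
2024-11-12T10:05:40Z|MBP-17|a.lee|/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder|/usr/bin/osascript|osascript /Users/a.lee/Downloads/zoom_fix.scpt
2024-11-12T10:06:15Z|MBP-17|a.lee|/bin/zsh|/usr/bin/osascript|osascript -e 'display dialog "hello"'
2024-11-12T10:07:00Z|WS-042|m.kim|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\cscript.exe|cscript.exe C:\\Users\\m.kim\\AppData\\Local\\Temp\\skills_assessment.vbs
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_TELEMETRY.splitlines()):
        print(f"[{f['severity']}] {f['host']} {f['user']} {f['parent']} -> {f['interpreter']} {f['script']}")
```

The rule deliberately ignores the SYSTEM-run logon script from ProgramData and the inline `osascript -e` command: the signal worth paging on is a script file that arrived in a user-writable directory and was then handed to an interpreter, with the parent process telling you whether a person or a scheduler did it.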
## Conclusion
Sapphire Sleet continues to pair patient social engineering with targeted malware delivery, using both fake recruiter pitches and fake VC interest on LinkedIn to get a script onto the victim's machine. The $10M haul over six months shows how well the approach works. Defenses should prioritize scrutiny of unsolicited downloads, "connection fix" files, and login credentials handed out for third-party assessment sites that originate from professional-networking contacts.
***
*Note: No concrete IoCs (URLs, hashes) were present in the provided context to include in a defanged format.*