CrowdStrike 2024 Threat Hunting Report
2024-08-07 • CrowdStrike
CrowdStrike reports that FAMOUS CHOLLIMA malicious insiders obtained remote IT roles at more than 100 companies, mostly U.S. technology organizations, across sectors including aerospace, defense, retail, and technology. After gaining employee-level access, the insiders performed little of the job's actual work and in some cases attempted to exfiltrate data through Git, SharePoint, and OneDrive. CrowdStrike hunters observed RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop in use, together with company credentials and suspicious source IP ranges. The activity overlapped with the DPRK IT Workers scheme, which U.S. indictments said helped North Korean nationals raise money for the DPRK government and its weapons programs.
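The report's observable pattern (remote-access tooling run under legitimate employee credentials from source IP ranges the company does not expect) is something a hunting team can triage from endpoint process telemetry. The following is an added illustration, not CrowdStrike's code or detection logic: it takes constructed process-creation events, matches them against the tools named above, and escalates any hit whose source address falls outside a constructed set of expected corporate ranges. The process and command-line names used to identify each tool, and the IP ranges, are assumptions for illustration; confirm them against your own telemetry.

```python
import ipaddress
from dataclasses import dataclass

# Tools named in the report. The process names are assumptions for illustration,
# not values taken from the report; validate against your own endpoint data.
# TinyPilot is a hardware KVM and leaves no host process, so it is not listed.
REMOTE_ACCESS_TOOLS = {
    "rustdesk.exe": "RustDesk",
    "anydesk.exe": "AnyDesk",
    "remoting_host.exe": "Google Chrome Remote Desktop",
    "code-tunnel.exe": "VS Code Dev Tunnels",
}

# Constructed: address ranges a hypothetical company expects staff to work from.
EXPECTED_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]


@dataclass
class ProcessEvent:
    user: str
    host: str
    process: str   # image file name as logged by the EDR/Sysmon
    cmdline: str
    src_ip: str    # address of the session that launched the process


def is_expected_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_RANGES)


def identify_tool(ev: ProcessEvent):
    """Return the remote-access tool an event represents, or None."""
    name = ev.process.lower()
    tool = REMOTE_ACCESS_TOOLS.get(name)
    # VS Code can also open a tunnel from the main binary via `code tunnel`.
    if tool is None and name == "code.exe" and "tunnel" in ev.cmdline.lower():
        tool = "VS Code Dev Tunnels"
    return tool


def triage_events(events):
    """Flag remote-access tool launches; escalate when the session source IP
    is outside the expected ranges, mirroring the report's credential + IP signal."""
    findings = []
    for ev in events:
        tool = identify_tool(ev)
        if tool is None:
            continue
        unexpected = not is_expected_ip(ev.src_ip)
        findings.append({
            "user": ev.user,
            "host": ev.host,
            "tool": tool,
            "src_ip": ev.src_ip,
            "severity": "high" if unexpected else "medium",
            "reason": "remote access tool from unexpected source range"
                      if unexpected else "remote access tool observed",
        })
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent("alice", "WS-0412", "rustdesk.exe", "rustdesk.exe --service", "198.51.100.7"),
    ProcessEvent("bob", "WS-0077", "chrome.exe", "chrome.exe --profile-directory=Default", "10.1.2.3"),
    ProcessEvent("carol", "WS-0301", "code.exe", "code tunnel --accept-server-license-terms", "10.5.5.5"),
    ProcessEvent("dave", "WS-0198", "AnyDesk.exe", "AnyDesk.exe --control", "203.0.113.20"),
]


def run_sample():
    return triage_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['user']}@{f['host']} {f['tool']} from {f['src_ip']}: {f['reason']}")
```

In practice the "expected ranges" would come from the identity provider or VPN logs rather than a static list, and a medium finding for a single user becomes much more interesting when the same user also shows the report's other signals (low normal work output, bulk reads from Git, SharePoint, or OneDrive).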