Staying a Step Ahead: Mitigating the DPRK IT Worker Threat
2024-09-23 • Mandiant
https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat
Mandiant describes UNC5267, a DPRK IT worker operation in which North Korean personnel use stolen or fabricated identities to obtain remote jobs, especially in Western technology companies. Facilitators help the workers launder money or cryptocurrency, receive and host company laptops, support employment verification, and maintain access to financial systems. The report links the activity to sanctions evasion and revenue generation for North Korea, and notes that fraudulent workers can gain elevated access to code and network administration even when they initially operate within their job duties. Observed tradecraft includes front companies, mismatched laptop shipping and identity locations, multiple simultaneous jobs, fake resumes, and hosted developer profiles built from stolen professional images.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | reliablesite.net | 2024-09-23 | 2026-02-27 |
| IPv4 | 74.63.233.50 | 2024-09-23 | 2026-01-21 |
| IPv4 | 192.119.10.67 | 2024-09-23 | 2026-01-21 |
| IPv4 | 104.250.148.58 | 2024-09-23 | 2026-01-21 |
| IPv4 | 66.115.157.242 | 2024-09-23 | 2026-01-21 |
| IPv4 | 192.74.247.161 | 2024-09-23 | 2026-01-21 |
| IPv4 | 198.23.148.18 | 2024-09-23 | 2026-01-21 |
| IPv4 | 104.223.97.2 | 2024-09-23 | 2025-12-03 |
| IPv4 | 174.128.251.99 | 2024-09-23 | 2025-04-24 |
| IPv4 | 155.94.255.2 | 2024-09-23 | 2025-04-24 |
| IPv4 | 199.115.99.34 | 2024-09-23 | 2025-04-24 |
| IPv4 | 70.39.103.3 | 2023-07-12 | 2025-04-24 |
| IPv4 | 104.223.98.2 | 2024-09-23 | 2025-02-25 |
| URL | https://daniel-ayala.netlify.app | 2024-09-23 | 2024-09-23 |
| IPv4 | 54.200.217.128 | 2024-09-23 | 2024-09-23 |
| IPv4 | 60.20.1.234 | 2024-09-23 | 2024-09-23 |
| IPv4 | 37.19.199.133 | 2024-09-23 | 2024-09-23 |
| IPv4 | 119.155.190.202 | 2024-09-23 | 2024-09-23 |
| IPv4 | 192.119.11.250 | 2024-09-23 | 2024-09-23 |
| IPv4 | 72.193.13.228 | 2024-09-23 | 2024-09-23 |
| IPv4 | 38.140.49.92 | 2024-09-23 | 2024-09-23 |
| IPv4 | 184.12.141.109 | 2024-09-23 | 2024-09-23 |
| IPv4 | 23.105.155.2 | 2024-09-23 | 2024-09-23 |
| IPv4 | 104.243.33.74 | 2024-09-23 | 2024-09-23 |
| IPv4 | 103.244.174.154 | 2024-09-23 | 2024-09-23 |
| IPv4 | 123.190.56.214 | 2024-09-23 | 2024-09-23 |
| IPv4 | 50.39.182.185 | 2024-09-23 | 2024-09-23 |
| IPv4 | 38.42.94.148 | 2024-09-23 | 2024-09-23 |
| IPv4 | 109.82.113.75 | 2024-09-23 | 2024-09-23 |
| IPv4 | 198.2.228.20 | 2024-09-23 | 2024-09-23 |
| IPv4 | 74.222.20.18 | 2024-09-23 | 2024-09-23 |
| IPv4 | 208.68.173.244 | 2024-09-23 | 2024-09-23 |
| IPv4 | 207.126.89.11 | 2024-09-23 | 2024-09-23 |
| IPv4 | 67.129.13.170 | 2024-09-23 | 2024-09-23 |
| IPv4 | 3.15.4.158 | 2024-09-23 | 2024-09-23 |
| IPv4 | 67.82.9.140 | 2024-09-23 | 2024-09-23 |
| IPv4 | 68.197.75.194 | 2024-09-23 | 2024-09-23 |
| IPv4 | 104.206.40.138 | 2024-09-23 | 2024-09-23 |
| IPv4 | 113.227.237.46 | 2024-09-23 | 2024-09-23 |
| IPv4 | 18.144.99.240 | 2024-09-23 | 2024-09-23 |
| IPv4 | 71.112.196.114 | 2024-09-23 | 2024-09-23 |
| IPv4 | 204.188.232.195 | 2024-09-23 | 2024-09-23 |
| IPv4 | 42.84.228.232 | 2024-09-23 | 2024-09-23 |
| IPv4 | 104.129.55.3 | 2024-09-23 | 2024-09-23 |
| IPv4 | 198.135.49.154 | 2024-09-23 | 2024-09-23 |
| IPv4 | 5.244.93.199 | 2024-09-23 | 2024-09-23 |
| IPv4 | 37.19.221.228 | 2024-09-23 | 2024-09-23 |
| IPv4 | 37.43.225.43 | 2024-09-23 | 2024-09-23 |
| IPv4 | 71.112.196.115 | 2024-09-23 | 2024-09-23 |
| IPv4 | 51.39.228.134 | 2024-09-23 | 2024-09-23 |
| IPv4 | 98.179.96.75 | 2024-09-23 | 2024-09-23 |
| IPv4 | 23.237.32.34 | 2023-02-02 | 2024-09-23 |