The Microsoft Threat Intelligence Podcast 11.20.24
Ep 32 | 11.20.24

Between Two Gregs: An Update on the North Korean Threat Landscape

Transcript

Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence Podcast". I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. Hello, and welcome to the "Microsoft Threat Intelligence Podcast". I am Sherrod DeGrippo. And I am joined by, quite frankly, two of my favorite people. I have with me today Greg Lesnewich, Senior Threat Researcher at Proofpoint, and another Greg, Greg Schloemer, Senior Threat Intelligence Analyst at Microsoft. The Gregs, everyone, the DPRK Gregs. The DPRK Gregs are here. Thanks for joining me.

Greg Schloemer: Thanks for having us. Good to be back.

Sherrod DeGrippo: It's so exciting because DPRK, in my opinion, is the weirdest of our nation-sponsored major players, and tends to be really surprising. So Greg, Lesnewich, you and I worked together at Proofpoint. I think I was your grand boss, or your boss or something?

Greg Lesnewich: At one point you were my boss's boss's boss.

Sherrod DeGrippo: God, that's a lot of management layers; yes, too much. But you worked on DPRK when I was there as well, so --

Greg Lesnewich: Mm-hmm.

Sherrod DeGrippo: -- how many years has it been?

Greg Lesnewich: It'll be three dedicated to the DPRK sort of dedicated tracking effort, especially like in sort of native telemetry, but it was high on my list in my previous job prior to coming to Proofpoint. So I would say like four to five years. And some key players in the community that sort of all track North Korea, including Greg Schloemer, were very helpful in me sort of getting up to speed with not only what was current but what was sort of past lineages of different groups and how they used to blend together then separated and then have since maybe are blending back together, which is a terrifying thought.

Sherrod DeGrippo: You know, there's a lot of upward mobility in North Korean espionage roles it seems like. You could change teams, you could change contracts. Greg Schloemer, how long have you been doing DPRK?

Greg Schloemer: This will be a little over three years for me. I joined the team in 2020, did China for a year, and then yes, been doing DPRK ever since, and similarly, lots of DPRK industry GOATs who have helped me learn all the amazing history. I don't know if we can shout out individuals, but I kind of want to shout someone out.

Sherrod DeGrippo: Yes, we can.

Greg Schloemer: Okay, Dan Gordon.

Sherrod DeGrippo: Dan Gordon.

Greg Schloemer: Dan Gordon is the ghost.

Greg Lesnewich: Yes.

Greg Schloemer: He knows all things DPRK history. I think we both learned a ton from him.

Sherrod DeGrippo: Dan Gordon's published quite a bit on DPRK specifically. He's got some papers, and he's on "Risky Biz" I think as well a couple of times?

Greg Lesnewich: He's definitely published via "Risky Biz". There are some others that work with Greg Schloemer currently that I don't know if we want to use their names, but they are also amazing and GOATed and godlike. So shout out to them as well.

Sherrod DeGrippo: So they know who they are; you know who you are, DPRK --

Greg Lesnewich: Yes.

Sherrod DeGrippo: -- stars.

Greg Schloemer: For sure.

Greg Lesnewich: Yes.

Sherrod DeGrippo: Do you all know each other? Do all the DPRK --

Greg Lesnewich: Definitely, yes. [Laughter]

Greg Schloemer: There's not that many of us, right; like you could put us all in a pretty small room, so yes, we're all buds.

Sherrod DeGrippo: And you just hang out and talk North Korea stuff, or just whatever it takes?

Greg Lesnewich: Whatever it takes. We ask a lot of the same questions the public does like, "What the hell is this group doing; why are they doing it," typically with like only a smidge more insight than the average person might have. But it's the access to the collective brain trust and sort of trust among the folks that chase down the Chollimas or the Sleets, or whatever you want to call them, that I think makes us small but mighty as a small, little community.

Sherrod DeGrippo: So let me ask you that, then, you've both tracked other nation-sponsored groups from other countries. What sets North Korea apart, Schloemer, like what makes it different; because they're different.

Greg Schloemer: Oh, yes, they're absolutely different. I think -- there are a lot of things I could probably talk for an hour just on this question. But like the biggest one for me is their scrappiness. Like I think when you talk about the other three of the big four like in many ways you expect them to behave like in APT, and like there's a routine amount of like, "Oh, you know, that's a surprising level of sophistication." Whereas, the DPRK it's not that they aren't sophisticated, but I think there are a lot of things that they do that at first glance you're like, "Why is a state-sponsored actor spending their time doing this?" But it works, right, and at the end of the day they are able to achieve their objectives. As a researcher in this space it kind of challenges us to like think outside the box a little bit, and like --

Sherrod DeGrippo: Mm-hmm.

Greg Schloemer: -- not dismiss -- just because they're scrappy doesn't mean they're effective.

Sherrod DeGrippo: Okay. Lesnewich, do you have any thoughts on why DPRK is so different?

Greg Lesnewich: I think that they just go to where they can get the most like bang for their buck, so to speak. And some of that is just I think in the nature of the entities and people that they target. You know, folks in like the crypto spaces, targeting like their enterprise accounts isn't necessarily going to get you to big wallets or big paydays. So -- and their enterprise security might be locked down, so you go to, you know, social media to try and leverage them and get access to maybe their personal computer as a hot point, or you know, same thing with targeting like security researchers that are, you know, looking -- if you can't build the exploits yourselves, target someone who is and gain access to them that way. And they sort of like throw out a lot of like the inherited rules of engagement that I see other APTs kind of following, which is target the enterprise accounts. There's a definitive difference between information that a person might have, like as an employee of an uninteresting target versus what is actually like siloed and behind, you know, seven VPNs and seven firewalls and stuff, but behind all the enterprise security controls like blueprints for how to produce like a missile or something; versus especially in the crypto space I think that you want access to the person to get your payday, not necessarily just to the enterprise.

Sherrod DeGrippo: And that's something I talk about quite a bit is like the difference between owning a personal identity and owning someone's enterprise identity, and how different that really is; and I think it's interesting that we see such a strange nation-sponsored threat against personal identity with North Korea, whereas I feel like in crime the crime actors generally are not super into individuals. They are looking to get large enterprise, either through ransomware, or info stealers, or just the access that most employees have as an employee, it's much more valuable to the crime actors; versus it sounds like North Korean actors like personal identities that have crypto available.

Greg Lesnewich: Right. And I think, you know, on that subject of crypto specifically, like it also speaks to how determined they are to pursue like the revenue generation goals, because they have groups kind of focusing on like both sides of the spectrum when it comes to crypto. Like Sapphire is much more of that, "Let me target individual traders, and like their personal wallets, and their personal crypto platform accounts," whereas Jade Sleet is the group that's pulling off like multi-hundred million dollar heists straight out of the exchange. I think it really speaks to like how well equipped they are, and the fact that they are able to take these diverse approaches all sort of in pursuit of the same end goal.

Sherrod DeGrippo: And so I think it's interesting too, we recently released the Microsoft Digital Defense Report which has some really deep stats. If you're like a statistics, and data, and numbers nerd, you would definitely want to check out the MDDR. It's aka.ms/mddr. North Korea sponsored activity, 54% of it was going towards North America. And I think, you know, there tends to be this idea that North Korea goes after South Korea. But really from the data that we have, North Korea goes after North Americans. And it's likely because of I think some of this crypto desperation that they seem to have. Because we have tracked -- I don't know what the total is, but I know that we saw like three billion in a single threat actor in terms of how much crypto they've stolen. And you know, a lot of people kind of might say, "Well, big deal, you know, they are stealing cryptocurrency but they're using that to finance a regime that's buying satellites, doing ballistic missile testing, interfering in potentially Russia and Ukraine," all these different things that really are a giant impact to the geopolitical situation globally. So I think that North Korea on kind of that threat actor hierarchy I think we are definitely in a time where you can no longer count them as a sort of also-ran. They are definitely up in that -- like they've earned their spot, you know, like they're here.

Greg Lesnewich: Yes, I would agree with that. And I think one of the things that's interesting -- Sherrod, I know that you have like sort of the e-crime space in particular. One thing that's sort of interesting that I see as different from them and e-crime, which is also sort of what sets them apart from the rest of the espionage players, is you sort of get the sense if you look at their operations holistically that they are doing just enough to -- you know, maybe getting attributed doesn't really matter to them, but they are doing just enough in terms of volume to be productive to their overlords, but not to get necessarily noticed the way that ransomware operators do by international law enforcement. I sort of hypothesized that they are more scared of their handlers and the regime doing something awful to them and their families much more than they are of international law enforcement coming and knocking down their door. They are only sort of trying to avoid getting shut down on the revenue-generating scheme so they don't get yelled at by their bosses and their families don't have something awful happen to them because of lack of productivity. So it's a really interesting dynamic where I think that some of the e-crime space is so industrialized that there can be a brazenness with some of the groups --

Sherrod DeGrippo: Yes.

Greg Lesnewich: -- and others are just sort of like trying to keep the wheels on; versus North Korea sort of everything from their innovation, whether it's the macOS ecosystem or compromising things like a network or blockchain level, all the way down to some of the silly things that we see them do, all sort of come out of that, the need to satisfy the over-watch and people that are guiding their operations, much more than necessarily that information or avoiding detection is.

Sherrod DeGrippo: So that's something I think I would like to hear a little bit more about is this handler situation. So that's something with -- for those who have been living under a rock, the North Korean IT workers are infiltrating Western businesses, getting jobs, faking resumes. It is an entire process and industry for them. But they have handlers that, you know, to my understanding, the regime has them under watch. They're sort of, you know, tracked and made sure that they don't defect or have sympathetic feelings towards America or the West. What do we know about that? That's something that I just find so obviously strange.

Greg Lesnewich: Yes, I think what is terrifying and fascinating about the IT worker sort of clusters and sort of overall activity is, A, we have no idea of the scope. Every day we are sort of discovering new edges and new personas and accounts of people that are applying to these jobs. I don't think a day goes by that we don't see something about a facilitator, you know, someone that they pay in the US to --

Sherrod DeGrippo: Yes.

Greg Lesnewich: -- use their driver's licenses.

Sherrod DeGrippo: Laptop farms and --

Greg Lesnewich: Mm-hmm.

Sherrod DeGrippo: -- like outsourcing servers to sit on like home networks and stuff like that.

Greg Lesnewich: Yes. And it's sort of this really broad effort from -- call it the lower end of North Korean talent pool of, "Okay, well we can't make money within our own economy, so guess we're just going to do it in everybody else's because everybody else is so remote-friendly." And I think it's sort of an interesting dynamic for someone that like, you know, if you are the average North Korean student, you study computer science and math, and you're okay and you know that the guy who is getting -- you know, acing all the courses is probably going to go on to be like in the espionage or in the sort of like APT space, gets to go live abroad and get to go sort of do these operations that aren't that glamorous, but you know, they get to come back and reap the rewards of being good members of the party. And I think that the IT worker stuff opens an avenue for people to do that and say, "Hey, like, you're okay, like, you can write CSS and PHP," or whatever, "Okay, you can now go abroad and go live somewhere. It's not going to be nice. It's not going to be pretty, but you can now go do normal sort of IT work at its most benign normal IT work you can get access to these companies just as a remote worker." And we've seen stuff as benign as, "This is just a remote worker and the only issue with them is that paying them is technically breaking, you know, OFAC sanctions." And in some cases, there's no other nefariousness like --

Sherrod DeGrippo: They're not exfiling data, they're not stealing cryptocurrency out of the business. They're not like what -- like traditionally thought of insider threat. They are just --

Greg Lesnewich: Exactly.

Sherrod DeGrippo: -- making a salary.

Greg Lesnewich: Yes. One of the challenges, though, that I think Greg can talk too much about it and I is the other end of the spectrum. And what we don't know in a lot of regards is how deep the other end of that spectrum goes. You know, our partners at Secureworks put out a blog a couple weeks ago -- or maybe a week ago about the North Korean IT worker threat. And an industry friend saw your tweet that you put out as a community and said, "Make sure you tell them that we are seeing -- it's from a trusted source at a trusted company who has been cleared to share this information with me, that they're actually seeing a rise in extortion operations since that blog has come out and sort of this additional escalation." So there's some of it that has been benign previously, it's sort of been simmering under the surface for a long time. And now these IT workers will get in. If they get accused of being part of the regime or if even they just get fired for not being a good worker, now that can come along with extortion of, "I have your data. You'd better pay me. Otherwise I'm going to, you know, blast it out to the whole internet." And I think there's sort of the myriad issues with someone working for North Korea having access to your network, and if that is a sensitive network, then it stands to reason that there is a chance that exfiltration of sensitive data might happen or backdoors getting put into services or code. I have no proof of either of those things in particular. I think that it would be silly to discount it just because we haven't seen it so far.

Sherrod DeGrippo: Yes, I completely agree. I mean, the risk is a hundred percent there. Anytime you have an employee that's hiding something about their employment status, introduces liability; right, like who they are, just that part, but obviously the piece that you're talking about with paying a sanctioned worker who at any moment is much more beholden to their regime than they are to you as an employer. We see that in a lot of the big four countries and others where those employees are in jeopardy in terms of the potential for that government to come say, "Hey, you work at this Western company; we want to see what you have." The thing I always say is that yes, sure, somebody could, you know, put a warrant on my door and say like, "Give me all your data." But it's like I'm calling the ACLU, I'm calling Microsoft lawyers. I'm like, "I have a safety net. I have a backup system that these other countries or employees in these other countries just don't have." So something I found really interesting talking about some of this and researching some of this is that North Korea has really bad OPSEC, and sometimes they will be coming from seven VPNs and then their VPNs will drop and it will just be North Korean IP source.

Greg Schloemer: Yes, that definitely happens. OPSEC, even in some of the APT groups, is not stellar. But especially when it comes to the IT worker operations, generally, OPSEC is really bad. You know, you mentioned the VPN dropping. We also see things like the same persona information shared at multiple employers, the same name, the same resume, the same picture used for multiple identities. And so with even just a little bit of collaboration among industry partners, it's super easy to sniff that stuff out. I think the really concerning thing for me when it comes to IT worker operations and just thinking about how to disrupt that -- Greg Lesnewich talked a little bit about this ecosystem and sort of the scope that supports and enables this. And it's massive. There truly is an entire like criminal ecosystem supporting DPRK IT workers. And it's continually expanding. I learn something new, whether it be a new tactic, a new country harboring IT workers, I learn something new about this ecosystem almost daily. And so when we think about, you know, how does an individual employer, or security company, or even a group of security companies across industry, like how do we do something about this, the problem is because we don't fully understand the ecosystem and because it is so large, you know, if we impact one area of it, ultimately they're just going to burn that and move on to something that's harder to see. And it's such a unique challenge because it's this mix of -- you know, it's like halfway an HR problem and validating background information, identity documents, et cetera, and it's half a cyber problem, because they're using VPNs and they're using like very distinguishable tradecraft to get into and to maintain access to enterprise environments. But when there are so many players involved, like what is the thing that we can impact that's going to be the most disruptive, and then once we disrupt that, like how do you stay on top of it? I think that's been a huge challenge as we have tried to navigate the IT worker problem and just staying on top of how it's evolved in a relatively short timeframe.

Sherrod DeGrippo: So in terms of the North Korean IT worker situation, it sounds to me like it's essentially really Agile fraud kind of? [Laughs]

Greg Lesnewich: That's a great way to describe it.

Greg Schloemer: Yes, it really is.

Sherrod DeGrippo: There is that shadow of like crime time that you can kind of pick up from that, you know, like defrauding an employer by, you know, having the same resume, presenting yourself as having skills that you don't really have, getting on a payroll, not doing work, getting fired, stuff like that. So what do we say to employers? This isn't a traditional security problem where we're like, "Run your updates. Do MFA. Make sure employees aren't doing social engineering, becoming victims to that." What can companies do just, really deep, thorough background check vetting there?

Greg Schloemer: Yes, I think that certainly helps. And I think even like as a precursor to that, we as the security community can do a better job with like education of this threat. There's been a lot of great publications in the last few months and that's gone a long way. I know we've gotten at Microsoft far more customer inquiries into the IT crypto threat in probably the last six to eight weeks than we have in the last two years. So that tells me the blogs are working, and that's an excellent first step. But I still think there's a lot of like confusion and lack of understanding of what exactly this is and like what risks am I posed? So I think even before we can start trying to fix the problem, we need to make more people aware that it exists, and we need to make sure people like really understand it's not just that you've hired someone who isn't who they say they are, it's also that this ecosystem is tightly connected with APT operators whose objectives are espionage and revenue generation. So it's more than just, you know, fire the fraudulent employee and move on. You have to understand like what other risks might have been posed to you and to your organization and respond accordingly.

Greg Lesnewich: I think sort of doubling down on that, especially with some of these bigger entities where who knows how a contractor gets hired versus a normal employee versus like a temp worker and stuff like that, I think that especially like when this first started coming out, it got boiled down to, "Well, just why aren't you doing background checks?" You think that like we as the security professionals are the ones that decide if that happens or not --

Sherrod DeGrippo: Mm-hmm.

Greg Lesnewich: -- and I think there's an added layer to that that Greg sort of touched on with the ecosystem part and shared that you -- dubbing it very Agile fraud. You know, the conmen on the street are always going to be the ones that have the latest and greatest sort of ideas of how to evade getting found. It's not necessarily a strategic problem, it's like a day-to-day what is going on to make that happen. And I think one of the challenges is that they often are very good at plugging into ecosystems that already exist in that sort of fraud space or like even calling it "fraud" like side hustle stuff of --

Sherrod DeGrippo: Yes, yes.

Greg Lesnewich: -- "Oh, I will just host your laptops for you because I have nothing else to do."

Sherrod DeGrippo: And it's $150 a month with no -- like, yes, it's like this weird ecosystem supply chain of doing things that is almost like money mule stuff or drug mule type stuff where, "I'm not really involved in that. I don't know what's in the package. I just hand it off and I get paid." That kind of seems to be part of the infrastructure foundation for a lot of this.

Greg Lesnewich: Yes, it's challenging to think about it because a lot of times I'm like the money mules, these people are self-advertising and they're putting it on places that, you know, like Fiverr or, you know, other sort of job hosting places where they're not offering themselves up for employment but the, "Hey, I will host your laptop in this place as a service because I need the money." And it's not they're getting scammed or threatened to be a part of it or part of some conspiracy, it is the most sane and safe version of it is, "This guy wants to live two states away with their family and I can just host their laptop here. And I'm not really doing anything illegal, I'm just facilitating that to happen." And so if you go look through these services with any sort of analytical eye, you can see a lot of things that will be the best hiring practices, whether that is like completely fraudulent identities, which we're talking about a nation-state here that has like spoofed and successfully counterfeited US currency so they are able to sort of at the highest levels get fraudulent documents that can pass inspection. Then you sort of roll that into, "Okay, well there are people on there that are offering to take urine tests for people as, you know, a fake employer or a fake employee." So it sort of just gets layered, and layered, and layered to say, "Okay, well if this is what's getting offered, you know, is this the extent of what's happening?" We're not really sure. And so I think that just telling, to Greg Schloemer's point, of letting people know that this exists because there are probably going to be internal investigations that happen at companies that we will never know about that will find stuff that we never would have seen because they knew to be looking for it. And it's sort of one of those challenging things where it -- sometimes it feels like you had another threat or you had another TTP to be aware of. But I think to Greg S's point about very distinguishable once they are on network, I think that is unfortunately like a, "If you know, you know," thing, then that becomes easier to spot. And as that sort of information matriculates among bigger industry providers and vendors in the space I think will sort of force their hand into having to evolve to the next iteration of how they're accessing these companies. And hopefully that means that they can't access at least a subset of them because of costs and controls that we put in their way.

Sherrod DeGrippo: I think that's important. We don't talk about this enough. I mean, I've read a lot of news reports, but they don't go into the detail, I think, that I've been able to get from talking to actual DPRK analysts, like both within Microsoft and at other organizations. I'm not as plugged into the suite exclusive star chamber of DPRK analyst community that's out there, but I do know a few. That said, I did put out a post on Twitter asking people for questions for The Gregs. And so everyone should follow me on Twitter -- my handle is sherrod_iam, because I source a lot of the podcast questions from Twitter. I'm a little lazy. But also, you guys are wild. So we've answered quite a few of these already. But one of the ones I thought was interesting was like think about the Sleet actors or the Chollima actors, or whatever you want to call them, how do their relay hosting patterns differ from other threat actors? Are there geographies or infrastructures they prefer? One thing I have learned about DPRK is they are fine to use a Mac. They seem really comfortable with Mac malware and getting, you know, like remote access to Mac. But what else do we need to know in terms of like where are they hosting stuff?

Greg Schloemer: Yes, from my perspective -- Greg L may have a unique take on this as well, but from my perspective it's pretty all over the place. I think if I had to pull like a common thread, it would be pick up infrastructure provider that accepts crypto as payment. And like they're pretty much onboard there. So as far as like a particular geo or like specific providers, I don't think I really have an overall trend. When you drill down into specific clusters, we certainly see that, you know, Jade Sleet prefers a certain set of providers when compared to Emerald Sleet. But across the board, it's pretty all over the place.

Sherrod DeGrippo: That was a great question from Jonathan Ryder. Thanks for sending that one in. Let's see what else we've got. Oh, okay, here's a good one from Steve Fradel [assumed spelling], "Where are the North Korean threat actor -- " where are the individuals in those Sleet groups, in those Chollima groups, whatever you want to call them, "where are they getting their training to be able to do essentially cyber espionage? Are they learning that in schools in DPRK? Are they traveling to China, to other countries? How are they getting these skills?"

Greg Schloemer: Lesnewich, do you want to take the first stab at this one?

Sherrod DeGrippo: Do you know --

Greg Schloemer: I have a hot opinion -- a spicy opinion on this question, so I'll --

Sherrod DeGrippo: Oh, I love the spice.

Greg Schloemer: -- save my thoughts.

Sherrod DeGrippo: I want a spicy opinion.

Greg Lesnewich: Yes. So I think that a lot of that is shrouded in mystery, unfortunately. And we've sort of heard tell of like the hacker hotel in China, and oh Russia and North Korea have a cyber agreement of some sort that involves training or whatever. I think that there is this early period, like Jurassic period -- maybe we can call it the "Lazarus period", where everything was sort of similar. And a lot of this North Korean activity -- like Sony Pictures through maybe the Bangladesh Bank heist was all sort of similar. They all might have gotten trained from like the same sort of people, especially sort of the RGB actors. I think we can discount Pearl Sleet and APT 37 from that and say, "Okay, you know, these operators obviously run this tradecraft from somewhere." I see them now as sort of in their like golden age of training each other and that the folks from like the Bangladesh Bank Heist, Park Jin Hyok and, you know, all the folks that have indictments out about them, I sort of see them as being like what the OSS is to a lot of like American intelligence historians of like, "This is when things were awesome. They could just do whatever they wanted," and they did it on the fly. And I sort of see that generation of operator as potentially the ones maybe not like managing the whole thing, but sort of overseeing where individual crews and clusters are operating to say, "No, we should do things this way. Oh, we -- " you know, "we have money now, we should think about developing our own exploits. We should sort of dictate the tradecrafts, and the tooling, and the tactics based on our amazing experience of kind of winging this and, you know, taking down banks and taking down Sony Pictures," and all those sorts of things. 
So I sort of see it as very much in-house, but also in the way that I think a lot of us get trained and learn, which is just kind of spending time on the internet, seeing other threat reports and how other people are operating, and if not taking direct copy and paste of that, at least getting inspired to borrow and use some of those tactics. I think especially with the prevalence of browser-based, zero-days that they have popped up with in the last year, I think that, you know, those aren't necessarily things that we're seeing from, you know, dedicated other actors all the time. And I think that that is something that they are starting to say, "Oh, okay, well we have, you know, these well-educated people in the math and sort of sciences. The numbers just sort of dictate that there's probably someone in there that can find and develop exploits." So I think that that's just what they're doing now. And I think that that is sort of the reflection of they're aren't getting trained from anywhere else because otherwise we would see, you know, potentially some of those exploits or sort of exploit styles or even tooling styles coming out of other places. But to your point earlier about using Mac malware, they're like the forbearer and sort of in the lead compared to a lot of these other entities on the sort of tooling that they have available to them to facilitate, you know, not just compromising an individual user, but like a network-level compromise that, you know, they have like things that could facilitate like the reverse peer-to-peer proxy stuff that we used to see in the snake root kit that they now can do on a Mac sort of Apple environment. And that's not a knock on Apple, it is just if that's where the crypto is then that's where they're going to sort of develop their tooling. 
And I think that that all sort of like feels very like self-contained in that way of they are training themselves and each other and learning on the fly, rather than, "Okay, we're shipping off to Chinese PLA cyber camp for two weeks, and then we're going to come back with tons of team tactics." And it just sort of -- and I think both based on the data but also like the bigger trends -- and if you want to call them "vibes" of, "It doesn't feel like somebody else is training them and they're borrowing tactics." I think if they were, we would see a lot more of these relayer ORB networks that are sort of stood up to do all those other things. And they just aren't doing that, so I think that it just is this self-contained ecosystem of training and learning.

Sherrod DeGrippo: That makes sense to me. But Greg Schloemer, is that your spicy take too, or --

Greg Schloemer: Yes, maybe it isn't all that spicy, actually, [laughter] because I almost entirely agree with what Greg Lesnewich said. And also, he gave a much more nuanced answer than I had prepared in my brain, so I'm glad that I let him go first. But I get this question a lot. And I think it's a good question, but I think it also often comes from a place of like being dismissive of North Korean capabilities and thinking like, "Oh, there's no way they learned to do all this stuff themselves," right? And again, we have to acknowledge that has all completely failed and like we will likely never have true insight into how DPRK cyber operators are trained and upskilled. But I'm sure at some point in the lineage of DPRK cyber, there was some sort of exchange of knowledge and tradecraft with an external entity. But the reality is they've been doing this for a long time with a lot of success. And just as Greg L. said, I think especially over the last maybe five years, there's a pretty clear indication that they are evolving from past operations. We look at Moonstone Sleet, for example, and a lot of what they are doing today is sort of an evolution of what Diamond Sleet did two years ago. And we kind of hypothesize that there was likely -- you know, maybe someone moved over, like one of the original operators in Diamond Sleet got retasked to start up this new team or unit, and that's what we see as Moonstone Sleet. But also, just looking at like crypto theft, no one in the world does that as well as North Korea. So like where would they go to learn that? They are the experts. So yes, overall, my opinion is very much that it's all in-house, at least today, and maybe at some point in the past, there was some outsourcing of knowledge.

Greg Lesnewich: I have a similar take that I hypothesize that folks from Diamond, Citrine, and Jade sort of regularly roll over into each other, either based on tooling needs or tasking. I'm not really like 100% sure on that, but I think that they sort of took all that they learned from particularly like the Bangladesh Bank heist and moved forward with like these new kind of super groups that pop up doing crypto when they need to, and then other espionage-y things when that is sort of what's being asked of them. And I think that agility is sort of just kind of rare, and I think speaks to the fact that that is something just innate and ingrained in these teams rather than, "No, well, we need to go after credentials because that's what we were told to do," versus I don't think you get the level of innovation in sort of like holistic intrusion attempts without it sort of being a self-contained entity. And I think just the last point on this I think is COVID really threw a wrench in a lot of our understandings, both from like -- you know, we're adjusting on our side, too. You know, the data isn't changing all that much, but we're adjusting to working from home to these people in North Korea that are operating in and out of it. There was potentially a big rotation that either didn't happen and they felt stranded out where they were, and maybe that led to some of the innovation that we saw. And then when the borders opened back up, a bunch of these teams seemed to have gotten flush with, you know, ripe talent and sort of a new vim and vigor for the operations that might have felt stale a couple months previous. And I think that like we can't really discount that. And I actually think that that's where a lot of the exploit development talent got developed is in that sort of lull period of, "Okay, well, we're getting trained in North Korea. We really can't travel. 
Maybe there's someone from these old sort of like the golden era of intrusion teams that can learn these young bucks up." And this is all just sort of me like spit-balling and hypothesizing, but I sort of see these exploit developer people as wizards that need to be contained in a darkroom and just handed caffeine and food, and they will come out the other side with like this magical understanding after months of hard work. And I think that that COVID time was probably a great time for that to happen because it was so restrictive that, you know, you don't just show up with get kernel access and escaping the Chromium sandbox like by accident. That's not baby's first 0Day. We've been in the game for a while and now we are able to like use these things, and this could be the coming-out party rather than like, "Oh -- " like, "Oh, that's cute." You know, we don't say that about their exploits the way we used to say about their malware or their operations fiber ten years ago.

Sherrod DeGrippo: Mm-hmm.

Greg Lesnewich: It went from, "Oh, that's cute," to, "These exploits are now, oh, shit, they can do that?"

Sherrod DeGrippo: Yes.

Greg Lesnewich: Can I curse on here? I just did; sorry.

Sherrod DeGrippo: Yes, we can bleep it out.

Greg Lesnewich: Oh. [Laughs] Perfect.

Sherrod DeGrippo: It kind of makes me think like that old PSA that was like, "Who taught you how to do this stuff?" And the kid's like, "It's you, Dad, I learned it from watching you." But the dad is Lazarus, [laughter] which I would like to take this moment to clarify that not all DPRK-aligned threat actors are Lazarus. It's way more nuanced than that.

Greg Lesnewich: I would almost say that none of them are Lazarus.

Sherrod DeGrippo: None of them are Lazarus.

Greg Lesnewich: I agree.

Sherrod DeGrippo: We see a lot of reporting that's just like, "It's Lazarus." And it's like, "Well, that's not a catch-all. That doesn't just mean North Korea." But I want to talk really quickly about one more question from Twitter. And this question comes from Greg Lesnewich. And it says, "Sherrod, who is your favorite sleet at the moment and why; same question to The Gregs." So my favorite sleet actor -- it used to be Jade Sleet, but now it's Citrine Sleet as of August because of what you mentioned with Citrine Sleet having not just a Chromium zero-day, but this ability to chain vulnerabilities together to do some pretty impressive exploit stuff. I talked about this with Tom Gallagher, our MSRC VP on LinkedIn. I really found that impressive. We don't see rootkits, exploit kits, chaining vulnerabilities. These things are things that we just really haven't seen on the landscape from any threat actor in years. And so for Citrine Sleet to drop this August of this year, I think everyone was taken aback. Greg Schloemer, I worked on this with you, so you basically ran this one. What did you think of it?

Greg Schloemer: Yes. We were definitely left scratching our heads in the Citrine case sort of figuring out where that came from.

Sherrod DeGrippo: Right. And there are theories. There are lots of theories of like how did they get these phones? How did they get these exploits? Like so how can you get them? You can buy them on the black market.

Greg Schloemer: You can buy them. You could steal them --

Sherrod DeGrippo: Buy, steal.

Greg Schloemer: -- from an exploit developer, or you can --

Sherrod DeGrippo: DIY.

Greg Schloemer: -- [inaudible 00:36:52] them out yourself.

Sherrod DeGrippo: Yes.

Greg Schloemer: Yes. That one surprised us. I'm not sure to this day that I have a very solid answer to the question of how they got it. I will say, going back to the point that like maybe Citrine, and Diamond, and Moonstone are, you know, sharing capabilities or resources, knowledge, whatever. You know, Diamond has done some pretty extensive targeting of security researchers in the past. We put out at least one blog on that, several others in the industry have talked about it publicly as well. But it's -- you know, it's not unreasonable to think if there is sharing of capabilities between those groups. We know that Diamond has a demonstrated capability to steal from researchers, so that is definitely a plausible explanation.

Sherrod DeGrippo: Mm-hmm. So all the exploit developers for research purposes, all of the bug bounty hunters, check and make sure that you are not owned, please.

Greg Schloemer: Please.

Sherrod DeGrippo: Lesnewich, I'm going to come to you last. Greg Schloemer, who is your favorite sleet actor right now, and why?

Greg Schloemer: Yes, I think my favorite is your past favorite, Sherrod, big fan of Jade; the reason being they're just so crazy effective. Like all the collective brainpower of the smartest DPRK researchers and crypto trackers together, like we can't stop them, really. It's upwards of three billion dollars in crypto theft over the last few years. Their malware is pretty well understood and is well reported on, and yet they still keep stealing crypto. And so I'm amazed by their elusiveness and their ability to get the job done; frustrated but impressed.

Sherrod DeGrippo: Jade Sleet, can't stop, won't stop stealing crypto.

Greg Lesnewich: And they terrify me a little bit from the sense of we know that they kind of rotate in and out of crypto based on previous Microsoft reporting. And one thing that sort of terrifies me is we all sort of -- especially in like the North Korean tracking space acknowledge them as like the heavyweight, that they are like you bring them in if somebody else can't get the job done or, "Hey, this is a strategic priority. This is the A team." I think what's terrifying about that is that if the like A minus and B plus players have 0Day, is Jade Sleet sitting on them? Do they not -- " and this is sort of just asking up a question like, "Do they not need them because of the nature of their operations? Do they have them -- " I think they were exploiting a vulnerability in like a PDF parser in some of their activity that Microsoft and Positive Technologies touched on in their reporting. So it's not beyond the realm of possibility. But I think that Citrine and Jade are my two options for favorites. So I will round out the crypto groups and I will say Sapphire, because Sapphire has been so dedicated to the bit of using the same style emailers forever and just throwing every type of like first-stage macOS infection chain they could throw at someone. And I think that they, for better or for worse, have kind of led the way for like the info stealer rise that we see in the Mac landscape today where they were using these Apple scriptlet files, they were using compiled Mac payloads, and sort of everything in between to try and like learn on the fly and figure out how to infect a target and steal information. And you know, I think we were tracking something of like 18 or 19 different, you know, loader families alone, not even to include like sort of the main -- the flagship backdoors. And so yes, I think Sapphire just sort of that dedication. And they are also another actor that we understand can rotate between sort of espionage and revenue generation stuff. 
So I think that we've named the big three successfully. My visibility bias in the email space is just -- has me loving Sapphire because I see them more than I see the other two. But I hope to see the other two and also not let our customers be affected by them.

Sherrod DeGrippo: So one final question from Twitter. This comes from Alexis Deray [phonetic], and it is, "How many Gregs does it take to track all of the DPRK cyber shenanigans?" How many Gregs? I have two here, but how many do we really need?

Greg Lesnewich: At least two.

Sherrod DeGrippo: At least two; a nonzero number that is at least two.

Greg Lesnewich: Yes, if you count all of our sort of friends in the space and you call all of them Gregs, I think that --

Sherrod DeGrippo: Yes.

Greg Lesnewich: -- that number is close to a couple dozen. I don't know if the DPRK tracking community wants to be known collectively as "The Gregs", but that would do wonders for me and Greg Schloemer's self-esteem.

Sherrod DeGrippo: As far as I'm concerned, the threat intelligence community that tracks DPRK threat actors is now known as "The Gregs".

Greg Schloemer: It's a thing now. We made it a thing. Sorry, everyone.

Sherrod DeGrippo: It's a thing now.

Greg Lesnewich: It should've been "the Daniel Gordons at ValidHorizons", but it's become "The Gregs". [Laughter]

Sherrod DeGrippo: Well, and I want to encourage everyone also listening to follow DPRK CERT. They have a lot of important posts that you'll want to check out on Twitter, the DPRK CERT. Thanks for joining me.

Greg Schloemer: When are you having us back?

Greg Lesnewich: Thank you for having us. [Laughs]

Sherrod DeGrippo: I mean, let's do it every week. Yes, I love a DPRK update. Like I would say other than crime, I like North Korea the best. It's just so interesting to hear about, and Citrine Sleet obviously chaining all that stuff together was a fascinating attack chain that I don't think we've seen in so long. And it's like, "Oh, there's a lot of, you know, innovation and creativity that we haven't seen in a landscape in a long time." So Greg Lesnewich --

Greg Lesnewich: You could spend a whole episode even just sussing out the differences between Diamond, Citrine --

Sherrod DeGrippo: I know.

Greg Lesnewich: -- and Moonstone.

Sherrod DeGrippo: I know.

Greg Lesnewich: You could probably do like a North Korean actor of the week and how that differentiates from other North Korean actors like every day for a whole season like fall or spring.

Greg Schloemer: You totally could.

Sherrod DeGrippo: We should do an actor of the week from like all the countries, and then just have whichever team come on and tell me this is why they're best. Maybe we could have them battle it out like APT Actor Fantasy Football. Greg Lesnewich, Greg Schloemer, thank you so much for joining me. I am Sherrod DeGrippo, and this is the "Microsoft Threat Intelligence Podcast". Thanks for listening. See you next time. Thanks for listening to the "Microsoft Threat Intelligence Podcast". We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape, arming you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app.