
Microsoft says North Korea is using AI-powered fake IT workers to scale up scams

  • Mar 7

Key Findings


  • North Korean threat groups are using artificial intelligence (AI) tools to accelerate and expand the country's long-running scheme to get remote technical workers hired at global companies.

  • AI services are empowering North Korean operatives across the attack lifecycle, turning AI into a "force multiplier" for their efforts.

  • Threat groups are using AI to shorten the time it takes to create digital personas for specific job markets and roles, leveraging financial opportunities or interview-themed lures to gain initial access.

  • Jasper Sleet is using generative AI tools to research job postings and identify in-demand skills or experience requirements to align fake personas with targeted roles.

  • North Korean threat groups are significantly improving the scale and sophistication of their social engineering and initial access operations with AI-driven media creation for impersonations and real-time voice modulation.

  • Jasper Sleet is using the AI application Faceswap to insert North Korean IT workers' faces into stolen identity documents, reusing the same AI-generated photo across multiple personas.

  • North Korean remote IT workers are using AI tools to craft professional responses, answer technical questions, or generate snippets of code to meet performance expectations in unfamiliar environments.

  • North Korean threat groups are using AI to refine previously observed post-compromise activities, reducing the time and expertise required for decision-making, privilege escalation, and data exfiltration.

  • A transition to agentic AI is underway, which could enable more advanced and damaging threat activity, though Microsoft has not yet observed large-scale use of such systems by threat actors.


Background


Microsoft Threat Intelligence has identified a trio of North Korean threat groups - Coral Sleet, Sapphire Sleet, and Jasper Sleet - that are leveraging AI to enhance their long-running scheme of getting remote technical workers hired at global companies. This operation is a key part of North Korea's broader efforts to generate revenue and gather intelligence through the exploitation of overseas networks and resources.


Accelerating Digital Personas with AI


The North Korean threat groups are using AI services to shorten the time it takes to create digital personas for specific job markets and roles. They frequently leverage financial opportunities or interview-themed lures to gain initial access, with Jasper Sleet using generative AI tools to research job postings and identify in-demand skills or experience requirements to align fake personas with targeted roles.


Enhancing Social Engineering and Initial Access


North Korean threat groups are significantly improving the scale and sophistication of their social engineering and initial access operations with AI-driven media creation for impersonations and real-time voice modulation. They have used AI services to generate lures that mimic internal communications in multiple languages with native fluency, and Jasper Sleet is using the AI application Faceswap to insert North Korean IT workers' faces into stolen identity documents.
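The key finding above notes that the same AI-generated face photo is reused across several fake personas. A hiring or identity-verification team can turn that habit into a detection signal by hashing the photo submitted with each application and flagging near-duplicates across otherwise unrelated applicants. The following is an added example, not code from Microsoft or the original post: it implements a 64-bit average hash over an 8x8 grayscale grid and compares applicant records by Hamming distance. The applicant names, the pixel grids and the distance threshold of 5 bits are all constructed assumptions; a real deployment would decode the actual document photo into the grid.

```python
"""Flag applicant records whose ID photo looks reused across personas (added example)."""
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed stand-in for a decoded, downscaled photo: 8x8 grayscale values 0-255.
Image = List[List[int]]


def average_hash(img: Image) -> int:
    """64-bit average hash: bit i is 1 where pixel i is at or above the image mean."""
    pixels = [p for row in img for p in row]
    mean = sum(pixels) / len(pixels)
    bits = 0
    for p in pixels:
        bits = (bits << 1) | (1 if p >= mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def find_reused_photos(records: Dict[str, Image],
                       max_distance: int = 5) -> List[Tuple[str, str, int]]:
    """Return (applicant_a, applicant_b, distance) for every pair whose photo
    hashes are within max_distance bits, i.e. likely the same source image."""
    hashes = {name: average_hash(img) for name, img in records.items()}
    hits = []
    for a, b in combinations(sorted(hashes), 2):
        d = hamming(hashes[a], hashes[b])
        if d <= max_distance:
            hits.append((a, b, d))
    return hits


def _gradient(offset: int) -> Image:
    """Constructed photo: brightness rises left to right, shifted by offset."""
    return [[min(255, x * 32 + offset) for x in range(8)] for _ in range(8)]


# Constructed sample records (hypothetical applicants):
#  - applicant_B is applicant_A's photo, slightly brightened and with one
#    pixel altered, mimicking a re-encoded or lightly edited copy.
#  - applicant_C is an unrelated photo.
_photo_b = _gradient(3)
_photo_b[0][0] = 200
SAMPLE_RECORDS: Dict[str, Image] = {
    "applicant_A": _gradient(0),
    "applicant_B": _photo_b,
    "applicant_C": [[220] * 8] * 4 + [[20] * 8] * 4,
}

if __name__ == "__main__":
    for a, b, d in find_reused_photos(SAMPLE_RECORDS):
        print(f"possible reused photo: {a} vs {b} (distance {d} bits)")
```

Average hashing is deliberately simple so that small re-encodings, brightness shifts or single-pixel edits still match, while a genuinely different face lands far away; on the constructed sample the edited copy is 1 bit from the original and the unrelated photo is 32 bits away. The threshold is a tuning choice: too high and legitimate applicants with similar backgrounds collide, too low and a lightly edited reuse slips through.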


Sustaining Long-Term Employment with AI


North Korean remote IT workers are leaning on AI-enabled communications to evade detection and sustain long-term employment, using AI tools to craft professional responses, answer technical questions, or generate snippets of code to meet performance expectations in unfamiliar environments.


Refining Post-Compromise Activities with AI


North Korean threat groups are using AI to refine previously observed post-compromise activities, reducing the time and expertise required for decision-making, privilege escalation, and data exfiltration, and minimizing the risk of detection by analyzing security controls.


Transition to Agentic AI


Microsoft warned that a transition to agentic AI is underway, which could enable more advanced and damaging threat activity, though the researchers have not yet observed large-scale use of such systems by threat actors due to ongoing reliability and operational constraints.


Sources


  • https://cyberscoop.com/microsoft-north-korea-ai-operations/

  • https://x.com/shah_sheikh/status/2030000783979397530

  • https://x.com/shah_sheikh/status/2030000728639467744

  • https://www.facebook.com/themestimes/posts/microsoft-says-north-korea-is-using-fake-it-workers-powered-by-ai-tools-to-secre/971136842481471/

© 2025 by Explain IT Again. Powered and secured by Wix