North Korean group infiltrated 100-plus companies with imposter IT pros: CrowdStrike report
- by nlqip
CSO caught up with Adam Meyers, CrowdStrike’s SVP of counter adversary operations, whose team produced the report, for an exclusive interview on the report’s findings. (Questions regarding the “Channel File 291 incident” were directed to CrowdStrike’s Remediation and Guidance Hub, where the company is providing continuous information and updates, including an FAQ.)
Famous Chollima’s shocking insider threats
Of seven case studies presented in the report, the most daring is that of a group CrowdStrike calls Famous Chollima, an alleged DPRK-nexus group. Starting with a single incident in April 2024, CrowdStrike discovered that a group of North Koreans, posing as American workers, had been hired for multiple remote IT worker jobs in early 2023 at more than thirty US-based companies, including aerospace, defense, retail, and technology organizations.
CrowdStrike’s threat hunters discovered that after obtaining employee-level access to victim networks, the phony workers performed just well enough to keep their jobs while attempting to exfiltrate data using Git, SharePoint, and OneDrive and installing remote monitoring and management (RMM) tools such as RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop.
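The RMM tools named above are a concrete hunting lead for defenders. The following is an added example, not code from the report or from CrowdStrike, that scans constructed endpoint process-start telemetry for the listed tools and reports unapproved hits per host; the process-name patterns and the `host|user|image|command_line` record format are assumptions chosen for illustration.

```python
"""Hunt for unapproved RMM tooling in constructed process-start telemetry."""
import re
from collections import defaultdict

# RMM tools named in the report. The process-name patterns are assumptions for
# illustration; real binary names vary by version and packaging.
RMM_SIGNATURES = {
    "RustDesk": re.compile(r"rustdesk", re.I),
    "AnyDesk": re.compile(r"anydesk", re.I),
    "TinyPilot": re.compile(r"tinypilot", re.I),
    "VS Code Dev Tunnels": re.compile(r"\bcode(\.exe)?\b.*\btunnel\b", re.I),
    "Chrome Remote Desktop": re.compile(r"remoting_host|chromeremotedesktophost", re.I),
}

# Constructed sample telemetry (not real data): "host|user|image|command_line".
SAMPLE_EVENTS = """\
ws-0142|jdoe|C:\\Users\\jdoe\\AppData\\Local\\rustdesk\\rustdesk.exe|rustdesk.exe --service
ws-0142|jdoe|C:\\Program Files\\Microsoft VS Code\\Code.exe|Code.exe tunnel --accept-server-license-terms
ws-0077|asmith|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
ws-0077|asmith|C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe|AnyDesk.exe --install
ws-0310|svc-help|C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\remoting_host.exe|remoting_host.exe
"""

def parse_event(line):
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}

def classify(event, approved=frozenset()):
    """Return the RMM tool an event matches, or None; tools in `approved` are skipped."""
    haystack = f"{event['image']} {event['cmdline']}"
    for name, pattern in RMM_SIGNATURES.items():
        if name not in approved and pattern.search(haystack):
            return name
    return None

def hunt(raw_events, approved=frozenset()):
    """Map host -> sorted (user, tool) findings for unapproved RMM activity."""
    findings = defaultdict(set)
    for line in raw_events.strip().splitlines():
        event = parse_event(line)
        tool = classify(event, approved)
        if tool:
            findings[event["host"]].add((event["user"], tool))
    return {host: sorted(hits) for host, hits in findings.items()}

if __name__ == "__main__":
    # Treat the help-desk's sanctioned tool as approved so only anomalies surface.
    for host, hits in hunt(SAMPLE_EVENTS, approved={"Chrome Remote Desktop"}).items():
        print(host, hits)
```

Feed it real process-creation events (EDR telemetry or Sysmon Event ID 1) and maintain the approved set from your asset inventory; a hit from a user outside the team that owns the tool is the signal worth an analyst's time.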