Cybersecurity firm Silent Push has confirmed that North Korean IT workers are actively using Astrill VPN to hide their real IP addresses while seeking jobs with international companies. This revelation highlights ongoing efforts by North Korean cyber actors to evade detection and carry out malicious online activities.
The use of Astrill VPN by these individuals was first reported by Google’s Mandiant in September 2024. Silent Push’s latest findings reinforce concerns about North Korea’s cyber operations and their ability to infiltrate global networks.
Tracking North Korean Cyber Activity
Silent Push has been monitoring North Korean hacking groups for years, particularly the infamous Lazarus Group and its subgroups, including Contagious Interview (also known as Famous Chollima).
Through extensive log analysis, researchers discovered that Astrill VPN (astrill.com) is frequently used by these groups as their preferred method for disguising their locations. The repeated use of this service suggests a standardized approach to operational security among North Korean hackers.
Connection to the ByBit Cryptocurrency Heist
The investigation gained traction after researchers uncovered a domain (the bybitassessment website) registered just before the $1.4 billion ByBit cryptocurrency heist. This domain was linked to an email address previously associated with North Korean hacking operations.
Silent Push used this discovery to obtain key infrastructure components, including administrative and victim logs, which further confirmed the widespread use of Astrill VPN among North Korean cybercriminals.
Real-Time Threat Intelligence
To help organizations detect potential threats, Silent Push has created a Bulk Data Feed that tracks all known Astrill VPN IP addresses in real time. This tool provides valuable intelligence for companies looking to protect their networks from cyber threats originating from North Korea or other malicious actors.
Technical Findings: Identified IP Addresses
During their investigation, Silent Push identified 27 Astrill VPN IP addresses linked to test records created by North Korean cyber groups. Among these addresses, some have been repeatedly associated with hacking operations, including:
- 104.223.97.2
- 91.239.130.102
- 103.130.145.210
- 104.129.22.2
- 113.20.30.139
- 134.195.197.175
- 167.88.61.250
These IP addresses, along with others spread across different network ranges, serve as key indicators for organizations to monitor for potential cyber threats.
Security Recommendations
While not all traffic from Astrill VPN is linked to malicious activity, cybersecurity experts advise businesses to implement additional security measures when encountering connections from these IP ranges. This is especially important when working with IT contractors or freelancers, as North Korean cyber operatives have been known to disguise themselves as remote workers to infiltrate companies.
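As an added illustration of the monitoring the recommendation above describes (this is not Silent Push's code or feed), the script below checks a log's source addresses against the seven indicators quoted in the article and lists the accounts seen from them for follow-up. The key=value log lines and user names are constructed for the example; indicators may be given as single addresses or CIDR ranges.

```python
import ipaddress
import re
from collections import namedtuple

# Indicators quoted in the article (Astrill VPN exit addresses reported by Silent Push).
# CIDR strings are accepted too, because the article refers to "IP ranges"; none are
# given on the page, so only the seven single addresses are seeded here.
ASTRILL_INDICATORS = [
    "104.223.97.2", "91.239.130.102", "103.130.145.210",
    "104.129.22.2", "113.20.30.139", "134.195.197.175", "167.88.61.250",
]

# Constructed sample lines in a generic key=value auth-log shape; not real log data.
SAMPLE_LOG = """\
2025-03-01T09:12:41Z user=contractor.jlee src=104.223.97.2 action=login result=success
2025-03-01T09:13:02Z user=alice src=10.0.0.14 action=login result=success
2025-03-01T09:15:55Z user=contractor.jlee src=167.88.61.250 action=vpn_connect result=success
2025-03-01T09:20:10Z user=bob src=not-an-ip action=login result=failure
2025-03-01T09:21:30Z user=carol src=203.0.113.7 action=login result=success
"""

Match = namedtuple("Match", "line user src indicator")
_SRC_RE = re.compile(r"\bsrc=(\S+)")
_USER_RE = re.compile(r"\buser=(\S+)")

def find_matches(log_text, indicators=ASTRILL_INDICATORS):
    """Return one Match per log line whose src address falls inside any indicator."""
    # Normalise every indicator to a network so /32 hosts and CIDR ranges match alike.
    nets = [ipaddress.ip_network(i, strict=False) for i in indicators]
    matches = []
    for line in log_text.splitlines():
        src_m = _SRC_RE.search(line)
        if not src_m:
            continue
        try:
            addr = ipaddress.ip_address(src_m.group(1))
        except ValueError:
            continue  # malformed source field: skip rather than crash on bad log data
        for net in nets:
            if addr in net:
                user_m = _USER_RE.search(line)
                matches.append(Match(line, user_m.group(1) if user_m else None, str(addr), str(net)))
                break
    return matches

def users_to_review(matches):
    """Accounts seen from an indicator address: a trigger for extra verification, not proof."""
    return sorted({m.user for m in matches if m.user})
```

A hit only means the session came through a known Astrill exit; as the article notes, that is a reason to apply extra identity checks on the account, not evidence of wrongdoing on its own.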
By staying vigilant and leveraging intelligence from firms like Silent Push, organizations can better protect themselves against cyber threats linked to North Korea and other state-sponsored actors.