Israeli cybersecurity firm uncovers, thwarts North Korean cyberattack in 2024, firm reveals

A North Korean IT worker, posing as a legitimate employee at a Western company, was discovered to have orchestrated the cyberattack. 

 State flags of Russia and North Korea fly in a street near a monument to Soviet state founder Vladimir Lenin during the visit of North Korea's leader Kim Jong Un to Vladivostok, Russia April 25, 2019. (photo credit: Yuri Maltsev/REUTERS)

An Israeli cybersecurity firm uncovered a highly sophisticated North Korean cyberattack in mid-2024, the firm, Sygnia, announced in a statement on Wednesday.

A North Korean IT worker, posing as a legitimate employee at a Western company, was discovered to have orchestrated the cyberattack.

The investigation began after the FBI recovered a client-issued laptop during a raid on a suspected “laptop farm” – a service that enables foreign workers to impersonate US citizens and obtain remote roles in Western companies.

Sygnia said that the attacker operated from within the company and used standard tools like Zoom alongside basic network protocols; the attacker avoided detection for an extended period and had full access to the company’s internal systems through the corporate VPN and a company-issued laptop.

Sygnia’s forensics team discovered that the laptop was used to establish a multi-layered covert control channel, allowing attackers to move laterally, run malicious code, and extract sensitive data – all under the guise of legitimate remote work activity.

 Shoham Simon, VP of Cyber Incident Response at Sygnia (credit: GUY LAHAV)

The attacker didn’t break in; rather, they were let in, Sygnia said in its report and analysis of the event. The report continued, “The attacker had full access to the company’s internal systems through the corporate VPN and a company-issued laptop.”

Sygnia's senior vice president's statement

Shoham Simon, senior vice president of cyber services at Sygnia, noted that “This is an extraordinary example of how sometimes the threat doesn’t come from outside the organization but from within.”

He continued, saying, “The attacker didn’t exploit a code vulnerability, but a trust vulnerability. The attack’s success was based on the intelligent use of legitimate tools and protocols that are usually overlooked by conventional detection systems.”

Simon emphasized that the incident underscores the importance of expanding threat detection models beyond code analysis to include network protocol anomalies, misuse of legitimate tools, and seemingly routine behavior that may hide malicious activity.
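To make the detection point concrete, here is an added example of the kind of telemetry check Simon describes, written for this page and not taken from Sygnia's report or tooling. It runs two heuristics over a handful of constructed endpoint connection records: a legitimate collaboration tool (by process name) talking to a destination outside the vendor domains it is expected to use, and a long-lived, upload-heavy session on a standard web port. The record format, the `EXPECTED_DESTS` allowlist, the thresholds and the sample hosts and hostnames are all assumptions invented for illustration; a real deployment would source the allowlist from the vendor's published endpoints and tune the thresholds to the environment's baseline.

```python
"""Toy detection pass over constructed endpoint network telemetry.

Added example, not code from the article or from Sygnia. The record
layout, allowlist, thresholds and sample data below are all assumptions.
"""
from dataclasses import dataclass


@dataclass
class Conn:
    host: str       # endpoint that opened the connection
    process: str    # originating process name (as reported by the sensor)
    dest: str       # destination hostname (assumed resolved by the sensor)
    port: int
    bytes_out: int
    bytes_in: int
    seconds: int    # connection duration


# Assumed allowlist: domains a legitimate tool is expected to talk to.
EXPECTED_DESTS = {
    "zoom.exe": ("zoom.us",),
    "teams.exe": ("teams.microsoft.com", "microsoft.com"),
}

LONG_SESSION_S = 6 * 3600   # assumed: sessions beyond six hours are unusual here
UPLOAD_RATIO = 5.0          # assumed: outbound/inbound bytes ratio worth a look


def _matches(dest: str, suffixes) -> bool:
    """True when dest is one of the suffix domains or a subdomain of one."""
    return any(dest == s or dest.endswith("." + s) for s in suffixes)


def tool_misuse(conns):
    """Legitimate collaboration tool connecting somewhere it is not expected to."""
    findings = []
    for c in conns:
        suffixes = EXPECTED_DESTS.get(c.process.lower())
        if suffixes and not _matches(c.dest, suffixes):
            findings.append((c.host, c.process, c.dest))
    return findings


def protocol_anomalies(conns):
    """Long-lived, upload-heavy sessions on 80/443 that do not look like ordinary client use."""
    findings = []
    for c in conns:
        if c.port not in (80, 443) or c.seconds < LONG_SESSION_S or c.bytes_in == 0:
            continue
        if c.bytes_out / c.bytes_in >= UPLOAD_RATIO:
            findings.append((c.host, c.process, c.dest, c.bytes_out))
    return findings


def run_checks(conns):
    """Bundle both heuristics so a triage script can consume one result."""
    return {
        "tool_misuse": tool_misuse(conns),
        "protocol_anomalies": protocol_anomalies(conns),
    }


# Constructed sample telemetry; hostnames and byte counts are invented.
SAMPLE = [
    Conn("lap-017", "zoom.exe", "us01web.zoom.us", 443, 120_000, 900_000, 3600),
    Conn("lap-017", "zoom.exe", "relay.example.net", 443, 40_000_000, 2_000_000, 28800),
    Conn("lap-017", "chrome.exe", "cdn.example.com", 443, 50_000, 30_000_000, 600),
    Conn("lap-042", "teams.exe", "teams.microsoft.com", 443, 200_000, 800_000, 1800),
]


if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE).items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

In the sample, only the second record trips both checks: the process name is a trusted tool, yet the destination is outside the vendor's domains and the session is long and dominated by outbound traffic. Neither signal is proof of compromise on its own, which is the point of Simon's remark: the individual events look like routine remote work, and it is the combination of protocol-level oddities with legitimate-tool context that gives an analyst something to pull on.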