Wide World of Cyber: How state adversaries attack security vendors
May 9, 2025
Steve Stone, SVP of Threat Discovery and Response at SentinelOne, and Alex Stamos, CISO at SentinelOne, dive into the alarming tactics used by state adversaries against security vendors. They reveal how North Korea employs deceptive job applications to infiltrate, and explore the evolution of ransomware attacks that adapt to new security measures. The discussion covers the vulnerabilities in endpoint protection and cloud authentication, emphasizing the critical need for collaboration in combating these sophisticated cyber threats.
SentinelOne's engagement with North Korean job applicants revealed valuable intelligence on the social engineering tactics employed by foreign cyber adversaries.
Ransomware operators increasingly target Endpoint Detection and Response systems, emphasizing the necessity for robust Identity and Access Management practices to prevent administrative access breaches.
The underground economy enabling cybercriminals to bypass KYC checks underscores the importance of vetting customers to mitigate risks associated with seemingly legitimate transactions.
Deep dives
Targeting and Engaging North Korean Applicants
SentinelOne's investigation into job applications revealed that North Korean entities were submitting numerous resumes to the company, attempting to get hired as cybersecurity researchers. Instead of discarding these applications, the team chose to engage them, stringing the applicants along for about five months, during which they identified nearly 370 unique personas and over a thousand applications. This tactic allowed SentinelOne to collect valuable intelligence on the tactics, techniques, and procedures (TTPs) used by North Korean cyber actors, highlighting their long-standing practice of using social engineering to recruit insiders in various organizations. Ultimately, this strategic engagement demonstrated a proactive approach to understanding and mitigating threats from foreign adversaries.
Ransomware Tactics and EDR Console Exploitation
Ransomware operators have evolved their strategies to specifically target Endpoint Detection and Response (EDR) systems, often aiming to gain administrative access to the EDR console so they can disable protection before executing their attacks. This practice has become increasingly common, as attackers realize that disabling EDR capabilities allows them to operate undetected while deploying ransomware. The podcast highlights the significance of robust Identity and Access Management (IAM) practices, particularly where the EDR console is tied to single sign-on, since a compromised SSO identity can then carry administrative rights into the console. Therefore, organizations need to prioritize proper configuration and administrative separation to mitigate these risks.
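As an added illustration of the precursor described above (not code from the podcast or from SentinelOne's products), this detector scans a constructed EDR console audit log for an account that weakens protection across many endpoints in a short burst, and separately lists protection-weakening actions taken through a general SSO session rather than a dedicated MFA-backed admin identity. The log format, action names and auth labels are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Console actions that weaken or remove endpoint protection (hypothetical names).
TAMPER_ACTIONS = {"disable_agent", "uninstall_agent", "add_exclusion",
                  "disable_tamper_protection"}

# Constructed sample audit log: "timestamp|actor|auth|action|endpoint".
SAMPLE_LOG = """\
2025-05-01T02:00:05|j.doe|sso|view_dashboard|-
2025-05-01T02:01:10|j.doe|sso|disable_tamper_protection|ws-001
2025-05-01T02:01:12|j.doe|sso|disable_tamper_protection|ws-002
2025-05-01T02:01:15|j.doe|sso|disable_agent|ws-003
2025-05-01T02:01:20|j.doe|sso|disable_agent|ws-004
2025-05-01T02:01:25|j.doe|sso|uninstall_agent|srv-db-01
2025-05-01T09:15:00|edr-admin-1|mfa_admin|add_exclusion|ws-010
2025-05-01T14:30:00|a.smith|sso|add_exclusion|ws-020
"""

def parse_log(text):
    """Parse the pipe-delimited audit log into event dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        ts, actor, auth, action, endpoint = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "auth": auth, "action": action, "endpoint": endpoint})
    return events

def mass_disable(events, window=timedelta(minutes=10), threshold=5):
    """Actors who weaken protection on >= threshold distinct endpoints within one
    sliding window: the 'switch EDR off, then deploy' burst. Returns {actor: hosts}."""
    per_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] in TAMPER_ACTIONS:
            per_actor[e["actor"]].append(e)
    flagged = {}
    for actor, evs in per_actor.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward past old events
            hosts = {e["endpoint"] for e in evs[start:end + 1]}
            if len(hosts) >= threshold:
                flagged[actor] = len(hosts)
                break
    return flagged

def non_separated_admin_actions(events, admin_auth="mfa_admin"):
    """Protection-weakening actions taken without a dedicated MFA-backed admin
    identity, i.e. the administrative-separation gap the episode warns about."""
    return [(e["actor"], e["action"]) for e in events
            if e["action"] in TAMPER_ACTIONS and e["auth"] != admin_auth]
```

Running `mass_disable(parse_log(SAMPLE_LOG))` flags only `j.doe`, whose five tamper actions on five hosts fall inside fifteen seconds, while the single exclusion added by the dedicated admin account is not reported by either check.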
Underground Economy for EDR Testing
The podcast discusses the emergence of an underground economy that allows cybercriminals to bypass Know Your Customer (KYC) checks and acquire licenses for EDR products, enabling them to test their malware against various security measures. This industry thrives on shadow companies that provide a façade to obtain trial access to security technologies and run their malware for testing purposes. By understanding how these tests are conducted, the cybersecurity community can better prepare defenses and enhance detection capabilities. Furthermore, the research emphasizes the importance of rigorously vetting customers and being vigilant about potential threats posed by seemingly legitimate transactions.
The Pervasiveness of Chinese Cyber Espionage
Chinese APT groups have demonstrated a systematic and persistent approach to cyber espionage, often targeting organizations associated with useful technologies or intelligence. The podcast reveals how one particular group was able to compromise a client organization and subsequently attempt to access SentinelOne's resources directly. Through detailed analyses, it became evident that Chinese cyber actors often exhibit high levels of organization and persistence, making them formidable adversaries. The discussion underscores the need for enhanced awareness and adaptive defenses against state-sponsored cyber activities that leverage human intelligence and sophisticated tactics.
Challenges in Modern Cybersecurity Architecture
The conversation highlights significant challenges in the current cybersecurity landscape, particularly regarding the integration of diverse technology stacks and the evolving tactics employed by adversaries. There is a growing consensus that traditional detection and response methods may not adequately address contemporary threats, particularly given the complex interplay of different systems and identity management practices. This means organizations must seek to decouple data instrumentation from detection to achieve holistic visibility and understanding of threats across multiple environments. Ultimately, improving context and collaboration between security components will be vital in staying ahead of increasingly sophisticated cyber threats.
In this edition of the Wide World of Cyber podcast, Patrick Gray talks to SentinelOne’s Steve Stone and Alex Stamos about how foreign adversaries are targeting security vendors, including them.
From North Korean IT workers to Chinese supply chain attacks, SentinelOne and its competitors are constantly fending off sophisticated hacking campaigns.
This edition of the Wide World of Cyber was recorded in front of a live audience in San Francisco, with Patrick attending via Zoom.
The Wide World of Cyber podcast series is a wholly sponsored co-production between SentinelOne and Risky Business Media.