North Korean moves in IT human resources: SentinelOne’s defence against fake applicants

May 3, 2025

In an unprecedented move, cybersecurity provider SentinelOne uncovered a broad campaign in early 2025 that used around 360 fake applicant profiles and more than 1,000 manipulated job applications to infiltrate sensitive positions in the intelligence sector. The attack is believed to have been carried out by North Korean IT workers who sought to gain access to corporate networks through fake remote workstations.

The attackers’ targets

Security service providers such as SentinelOne are at a critical interface: they have valuable expertise, manage central protection mechanisms and are themselves the target of a wide variety of threat actors. A successful breach of such a company not only compromises a single environment, but can also provide insight into the defence strategies of hundreds of customers and millions of endpoints. This particular appeal makes SentinelOne and similar providers prime targets for sophisticated attack plans.

Scale and persistence of the campaign

The recently discovered campaign is considered one of the most extensive that SentinelOne has tracked in recent years. The attackers continuously refined their methods: instead of simple phishing emails or mass job applications, they used stolen identities. With fictitious CVs, professional-looking LinkedIn profiles and fake qualifications, the applicants pursued their goal of securing sensitive roles within the company. Positions in the field of threat intelligence were particularly targeted, as they offer in-depth insight into detection mechanisms and defence strategies.

Camouflage and professionalisation

The tactics employed by North Korean IT workers go far beyond typical insider threats. The attackers used specially created personas that looked deceptively similar to real IT professionals and meticulously adapted their choice of words, communication patterns and technical jargon. During telephone interviews and video calls, they imitated typical working rhythms and even extended their identities across social media channels to appear as international cyber professionals with strong technical expertise.

Proactive countermeasures by SentinelOne

Instead of simply rejecting the manipulated applications, SentinelOne opted for an active investigation strategy. In close coordination between the security and recruiting teams, proprietary workflows were implemented to identify suspicious contacts at the earliest stage and engage them in controlled conversations. This provided valuable insight into the recruitment channels, tools and internal structures of the perpetrator group, while also preventing accounts that had slipped past screening from entering the company network.

Advanced threat: access to security tools

Another trend observed by SentinelOne is the growing interest of attackers in security solutions themselves. Access credentials for detection and management platforms are traded on the black market or sold by compromised insiders for large sums of money. Attackers use these credentials to test their malware directly against the protection mechanisms in order to reduce detection rates or circumvent specific security controls.

Operation ‘PurpleHaze’ and supply chain risks

At the same time, a suspected Chinese APT group launched a complex campaign called ‘PurpleHaze’. The hackers gained insight into parts of SentinelOne’s infrastructure and that of its customers via an external hardware logistics service provider. Although no direct damage to the core systems was detected, the incident once again highlighted the vulnerability of global supply chains: an attack on the weakest partner can become a springboard for larger operations.

Threat intelligence as an integral component

The lesson from these incidents is clear: cyber threat intelligence must no longer be an isolated function within the company, but must be embedded in all areas – from human resources to sales to technical infrastructure. Only through the consistent integration of threat intelligence into all processes can manipulative recruitment attempts be detected at an early stage and infrastructural weaknesses be consistently closed.

Outlook

The strategies of state-sponsored hacker groups to use fake personas and approach security providers directly are likely to increase. To counter this, stricter controls during recruitment, automated screening mechanisms and regular training for HR teams are essential. At the same time, measures such as zero-trust architectures and sophisticated access controls are becoming increasingly important. This is the only way to prevent external attackers from gaining access to the most sensitive areas of a company via supposed employees.
