Um not really? They claim that they detected it because of the high ping, that’s a network infra and speed of light limitation. All a proxy would have done was make the ping worse.
They tracked down the corporate issued laptop to Arizona where it was allegedly being remotely controlled. From there the article doesn’t say how they identified it as North Korean, maybe it was coming from a North Korean IP or maybe it wasn’t but they already have a group setup to find North Korean remote workers so that’s what they decided it was.
Amazon’s success can be almost entirely credited to the fact that it is actively looking for DPRK impostors, warns its Chief Security Officer. “If we hadn’t been looking for the DPRK workers,”
Whoever it was, was already busted when it was tracked to Arizona so again a proxy wouldn’t have avoided detection
All a proxy would have done was make the ping worse.
They can’t know what the ping between Korea and the US proxy is if all they see is the US proxy. What they get is just the data from that server to Amazon.
Had they been using a proxy instead of remotely controlling the laptop directly, only the proxy would have been found. Amazon would have hit an investigative wall without a police warrant to demand that information from the server owners (which could be set up independently too), they would not have this for a private investigation.
Thinking about it more this story smells. They’re clearly not being truthful about some part. If it was a remote controlled laptop from Arizona the time between a keystroke on the laptop and Amazon receiving it should be normal.
If the remote controlled laptop part is true that would be because Amazon only allows company issued devices to access the VPN (and then access internal resources) which lines up with my experience. To get around that and not have to use the corp laptop they would have to crack whatever secure endpoint attestation Amazon is using to connect to the VPN. Then they’d have to reverse engineer and spoof all the spyware (that’s doing shit like apparently precisely tracking every keystroke). Because without the spyware checking in reporting normal they’d probably detect it even faster. After that’s done you’re right they’d obviously want to use a proxy but again that doesn’t seem at all why they were caught and getting to the point of being able to just directly connect to Amazon’s VPN through a proxy would be a heavy lift requiring a very sophisticated attacker.
The corporate laptop is probably very locked down and I bet Amazon actually caught this from the remote control software being detected by some local security scanner that wasn’t properly circumvented.
I suspect what they did here was recover the laptop and capture the collaborator while managing to ensure that the remote worker who was logging into that laptop was unaware of its capture.
Then at that point they could then measure the ping between the laptop and the DPRK worker in order to find the location of the person logging into it.
There’s still information missing about how they would have caught the collaborator though.
Um not really? They claim that they detected it because of the high ping, that’s a network infra and speed of light limitation. All a proxy would have done was make the ping worse.
They tracked down the corporate issued laptop to Arizona where it was allegedly being remotely controlled. From there the article doesn’t say how they identified it as North Korean, maybe it was coming from a North Korean IP or maybe it wasn’t but they already have a group setup to find North Korean remote workers so that’s what they decided it was.
Whoever it was, was already busted when it was tracked to Arizona so again a proxy wouldn’t have avoided detection
They can’t know what the ping between Korea and the US proxy is if all they see is the US proxy. What they get is just the data from that server to Amazon.
Had they been using a proxy instead of remotely controlling the laptop directly, only the proxy would have been found. Amazon would have hit an investigative wall without a police warrant to demand that information from the server owners (which could be set up independently too), they would not have this for a private investigation.
Thinking about it more this story smells. They’re clearly not being truthful about some part. If it was a remote controlled laptop from Arizona the time between a keystroke on the laptop and Amazon receiving it should be normal.
If the remote controlled laptop part is true that would be because Amazon only allows company issued devices to access the VPN (and then access internal resources) which lines up with my experience. To get around that and not have to use the corp laptop they would have to crack whatever secure endpoint attestation Amazon is using to connect to the VPN. Then they’d have to reverse engineer and spoof all the spyware (that’s doing shit like apparently precisely tracking every keystroke). Because without the spyware checking in reporting normal they’d probably detect it even faster. After that’s done you’re right they’d obviously want to use a proxy but again that doesn’t seem at all why they were caught and getting to the point of being able to just directly connect to Amazon’s VPN through a proxy would be a heavy lift requiring a very sophisticated attacker.
The corporate laptop is probably very locked down and I bet Amazon actually caught this from the remote control software being detected by some local security scanner that wasn’t properly circumvented.
I suspect what they did here was recover the laptop and capture the collaborator while managing to ensure that the remote worker who was logging into that laptop was unaware of its capture.
Then at that point they could then measure the ping between the laptop and the DPRK worker in order to find the location of the person logging into it.
There’s still information missing about how they would have caught the collaborator though.