Threat Actors and Security Vendors: A Complex Web of Interests


The Shadowy World of Adversaries Targeting Security Vendors

The recent attacks on SentinelOne, a leading cybersecurity company, have highlighted the vulnerability of security vendors to complex and sophisticated threats. These attacks not only demonstrate the evolving tactics, techniques, and procedures (TTPs) of financially motivated criminals but also the increasing involvement of nation-state actors in insider threats.

Inside the World of Insider Threats

One of the most notable examples of this is the case of DPRK-affiliated IT workers attempting to secure remote employment within Western tech companies, including SentinelOne. These actors have been refining their process, leveraging stolen or fabricated personas, and adapting their outreach tactics to mirror legitimate job seekers in increasingly convincing ways.

  • 360 fake personas and over 1,000 job applications linked to DPRK IT worker operations applying for roles at SentinelOne
  • These attackers are honing their craft beyond the job application and recruitment process
  • They are developing a network of front companies to enable further laundering and logistics
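The screening work this post goes on to describe (recruiters escalating suspicious profiles, automated systems that flag, filter and enrich applications) is summarized but never shown. The following Python example is added here and is not SentinelOne's code; it shows one way such screening can be encoded: applicant records are normalised, a phone number or mailbox reused under different names is flagged, resume text is compared for near-duplicates across personas, and names are checked against a watchlist of personas already tied to a campaign. The applications, the watchlist and the similarity threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample applications (hypothetical data, not real applicants).
APPLICATIONS = [
    {"id": "A1", "name": "John Miller", "email": "john.miller.dev@example.com",
     "phone": "+1 (555) 010-2233",
     "resume": "Senior full stack developer with 8 years React Node AWS experience. Remote only."},
    {"id": "A2", "name": "Jon Millar", "email": "jmillar@example.net",
     "phone": "15550102233",
     "resume": "Senior full stack developer with 8 years React Node AWS experience. Remote only, flexible hours."},
    {"id": "A3", "name": "Priya Nair", "email": "priya.nair@example.org",
     "phone": "+44 20 7946 0000",
     "resume": "Security engineer focusing on detection engineering and SIEM content."},
    {"id": "A4", "name": "Alex Chen", "email": "john.miller.dev@example.com",
     "phone": "+1 555 999 8877",
     "resume": "Blockchain developer, Solidity and Rust, open to contract work."},
]

# Constructed watchlist of persona names previously tied to a campaign (hypothetical).
KNOWN_ALIASES = {"jon millar"}


def norm_phone(phone):
    """Keep digits only so '+1 (555) 010-2233' and '15550102233' compare equal."""
    return re.sub(r"\D", "", phone)


def norm_email(email):
    return email.strip().lower()


def norm_name(name):
    return " ".join(name.lower().split())


def shingles(text, k=3):
    """Word k-grams of the resume text, used for near-duplicate detection."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0


def screen(applications, known_aliases=KNOWN_ALIASES, resume_threshold=0.5):
    """Return {application id: [reasons]} for every application worth escalating."""
    flags = defaultdict(list)
    by_contact = defaultdict(list)  # (kind, normalised value) -> applications using it

    for app in applications:
        if norm_name(app["name"]) in known_aliases:
            flags[app["id"]].append("name matches a known campaign alias")
        by_contact[("email", norm_email(app["email"]))].append(app)
        by_contact[("phone", norm_phone(app["phone"]))].append(app)

    # One phone number or mailbox reused under several different names is a
    # persona-farm signal: personas change, the operator's contact points less so.
    for (kind, value), group in by_contact.items():
        names = {norm_name(a["name"]) for a in group}
        if len(names) > 1:
            for a in group:
                flags[a["id"]].append(f"{kind} {value} shared by {len(names)} different names")

    # Near-identical resumes submitted under different names.
    for a, b in combinations(applications, 2):
        if norm_name(a["name"]) == norm_name(b["name"]):
            continue
        sim = jaccard(shingles(a["resume"]), shingles(b["resume"]))
        if sim >= resume_threshold:
            flags[a["id"]].append(f"resume near-duplicate of {b['id']} (similarity {sim:.2f})")
            flags[b["id"]].append(f"resume near-duplicate of {a['id']} (similarity {sim:.2f})")

    return dict(flags)


if __name__ == "__main__":
    for app_id, reasons in screen(APPLICATIONS).items():
        print(app_id, "->", "; ".join(reasons))
```

Run stand-alone, the script escalates A1, A2 and A4 with the reasons attached and leaves A3 alone; in practice the reasons are what a recruiter needs to see, since a single shared phone number is a far stronger signal than a generic resume overlap, and the threshold and watchlist would be tuned against real escalation history.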

Our team has tracked roughly 360 fake personas and over 1,000 job applications linked to DPRK IT worker operations applying for roles at SentinelOne.

Engagement and Adversary Interaction

Instead of staying passive, we made a deliberate choice towards intelligence-driven engagement. In coordination with our talent acquisition teams, we developed workflows to identify and interact with suspected DPRK applicants during the early phases of their outreach. Our attempted interactions offered rare insights into the craftiness and persistence of these infiltration campaigns — particularly the ways in which adversaries adapt to the friction they encounter. The attackers are honing their craft beyond the job application and recruitment process. An operation of this scale and nature requires a different kind of backend infrastructure, such as a sprawling network of front companies to enable further laundering and logistics.

Collaboration with Hiring Teams

A key takeaway in working on this investigation was the value of intentionally creating inroads and sharing threat context with different teams not normally keyed into investigations. By doing so, we were able to create a shared understanding of the situation among the teams involved. We brought campaign-level understanding that was combined with tactical insights from our talent team. The payoff was immediate. Recruiters began spotting patterns on their own, driving an increase in early-stage escalation of suspicious profiles. They became an active partner that continues to flag new sightings from the frontlines. In turn, we are codifying these insights into automated systems that flag, filter, enrich, and proactively block these campaigns to lower the burden on our recruiters and hiring managers, and reduce the risk of infiltration.

The Growing Trend of Adversaries Exploiting Sales Processes
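The Nitrogen pattern described in this section relies on a reseller accepting a lookalike of a real customer's domain and a borrowed company name. The following Python example is added here and is not SentinelOne's or any reseller's code; it shows a reseller-side order check of the kind the section calls for: the buyer's mail domain is canonicalised (hyphens dropped, common look-alike sequences such as "rn" for "m" and "0" for "o" folded), compared with a directory of verified customers by edit distance, the claimed company name is checked against that directory, and domain age is checked. The customer directory, the registration dates that stand in for a WHOIS/RDAP lookup, the orders and the thresholds are all constructed.

```python
from datetime import date

# Constructed directory of verified customers (hypothetical): mail domain -> company.
VERIFIED_CUSTOMERS = {
    "acme-logistics.example": "Acme Logistics",
    "northwind.example": "Northwind Traders",
}

# Constructed registration dates standing in for a WHOIS/RDAP lookup (hypothetical).
REGISTRATION_DATES = {
    "acme-logistics.example": date(2012, 3, 1),
    "northwind.example": date(2009, 7, 15),
    "blueharbordental.example": date(2016, 9, 9),
    "acrne-logistics.example": date(2025, 4, 20),
    "northwind-traders.example": date(2025, 5, 2),
}

# Constructed purchase orders received by a reseller (hypothetical).
ORDERS = [
    {"id": "O-1", "company": "Acme Logistics", "buyer_email": "procurement@acme-logistics.example", "seats": 500},
    {"id": "O-2", "company": "Acme Logistics", "buyer_email": "it@acrne-logistics.example", "seats": 2000},
    {"id": "O-3", "company": "Northwind Traders", "buyer_email": "ops@northwind-traders.example", "seats": 50},
    {"id": "O-4", "company": "Blue Harbor Dental", "buyer_email": "office@blueharbordental.example", "seats": 25},
]

TODAY = date(2025, 6, 1)  # fixed so the example is reproducible


def canonical(domain):
    """Left-most label of the mail domain with hyphens removed and common
    look-alike sequences folded. A real deployment would first reduce the
    domain to its registrable part using the public suffix list."""
    label = domain.lower().split(".")[0]
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", "")):
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Classic edit distance; small enough that no library is needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_order(order, today=TODAY, verified=VERIFIED_CUSTOMERS,
              reg_dates=REGISTRATION_DATES, max_distance=2, min_age_days=90):
    """Return (decision, reasons); any reason holds the order for manual KYC review."""
    domain = order["buyer_email"].rsplit("@", 1)[-1].lower()
    company = order["company"].strip().lower()
    reasons = []

    if domain in verified:
        if company != verified[domain].lower():
            reasons.append(f"company name does not match verified record for {domain}")
    else:
        for legit_domain, legit_company in verified.items():
            # A new domain that collapses to (or sits within a couple of edits of)
            # a verified customer's domain is the lookalike pattern.
            if levenshtein(canonical(domain), canonical(legit_domain)) <= max_distance:
                reasons.append(f"domain {domain} resembles verified domain {legit_domain}")
            if company == legit_company.lower():
                reasons.append(f"claims to be {legit_company} but verified domain is {legit_domain}")

    registered = reg_dates.get(domain)
    if registered is None:
        reasons.append(f"no registration record for {domain}")
    elif (today - registered).days < min_age_days:
        reasons.append(f"domain registered {(today - registered).days} days ago")

    return ("hold for KYC review" if reasons else "release"), reasons


def vet_all(orders, today=TODAY):
    """Decision per order id, the summary a reseller's order desk would act on."""
    return {o["id"]: vet_order(o, today)[0] for o in orders}


if __name__ == "__main__":
    for order in ORDERS:
        decision, reasons = vet_order(order)
        print(order["id"], decision, reasons)
```

Run as is, O-1 and O-4 are released (a known customer and a genuinely new one with a mature domain), while O-2 is held for three reasons (lookalike of a verified domain, a borrowed company name, a domain registered weeks ago) and O-3 for two. The point of returning reasons rather than a bare verdict is that a hold must be cheap for a human to confirm, otherwise a lightly staffed reseller will simply stop reviewing them.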

Another threat vector we’ve observed involves adversaries impersonating legitimate businesses to acquire security products through trusted resellers. This approach is epitomized by the Nitrogen ransomware group. Nitrogen impersonates real companies — spinning up lookalike domains, spoofed email addresses, and cloned infrastructure to convincingly pose as legitimate businesses. Nitrogen then purchases official licenses for EDR and other security products under these false pretenses. This kind of social engineering is executed with precision. Nitrogen typically targets small, lightly vetted resellers — keeping interactions minimal and relying on resellers’ inconsistent KYC practices to slip through the cracks. This highlights a growing challenge for the security industry: reseller diligence and KYC enforcement are clearly part of the threat surface. When those controls are weak or absent, adversaries like Nitrogen gain powerful new ways to elevate their campaigns — often at a lower cost and lower risk than the black market.

The PurpleHaze Activity Cluster

Our analysis of the PurpleHaze cluster has reinforced several key insights around operational security and supply chain monitoring. Even when our own infrastructure remained untouched, the targeting of an external service provider previously associated with business logistics surfaced important considerations. One immediate reminder is the necessity of maintaining real-time awareness not only over internal assets but also over adjacent service providers — particularly those with past or current access to sensitive employee devices or logistical information. By integrating threat context into asset attribution workflows, organizations can enhance their ability to trace supply chain touchpoints that may be at risk.

Lessons Learned

Our analysis of the PurpleHaze cluster has taught us several lessons about threat intelligence and operational security. First, collaboration between different teams and functions within an organization matters: by working together, teams build a shared understanding of the situation and can develop effective strategies for mitigating threats. Second, threat intelligence should be integrated into asset attribution workflows, so that supply chain touchpoints that may be at risk can be traced. Finally, organizations need to maintain real-time awareness of both their internal assets and adjacent service providers. This is particularly important in today’s threat landscape, where adversaries are increasingly targeting security vendors for insider access, abuse of legitimate channels, and supply chain infiltration.

The Strategic Value of Cyber Threat Intelligence

Cyber threat intelligence has evolved from a niche function into an essential pillar of enterprise defense — particularly for private sector organizations operating in the security space. One of the most tangible examples of the value of cyber threat intelligence is in internal talent acquisition and insider threat defense. Intelligence has become a frontline asset in identifying attempts by North Korean IT workers and other state-backed operatives to embed themselves in organizations under false pretenses. By flagging suspicious applicant patterns, cross-referencing alias histories, and tracking known tradecraft, CTI teams help hiring managers and HR avoid potential insider incidents before they start.

Our CTI capabilities must also directly support sales and channel operations. As criminal groups increasingly impersonate legitimate businesses to acquire security products through trusted resellers, intelligence plays a key role in verifying customer legitimacy and identifying anomalous purchase behaviors.

Internally, threat intelligence informs and enhances how we defend our own technology and supply chain against highly targeted APT activity. From understanding how adversaries reverse-engineer our software to uncovering which parts of our technology stack they seek to compromise, CTI enables proactive hardening, smarter telemetry prioritization, and meaningful collaboration with product and engineering teams. In essence, intelligence acts as an early-warning system and a strategic guide — ensuring our defenses stay one step ahead of evolving threats.

The Future of Cyber Threat Intelligence

As the threat landscape continues to evolve, the role of cyber threat intelligence will only continue to grow. Organizations must remain vigilant and proactive in defending against emerging threats. By leveraging the power of cyber threat intelligence, organizations can stay ahead of the threats and ensure their defenses remain effective.

In conclusion, threat actors and security vendors are intertwined in a complex web of interests. The recent attacks on SentinelOne have highlighted the vulnerability of security vendors to complex and sophisticated threats. To stay ahead of these threats, organizations must prioritize threat intelligence and operational security. By working together and integrating threat intelligence into asset attribution workflows, organizations can build a more robust defense against insider threats and supply chain infiltration. In the end, it is not just about defending against threats, but about building a stronger and more resilient organization that can withstand the attacks of the future.
