The DPRK group’s attempts to exfiltrate data and install RMM tools by posing as US IT workers are among several examples that show cross-domain analysis is needed to tackle rising identity-based attacks, according to CrowdStrike’s counter adversary team, as the company reels in the worldwide outage’s wake.
Don’t have an answer to your question, but if you haven’t come across this yet, it’s worth a read: https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us
I think there’s a Darknet Diaries episode about this.