
North Korean hackers who disguise themselves as IT workers are applying for work in the U.K., according to Google Threat Intelligence Group. Success in the U.S. is declining due to rising awareness of their tactics, indictments, and right-to-work verification challenges, prompting them to turn elsewhere.
The attackers pose as legitimate remote workers, looking to generate revenue, access sensitive company data, or perform espionage operations through employment. Researchers observed them seeking out login credentials for job sites and human capital management platforms.
“Europe needs to wake up fast,” Jamie Collier, Lead Threat Intelligence Advisor, Europe, Google Threat Intelligence Group, told TechRepublic in an email. “Despite being in the crosshairs of IT worker operations, too many perceive this as a U.S. problem. North Korea’s recent shifts likely stem from U.S. operational hurdles, showing IT workers’ agility and ability to adapt to changing circumstances.”
Hackers are targeting larger organisations and new territories
Activity has increased since late October, according to Google, with attackers from the Democratic People’s Republic of Korea targeting larger organisations and new territories. It’s not just the U.K., either, as researchers have discovered evidence of a rise in activity in Germany, Portugal, Serbia, and elsewhere in Europe.
Google’s researchers uncovered a fake CV listing degrees from Belgrade University in Serbia and fabricated residential addresses in Slovakia. Additionally, they found detailed instructions on how to navigate European job sites and secure employment in Serbia, including using the Serbian time zone for communication, as well as a broker facilitating the creation of fake passports.
More aggressive tactics stem from desperation
The North Korean IT workers are also using more aggressive tactics, such as moving operations within corporate virtualised infrastructure and threatening to release proprietary corporate data after being fired unless a ransom is paid.
The researchers link this to desperation to maintain their revenue stream while law enforcement cracks down on their operations in the U.S. While workers once avoided burning bridges with employers after termination in the hope of being rehired, they now likely believe their dismissal stems from being caught, prompting them to threaten employers instead.
“A decade of diverse cyberattacks precedes North Korea’s latest surge — from SWIFT targeting and ransomware, to cryptocurrency theft and supply chain compromise,” Collier told TechRepublic. “This relentless innovation demonstrates a longstanding commitment to fund the regime through cyber operations.”
How the North Korean IT worker operations work
Targeted industries include defence and government sectors, with the fake workers “providing fabricated references, building a rapport with job recruiters, and using additional personas they controlled to vouch for their credibility.” They are recruited through online platforms including Upwork, Telegram, and Freelancer.
North Korean workers pretend to be from a diverse set of countries, including Italy, Japan, Malaysia, Singapore, Ukraine, the U.S., and Vietnam, using a combination of stolen personal details from real individuals and fabricated information. They have even been known to use AI to generate profile photos, create deepfakes for video interviews, and translate communications into target languages using AI writing tools.
In exchange for employment, the North Korean infiltrators offer services in the development of web solutions, such as job marketplaces, bots, content management systems, blockchain, and AI apps, indicating a broad range of expertise. Payment is made in cryptocurrency and through cross-border transfer platforms like Payoneer and TransferWise, helping to obscure its origin and destination.
The IT workers use certain “facilitators” to aid them in their pursuits. These are individuals or entities based in the target territories that help them find jobs, bypass verification checks, and receive funds fraudulently. The Google team has found evidence of facilitators in both the U.S. and U.K., locating a corporate laptop from New York that was operational in London.
Bring Your Own Device environments are making life easier for the workers
Many businesses with distributed workforces implement Bring Your Own Device policies, where employees can use their personal devices for work. The Google team believes that, since January, the North Korean IT workers have been identifying these companies as prime targets to gain employment.
A company-owned device will typically carry security controls such as activity monitoring, and can be traced back to its user through the address the company shipped it to and its endpoint software inventory. An attacker who instead uses their own laptop to reach internal systems through the employer’s virtual machines is therefore more likely to evade detection.
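The New York laptop found operating in London, and the BYOD sessions that bypass device tracing, both come down to a correlation a defender can run over their own asset inventory and sign-in telemetry. The following is an added example, not code from the article or from Google; the inventory, sign-in events, device IDs, user names and the 24-hour window are all constructed or assumed. It goes slightly beyond the article's single case by also flagging any user, on any device, seen in two countries within the window.

```python
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory: where each corporate laptop was shipped and to whom.
INVENTORY = {
    "LT-0001": {"user": "alice", "shipped_country": "US", "shipped_city": "New York"},
    "LT-0002": {"user": "bob", "shipped_country": "GB", "shipped_city": "Manchester"},
}

# Constructed endpoint/VDI sign-in telemetry: device (or "BYOD"), user, geolocated country, time.
EVENTS = [
    {"device": "LT-0001", "user": "alice", "country": "GB", "ts": "2025-03-03T09:10:00"},
    {"device": "LT-0001", "user": "alice", "country": "GB", "ts": "2025-03-04T09:12:00"},
    {"device": "LT-0002", "user": "bob", "country": "GB", "ts": "2025-03-03T08:55:00"},
    {"device": "BYOD", "user": "bob", "country": "RS", "ts": "2025-03-03T13:40:00"},
]


def device_location_mismatches(inventory, events):
    """Corporate devices signing in from a country other than the one they were shipped to.
    This is the 'laptop shipped to New York, active in London' pattern from the article."""
    seen = defaultdict(set)
    for e in events:
        rec = inventory.get(e["device"])  # BYOD sessions have no inventory record and are skipped here
        if rec and e["country"] != rec["shipped_country"]:
            seen[e["device"]].add(e["country"])
    return {dev: sorted(countries) for dev, countries in seen.items()}


def multi_country_users(events, window_hours=24):
    """Users seen from more than one country within the window, across corporate and BYOD sessions.
    Catches the case where the tracked laptop and the personal device tell different stories."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["country"]))
    flagged = {}
    for user, rows in by_user.items():
        rows.sort()
        for i, (t1, c1) in enumerate(rows):
            for t2, c2 in rows[i + 1:]:
                if c1 != c2 and (t2 - t1).total_seconds() <= window_hours * 3600:
                    flagged.setdefault(user, set()).update({c1, c2})
    return {user: sorted(countries) for user, countries in flagged.items()}


if __name__ == "__main__":
    print("device mismatches:", device_location_mismatches(INVENTORY, EVENTS))
    print("multi-country users:", multi_country_users(EVENTS))
```

Both findings are leads for an HR and IT follow-up, not proof of fraud on their own; a travelling employee produces the same signal, so the value is in reviewing the hits against the worker's stated location.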