North Korea’s Fake IT Worker Scheme Sets Sights on Europe


North Korea’s fake IT worker scheme has shifted its focus to European companies, confirming the global nature of this threat, according to the Google Threat Intelligence Group (GTIG).

This shift stems from Democratic People’s Republic of Korea (DPRK) IT workers facing challenges in seeking and maintaining employment in the US over recent months.

The researchers believe this is likely due to growing awareness of the IT worker threat through public reporting and recent charges brought by US authorities against individuals suspected of involvement in these schemes.

“These factors have instigated a global expansion of IT worker operations, with a notable focus on Europe,” GTIG wrote.

Google emphasized that the US remains a key target for fake IT worker operations, which are used to generate revenue and steal sensitive data on behalf of the DPRK government.

This is achieved by gaining employment as remote IT workers with companies around the world, giving them privileged access to sensitive systems and data in critical sectors like defense.

North Korea Targets European Firms

The researchers highlighted several cases of DPRK actors using fake personas to gain freelance employment in European firms.

In late 2024, one DPRK IT worker actively sought employment with multiple organizations within Europe, particularly those within the defense industrial base and government sectors.

This individual operated at least 12 personas across Europe and the US, providing fabricated references and building rapport with job recruiters to boost their credibility.

Other IT worker personas attempted to gain employment in Germany and Portugal. They had login credentials for user accounts on European job websites and human capital management platforms.

In addition, a diverse portfolio of projects was undertaken in the UK by DPRK IT workers, spanning traditional web development to advanced blockchain and AI applications.

DPRK workers have used deceptive tactics to conceal their identities, falsely claiming nationalities from a diverse set of countries, including Italy, Japan, Malaysia, Singapore, Ukraine, the US and Vietnam.

They also use facilitators to overcome identity verification and to receive funds fraudulently. The GTIG investigation uncovered a complex chain around such facilitators.

This included the discovery of contact information for a broker specializing in false passports, indicating a coordinated effort to acquire fraudulent identification documents.

IT workers in Europe were recruited through various online platforms, including Upwork, Telegram and Freelancer. Payment for their services was facilitated through cryptocurrency, enabling threat actors to obfuscate the origin and destination of their funds.

Fake IT Workers Expand Extortion Tactics

North Korean threat actors have used fake personas to gain employment as IT workers in foreign companies, especially the US, for a number of years, taking advantage of remote work opportunities to obfuscate their identities.

This tactic has a number of purposes, including using the salaries to help fund the DPRK regime and using their privileged access to steal sensitive data from employers’ networks.

In the past year, these operations have escalated to encompass extortion whereby the IT workers steal sensitive proprietary data and code from their former employers and hold it “hostage” until a ransom demand is met.

In the new research, GTIG assessed that since late October 2024, IT workers have increased the volume of extortion attempts and gone after larger organizations.

The researchers linked this trend to heightened US law enforcement actions against DPRK workers, as this may be driving them to adopt more aggressive measures to maintain revenue streams.


How to Tackle the Fake IT Worker Threat

Organizations have been urged to deploy stronger verification checks on remote IT workers to avoid falling victim to this tactic.

Rafe Pilling, Director of Threat Intelligence, Counter Threat Unit, Secureworks (Sophos), commented: “The fraudulent North Korean IT worker campaigns have become much more of a recognized issue for a range of organizations. While cybersecurity has long been recognized as a business issue, hiring practices aren’t something most people think about in terms of cybersecurity.”

He set out the following recommendations for organizations to improve their hiring practices for remote workers:

  • Verify identities by checking documentation for consistency, including their name, nationality, contact details and work history
  • Conduct in-person or video interviews and monitor for suspicious activity, such as long pauses or not appearing on camera
  • Be wary of candidates’ requests to change their address during the onboarding process and to route pay checks to money transfer services
  • Restrict the use of unauthorized remote access tools and limit access to non-essential systems
  • Undertake post-employment monitoring and validation to ensure that the person who obtained the contract is the same person that is actually performing the work
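The five recommendations above translate naturally into a rule-based review that a hiring or security team can run over a candidate's onboarding record. The following is an added example written for this article, not tooling from GTIG, Secureworks or any organization named here: it applies each recommendation to a constructed candidate record (document fields, interview observations, onboarding events, endpoint process log lines and post-hire logon countries) and returns the flags raised plus a disposition. The allow-list of approved remote access tools, the payroll destination categories and the log line format are all assumptions chosen for the example.

```python
# Added example (not from the article or the organizations it cites): a rule-based
# onboarding review that applies the five hiring recommendations to constructed records.
from dataclasses import dataclass
from typing import Dict, List

# Assumed, hypothetical allow-list of remote access tooling the organization itself issues.
APPROVED_REMOTE_TOOLS = {"corp-vpn-client", "corp-rdp-gateway"}
# Assumed payroll destination categories that merit manual review before the first payment.
MONEY_TRANSFER_SERVICES = {"money_transfer_service", "prepaid_card"}


@dataclass
class CandidateRecord:
    documents: List[Dict[str, str]]        # fields extracted from each submitted document
    onboarding_events: List[Dict[str, str]]
    declared_country: str
    interview_notes: Dict[str, bool]       # observations recorded by the interviewer
    process_log: List[str]                 # constructed endpoint process log lines
    work_sessions: List[Dict[str, str]]    # source country of each logon after hire


def check_identity_consistency(documents):
    """Recommendation 1: the same field must read the same on every document."""
    flags = []
    for fld in ("name", "nationality", "email", "phone"):
        values = {d[fld] for d in documents if fld in d}
        if len(values) > 1:
            flags.append(f"identity: '{fld}' differs across documents {sorted(values)}")
    return flags


def check_interview(notes):
    """Recommendation 2: behaviour observed during the video interview."""
    flags = []
    if not notes.get("camera_on", False):
        flags.append("interview: candidate did not appear on camera")
    if notes.get("long_pauses", False):
        flags.append("interview: unexplained long pauses before answers")
    return flags


def check_onboarding_events(events):
    """Recommendation 3: address changes during onboarding and pay routed to transfer services."""
    flags = []
    for ev in events:
        if ev["type"] == "address_change" and ev.get("phase") == "onboarding":
            flags.append(f"onboarding: address changed during onboarding ({ev['old']} -> {ev['new']})")
        if ev["type"] == "payroll_destination" and ev["destination_type"] in MONEY_TRANSFER_SERVICES:
            flags.append(f"payroll: pay routed to a {ev['destination_type']}")
    return flags


def check_remote_tools(process_log):
    """Recommendation 4: remote access software on the issued endpoint that is not approved."""
    flags = []
    for line in process_log:
        # Constructed log format: "<timestamp> host=<h> user=<u> proc=<name> category=<cat>"
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        if fields.get("category") == "remote_access" and fields.get("proc") not in APPROVED_REMOTE_TOOLS:
            flags.append(f"endpoint: unapproved remote access tool '{fields['proc']}' on {fields['host']}")
    return flags


def check_work_sessions(declared_country, sessions):
    """Recommendation 5: post-hire logons should come from where the worker said they are."""
    other = sorted({s["country"] for s in sessions} - {declared_country})
    return [f"post-hire: work sessions from {other}, declared {declared_country}"] if other else []


def review_candidate(rec: CandidateRecord):
    """Run every check; return the flags raised and a disposition for the hiring team."""
    flags = (check_identity_consistency(rec.documents)
             + check_interview(rec.interview_notes)
             + check_onboarding_events(rec.onboarding_events)
             + check_remote_tools(rec.process_log)
             + check_work_sessions(rec.declared_country, rec.work_sessions))
    if len(flags) >= 3:
        disposition = "escalate"        # several independent signals: hold access, involve security
    elif flags:
        disposition = "manual_review"   # one or two signals: verify before widening access
    else:
        disposition = "proceed"
    return flags, disposition


# Constructed sample record; every value is invented for illustration.
SAMPLE = CandidateRecord(
    documents=[
        {"name": "A. Example", "nationality": "Portugal", "email": "a@example.test"},
        {"name": "A. Example", "nationality": "Italy", "email": "a@example.test"},
    ],
    onboarding_events=[
        {"type": "address_change", "phase": "onboarding", "old": "Lisbon", "new": "Porto"},
        {"type": "payroll_destination", "destination_type": "money_transfer_service"},
    ],
    declared_country="Portugal",
    interview_notes={"camera_on": False, "long_pauses": True},
    process_log=[
        "2025-01-10T09:12:00Z host=lt-0042 user=aexample proc=corp-vpn-client category=remote_access",
        "2025-01-10T09:15:00Z host=lt-0042 user=aexample proc=unlisted-remote-tool category=remote_access",
    ],
    work_sessions=[{"country": "Portugal"}, {"country": "Malaysia"}],
)

if __name__ == "__main__":
    flags, disposition = review_candidate(SAMPLE)
    for flag in flags:
        print(flag)
    print("disposition:", disposition)
```

The disposition thresholds are deliberately conservative: a single flag (an honest address change, say) only asks for a human check, while several independent signals across identity, interview, payroll and endpoint data are what justify holding access and involving the security team. Each check is independent, so a team can swap in its own identity document source, HR system events or EDR telemetry without touching the others.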
