North Korean IT worker army expands operations in Europe
North Korea’s IT workers have expanded operations beyond the United States and are now increasingly targeting organizations across Europe.
Also referred to as “IT warriors,” they hide their true identities and pose as workers based in other countries by connecting via laptop farms to fraudulently secure positions as remote freelance IT employees at companies worldwide to generate revenue for the Democratic People’s Republic of Korea (DPRK) regime.
As security researchers with the Google Threat Intelligence Group (GTIG) found, North Korea’s IT army has increasingly targeted positions at companies in Germany, Portugal, and the United Kingdom after many of its members have been charged and targeted with sanctions in the United States.
“In their efforts to secure these positions, DPRK IT workers employed deceptive tactics, falsely claiming nationalities from a diverse set of countries, including Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam. The identities used were a combination of real and fabricated personas,” said Jamie Collier, a lead threat intelligence advisor at GTIG.
“IT workers in Europe were recruited through various online platforms, including Upwork, Telegram, and Freelancer. Payment for their services was facilitated through cryptocurrency, the TransferWise service, and Payoneer, highlighting the use of methods that obfuscate the origin and destination of funds.”
For instance, GTIG investigators discovered user credentials at European job websites and human capital management platforms linked to DRPK IT worker personas looking for employment at German and Portuguese companies. North Korean IT workers have also been linked to many projects in the United Kingdom, ranging from AI and blockchain technology to web, bot, and content management system (CMS) development.
Another DPRK IT worker targeted multiple European organizations in the defense industrial base and government sectors in late 2024 using fabricated references and personas to make it easier to trick job recruiters into hiring them.
“We are increasingly seeing North Korean IT workers infiltrating larger organizations to steal sensitive data and follow through on their extortion threats against these enterprises,” Michael Barnhart, a Mandiant Principal Analyst at Google Cloud, told BleepingComputer in January.
“It’s also unsurprising to see them expanding their operations into Europe to replicate their success, as it’s easier to entrap citizens who aren’t familiar with their ploy.”
On September 12, 2024, the United Kingdom’s Office of Financial Sanctions Implementation issued an advisory on North Korean IT workers with info on how potential targets can mitigate their risk exposure and warning that individuals and organizations who hire them could be breaching financial sanctions.
U.S. crackdown on DPRK IT work schemes
GTIG’s report follows multiple warnings issued by the FBI regarding North Korea’s massive army of IT workers sent abroad to generate revenue, who have tricked hundreds of companies in the United States and worldwide into hiring them over the years. However, the North Korean regime keeps up to 90% of wages collected this way, generating hundreds of millions every year to fund its weapons programs.
After being discovered and fired, some of these undercover North Korean IT workers have also used insider knowledge to extort former employers, threatening to leak sensitive information stolen from company systems.
In January, the U.S. Justice Department indicted two North Korean nationals and three facilitators for their involvement in a multi-year fraudulent remote IT work scheme involving at least sixty-four U.S. companies between April 2018 and August 2024.
The Treasury’s Office of Foreign Assets Control (OFAC) also sanctioned North Korean front companies linked to North Korea’s Ministry of National Defense and accused of generating revenue via illegal remote IT work schemes. The U.S. State Department now offers millions in exchange for any information that could help disrupt their fraudulent activities.
In recent years, South Korean and Japanese government agencies have also issued alerts on North Koreans impersonating people from other countries to secure employment as remote IT workers at private companies.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
Source link
