GTIG's report follows multiple warnings issued by the FBI regarding North Korea's massive army of IT workers sent abroad to generate revenue, who have tricked hundreds of companies in the United States and worldwide into hiring them over the years. In recent years, South Korean and Japanese government agencies have also issued alerts on North Koreans impersonating people from other countries to secure employment as remote IT workers at private companies. Also referred to as "IT warriors," they hide their true identities and pose as workers based in other countries by connecting via laptop farms to fraudulently secure positions as remote freelance IT employees at companies worldwide to generate revenue for the Democratic People's Republic of Korea (DPRK) regime. As security researchers with the Google Threat Intelligence Group (GTIG) found, North Korea's IT army has increasingly targeted positions at companies in Germany, Portugal, and the United Kingdom after many of its members have been charged and targeted with sanctions in the United States. The Treasury's Office of Foreign Assets Control (OFAC) also sanctioned North Korean front companies linked to North Korea's Ministry of National Defense and accused of generating revenue via illegal remote IT work schemes. "We are increasingly seeing North Korean IT workers infiltrating larger organizations to steal sensitive data and follow through on their extortion threats against these enterprises," Michael Barnhart, a Mandiant Principal Analyst at Google Cloud, told BleepingComputer in January. In January, the U.S. Justice Department indicted two North Korean nationals and three facilitators for their involvement in a multi-year fraudulent remote IT work scheme involving at least sixty-four U.S. companies between April 2018 and August 2024. North Korean IT workers have also been linked to many projects in the United Kingdom, ranging from AI and blockchain technology to web, bot, and content management system (CMS) development. "In their efforts to secure these positions, DPRK IT workers employed deceptive tactics, falsely claiming nationalities from a diverse set of countries, including Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam. North Korea's IT workers have expanded operations beyond the United States and are now increasingly targeting organizations across Europe. After being discovered and fired, some of these undercover North Korean IT workers have also used insider knowledge to extort former employers, threatening to leak sensitive information stolen from company systems. For instance, GTIG investigators discovered user credentials at European job websites and human capital management platforms linked to DRPK IT worker personas looking for employment at German and Portuguese companies. Another DPRK IT worker targeted multiple European organizations in the defense industrial base and government sectors in late 2024 using fabricated references and personas to make it easier to trick job recruiters into hiring them.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 01 Apr 2025 19:00:07 +0000