Source URL: https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale/
Source: Cloud Blog
Title: DPRK IT Workers Expanding in Scope and Scale
Written by: Jamie Collier
Since our September 2024 report outlining the Democratic People’s Republic of Korea (DPRK) IT worker threat, the scope and scale of their operations have continued to expand. These individuals pose as legitimate remote workers to infiltrate companies and generate revenue for the regime. This places organizations that hire DPRK IT workers at risk of espionage, data theft, and disruption.
In collaboration with partners, Google Threat Intelligence Group (GTIG) has identified an increase of active operations in Europe, confirming the threat’s expansion beyond the United States. This growth is coupled with evolving tactics, such as intensified extortion campaigns and the move to conduct operations within corporate virtualized infrastructure.
On The March: IT Workers Expand Globally with a Focus on Europe
DPRK IT workers’ activity across multiple countries now establishes them as a global threat. While the United States remains a key target, in recent months DPRK IT workers have encountered challenges in seeking and maintaining employment in the country. This is likely due to increased awareness of the threat through public reporting, United States Department of Justice indictments, and right-to-work verification challenges. These factors have instigated a global expansion of IT worker operations, with a notable focus on Europe.
Figure 1: List of countries impacted by DPRK IT Workers
IT Worker Activity in Europe
In late 2024, one DPRK IT worker operated at least 12 personas across Europe and the United States. The IT Worker actively sought employment with multiple organizations within Europe, particularly those within the defense industrial base and government sectors. This individual demonstrated a pattern of providing fabricated references, building a rapport with job recruiters, and utilizing additional personas they controlled to vouch for their credibility.
Separately, additional investigations uncovered other IT worker personas seeking employment in Germany and Portugal, alongside login credentials for user accounts of European job websites and human capital management platforms.
GTIG has also observed a diverse portfolio of projects in the United Kingdom undertaken by DPRK IT workers. These projects included web development, bot development, content management system (CMS) development, and blockchain technology, indicating a broad range of technical expertise, spanning traditional web development to advanced blockchain and AI applications.
Specific projects identified include:
– Development of a Nodexa token hosting plan platform utilizing Next.js, React, CosmosSDK, and Golang, as well as the creation of a job marketplace using Next.js, Tailwind CSS, MongoDB, and Node.js.
– Further blockchain-related projects involving Solana and Anchor/Rust smart contract development, and a blockchain job marketplace built using the MERN stack and Solana.
– Contributions to existing websites by adding pages using Next.js and Tailwind CSS.
– Development of an AI web application leveraging Electron, Next.js, artificial intelligence, and blockchain technologies.
In their efforts to secure these positions, DPRK IT workers employed deceptive tactics, falsely claiming nationalities from a diverse set of countries, including Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam. The identities utilized were a combination of real and fabricated personas.
IT workers in Europe were recruited through various online platforms, including Upwork, Telegram, and Freelancer. Payment for their services was facilitated through cryptocurrency, the TransferWise service, and Payoneer, highlighting the use of methods that obfuscate the origin and destination of funds.
Facilitators Support European Operations
The facilitators used by IT workers to help them get jobs, defeat identity verification, and receive funds fraudulently have also been found in Europe. One incident involved a DPRK IT worker utilizing facilitators located in both the United States and the United Kingdom. Notably, a corporate laptop, ostensibly intended for use in New York, was found to be operational in London, indicating a complex logistical chain.
An investigation into infrastructure utilized by a suspected facilitator also highlighted heightened interest in Europe. Resources discovered contained fabricated personas, including resumes listing degrees from Belgrade University in Serbia and residences in Slovakia, as well as instructions for navigating European job sites. Additionally, contact information for a broker specializing in false passports was discovered, indicating a coordinated effort to acquire fraudulent identification documents. One document provided specific guidance on seeking employment in Serbia, including the use of a Serbian time zone during communications.
Extortion Heating Up
Alongside global expansion, DPRK IT workers are also evolving their tactics. Based on data from multiple sources, GTIG assesses that since late October 2024, IT workers have increased the volume of extortion attempts and gone after larger organizations.
In these incidents, recently fired IT workers threatened to release their former employers’ sensitive data or to provide it to a competitor. This data included proprietary data and source code for internal projects.
The increase in extortion campaigns coincided with heightened United States law enforcement actions against DPRK IT workers, including disruptions and indictments. This suggests a potential link, where pressure on these workers may be driving them to adopt more aggressive measures to maintain their revenue stream.
Previously, workers terminated from their places of employment might attempt to provide references for their other personas so that they could be rehired by the company. It is possible that the workers suspected they were terminated due to discovery of their true identities, which would preclude attempts to be rehired.
The Virtual Workspace: BYOD Brings IT Worker Risks
To avoid distributing corporate laptops, some companies operate a bring your own device (BYOD) policy, allowing employees to access company systems through virtual machines. Unlike corporate laptops that can be monitored, personal devices operating under a BYOD policy may lack traditional security and logging tools, making it difficult to track activities and identify potential threats. This absence of conventional security measures means that typical evidence trails linked to IT workers, such as those derived from corporate laptop shipping addresses and endpoint software inventories, are unavailable. All of this increases the risk of undetected malicious activity.
GTIG believes that IT workers have identified BYOD environments as potentially ripe for their schemes, and as of January 2025 IT workers are conducting operations against their employers in these environments.
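The facilitator and BYOD sections above describe the same observable from the defender's side: the location a worker claims (residence, laptop shipping address, working time zone) can be compared against where their sessions actually come from, as in the corporate laptop intended for New York that was operating in London, or the guidance to present a Serbian time zone. The following is an added example, not GTIG's code and not from the original post, showing that comparison over constructed HR records and VDI/VPN session events. The record field names, the country-to-time-zone table and all sample values are assumptions made for the example.

```python
"""Flag remote-worker sessions whose observed location disagrees with the
location on record (added example; constructed data, assumed field names)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Plausible client time zones per country. Constructed and deliberately small;
# a real deployment would derive this from the tz database.
COUNTRY_TIMEZONES: Dict[str, Set[str]] = {
    "US": {"America/New_York", "America/Chicago", "America/Denver", "America/Los_Angeles"},
    "GB": {"Europe/London"},
    "RS": {"Europe/Belgrade"},
    "DE": {"Europe/Berlin"},
    "PT": {"Europe/Lisbon"},
}


@dataclass(frozen=True)
class WorkerRecord:
    """What HR and asset management believe about a worker (assumed schema)."""
    worker_id: str
    declared_country: str               # country the worker says they live in
    device_shipped_to: Optional[str]    # country the corporate laptop went to; None for BYOD


@dataclass(frozen=True)
class SessionEvent:
    """One VDI/VPN logon as exported from the access gateway (assumed schema)."""
    worker_id: str
    geo_country: str        # country the source IP geolocates to
    client_timezone: str    # time zone reported by the VDI/VPN client


def find_location_conflicts(workers: List[WorkerRecord],
                            sessions: List[SessionEvent]) -> Dict[str, List[str]]:
    """Return {worker_id: [reason, ...]} for every session that contradicts
    the declared residence, the laptop shipping address, or itself (time zone
    that does not fit the country the session came from)."""
    by_id = {w.worker_id: w for w in workers}
    findings: Dict[str, List[str]] = {}
    for s in sessions:
        worker = by_id.get(s.worker_id)
        if worker is None:
            findings.setdefault(s.worker_id, []).append("session for worker with no HR record")
            continue
        reasons: List[str] = []
        if s.geo_country != worker.declared_country:
            reasons.append(f"session from {s.geo_country} but worker declared {worker.declared_country}")
        if worker.device_shipped_to and s.geo_country != worker.device_shipped_to:
            reasons.append(f"laptop shipped to {worker.device_shipped_to} but session from {s.geo_country}")
        expected_tz = COUNTRY_TIMEZONES.get(s.geo_country)
        if expected_tz is not None and s.client_timezone not in expected_tz:
            reasons.append(f"client time zone {s.client_timezone} does not fit session country {s.geo_country}")
        if reasons:
            findings.setdefault(s.worker_id, []).extend(reasons)
    return findings


# Constructed sample data: w1 has a corporate laptop shipped to the US but one
# session comes from the UK; w2 is a BYOD worker claiming Serbia whose session
# geolocates to Germany while the client reports a Belgrade time zone; w3 is
# consistent and should produce no findings.
WORKERS = [
    WorkerRecord("w1", declared_country="US", device_shipped_to="US"),
    WorkerRecord("w2", declared_country="RS", device_shipped_to=None),
    WorkerRecord("w3", declared_country="DE", device_shipped_to=None),
]
SESSIONS = [
    SessionEvent("w1", geo_country="US", client_timezone="America/New_York"),
    SessionEvent("w1", geo_country="GB", client_timezone="Europe/London"),
    SessionEvent("w2", geo_country="DE", client_timezone="Europe/Belgrade"),
    SessionEvent("w3", geo_country="DE", client_timezone="Europe/Berlin"),
]

if __name__ == "__main__":
    for worker_id, reasons in find_location_conflicts(WORKERS, SESSIONS).items():
        print(worker_id)
        for reason in reasons:
            print("  -", reason)
```

Each finding is a lead, not a verdict: travel and VPN use produce the same mismatches, so the output is meant to feed an identity or insider-risk review rather than to block sessions automatically. The value of the check in a BYOD setting is that it relies only on gateway-side data (source IP and client-reported time zone), which the organization still controls when it has no agent on the endpoint.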
Conclusion
Global expansion, extortion tactics, and the utilization of virtualized infrastructure all highlight the adaptable strategies employed by DPRK IT workers. In response to heightened awareness of the threat within the United States, they’ve established a global ecosystem of fraudulent personas to enhance operational agility. Coupled with the discovery of facilitators in the UK, this suggests the rapid formation of a global infrastructure and support network that empowers their continued operations.
For detailed mitigation and detection strategies, please visit our previous report on IT workers.
AI Summary and Description
**Summary:** The text outlines the expanding threat posed by North Korean IT workers infiltrating organizations globally, particularly in Europe. It presents insights into their deceptive tactics, extortion campaigns, and the challenges they pose to security, especially concerning virtualized corporate infrastructure and BYOD policies. This information is crucial for professionals in security and compliance as it emphasizes the need for better detection and mitigation strategies in the face of evolving threats.
**Detailed Description:**
The report provides a comprehensive overview of the activities and threats posed by North Korean IT workers, emphasizing the changing landscape of cybersecurity risks associated with remote work environments and international operations. Key points include:
– **Global Threat Expansion:**
  – Following increased awareness and law enforcement actions in the U.S., DPRK IT workers have diverted their operations to Europe, targeting defense and government sectors.
  – They utilize fabricated references and multiple personas to penetrate organizations, with a focus on Europe.
– **Deceptive Tactics:**
  – A single operative was found to maintain at least 12 personas, and these operatives utilize online platforms (e.g., Upwork, Telegram) to secure employment.
  – Payment methods such as cryptocurrency and services that obscure transactions signify techniques for evading detection.
– **Technical Versatility:**
  – Identified projects range from web and bot development to blockchain applications, showcasing a diverse skill set that includes:
    – Development of platforms using Next.js and React.
    – Creation of smart contracts on Solana and other blockchain technologies.
    – Building of job marketplaces and AI applications.
– **Extortion Evolving:**
  – There is a notable increase in extortion attempts aimed at larger organizations, where former employees threaten to leak sensitive data.
  – The correlation between pressure from law enforcement and a rise in aggressive tactics indicates a shift toward more aggressive behavior among these workers.
– **Risks of BYOD Policies:**
  – The move towards BYOD in businesses complicates monitoring efforts. Personal devices are often less secure and lack the logging capabilities of corporate devices, creating a vulnerable environment for cyber threats.
  – Awareness of BYOD-related risks is crucial as DPRK IT workers exploit these weaknesses to execute their operations stealthily.
– **Support Networks:**
  – Investigations have revealed a network of facilitators aiding DPRK IT workers, providing fake identities and career guidance, indicating a well-organized effort to circumvent identity verification and employment restrictions.
**Implications for Security and Compliance Professionals:**
– Organizations must enhance their security measures, especially for remote and BYOD situations, ensuring robust monitoring and threat detection is in place.
– The evolving landscape of cyber threats necessitates ongoing training and awareness initiatives for organizations to recognize and mitigate risks associated with deceptive tactics.
– Collaboration with law enforcement and intelligence agencies is essential for staying abreast of emerging threats and developing appropriate defense strategies.
– Regular reviews of hiring practices and background checks, particularly in sensitive sectors, may help mitigate risks stemming from remote worker infiltration.
In conclusion, the text serves as a critical reminder that the cybersecurity landscape is rapidly changing, with actors like DPRK IT workers employing sophisticated methods that require proactive and sophisticated countermeasures from security professionals. For detailed mitigation strategies, organizations are encouraged to consult prior reports and enhance their defenses against these emerging threats.