North Korean operatives are applying for IT positions in the United Kingdom while posing as legitimate remote workers, Google Threat Intelligence Group has revealed. Their success rate in the United States is falling as awareness of their tactics, criminal charges, and employment verification requirements increase, pushing them to shift their focus to other regions.
These attackers present themselves as genuine remote workers in order to generate revenue for the regime, gain access to sensitive company information, or conduct espionage through their employment. Researchers have also observed them actively searching for login credentials on job portals and human resources management platforms.
“Europe must quickly recognize the situation,” stated Jamie Collier, Europe’s Lead Advisory Expert on Threat Intelligence at Google Threat Intelligence Group, in an email to TechRepublic. “Despite being the main target of cybercriminal activities, many still view this as a problem primarily affecting the U.S. North Korea’s recent actions are likely spurred by operational obstacles in the U.S., illustrating the flexibility and adaptability of cybercriminals to changing situations.”
Increased Focus on Larger Organizations and New Locations by Hackers
Since late October, Google has reported a rise in activity indicating that North Korean cybercriminals are targeting larger enterprises and venturing into new territories. Besides the U.K., evidence points to an escalation in Germany, Portugal, Serbia, and other European countries.
Google researchers discovered falsified credentials, including degrees from Belgrade University in Serbia, and fake addresses in Slovakia on a fabricated CV. They also found detailed guidelines on maneuvering through European job platforms to secure employment in Serbia, involving tactics like using the Serbian time zone for communication and engaging a middleman to produce fake passports.
Increased Aggression Linked to Desperation
North Korean IT workers have adopted more forceful tactics, such as moving their operations inside corporate virtual environments and threatening to leak proprietary corporate data after termination unless a ransom is paid.
The researchers attribute this behavior to the need to sustain revenue amid intensified law enforcement action against their U.S. operations. Previously, these workers avoided burning bridges with employers in the hope of being re-hired; now they likely interpret termination as a sign that they have been identified, and respond by intimidating the employer.
“A decade of various cyber assaults precedes North Korea’s recent surge — from SWIFT attacks and ransomware to cryptocurrency theft and compromise of supply chains,” explained Collier to TechRepublic. “This continuous evolution underscores a steadfast commitment to financing the regime via cyber activities.”
Insights into North Korean IT Worker Operations
Targeted sectors include defense and governmental areas, with fake workers strategically “providing forged recommendations, establishing rapport with job recruiters, and employing other manipulated personas to validate their credibility.” They are recruited through online platforms such as Upwork, Telegram, and Freelancer.
The North Korean operatives portray themselves as hailing from diverse countries like Italy, Japan, Malaysia, Singapore, Ukraine, the U.S., and Vietnam, by combining stolen personal data with fabricated details. They have been observed using AI to produce profile images, creating deepfake videos for interviews, and utilizing AI writing tools for translations into target languages.
As part of their employment, these infiltrators deliver web development work spanning job platforms, bots, content management systems, blockchain, and AI applications, showcasing a wide array of skills. Payment is taken via cryptocurrency and cross-border transfer services such as Payoneer and TransferWise to obscure the source and destination of funds.
The IT workers rely on facilitators to support their activities. Based in the target regions, these facilitators help secure jobs, bypass verification procedures, and move the illicitly obtained funds. Google’s team identified facilitators in both the U.S. and the U.K., and in one case located a corporate laptop shipped to New York that was being operated from London.
Bring Your Own Device Systems – A Boon for Cybercriminals
Many businesses with widely dispersed workforces implement Bring Your Own Device policies, allowing employees to utilize personal devices for work purposes. Google’s team suspects that since January, North Korean IT workers have identified these companies as ideal targets for employment opportunities.
A company-issued device is likely to carry robust security controls, such as activity monitoring, and can be traced back to its user through shipping records and endpoint software inventories. By contrast, when a worker reaches internal systems from a personal laptop through the employer’s virtual machines, none of that asset trail exists, so the operatives can evade detection more easily.
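The asset trail described above can be turned into a routine check. The following is an added example, not code from Google or TechRepublic, that reconciles a constructed asset inventory (device, assigned user, shipping country) with constructed sign-in events (user, device, managed flag, sign-in country) and flags the patterns in the article: a managed laptop shipped to one country but signing in from another, a device used by someone other than its assignee, and unmanaged BYOD access to internal systems. The field names and record layouts are assumptions.

```python
# Added example: reconcile device inventory with sign-in telemetry.
# All records below are constructed sample data; field names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    user: str
    device: str
    reason: str


# Constructed asset inventory: device id -> (assigned user, country it was shipped to).
INVENTORY = {
    "LT-1001": ("j.doe", "US"),
    "LT-1002": ("a.smith", "US"),
}

# Constructed sign-in events, as a VPN or identity provider export might look.
SIGNINS = [
    {"user": "j.doe", "device": "LT-1001", "managed": True, "geo": "GB"},
    {"user": "a.smith", "device": "LT-1002", "managed": True, "geo": "US"},
    {"user": "a.smith", "device": "unknown-macbook", "managed": False, "geo": "US"},
    {"user": "r.lee", "device": "LT-1001", "managed": True, "geo": "GB"},
]


def review_signins(signins, inventory):
    """Return one Finding per sign-in that contradicts the inventory or bypasses it."""
    findings = []
    for ev in signins:
        user, dev, geo = ev["user"], ev["device"], ev["geo"]
        if not ev["managed"]:
            # BYOD access has no shipping or endpoint record to reconcile against.
            findings.append(Finding(user, dev, "unmanaged device on internal systems"))
            continue
        assigned_user, shipped_to = inventory.get(dev, (None, None))
        if assigned_user is None:
            findings.append(Finding(user, dev, "managed device not in inventory"))
        elif assigned_user != user:
            findings.append(Finding(user, dev, f"device assigned to {assigned_user}"))
        elif shipped_to != geo:
            # The laptop-shipped-to-New-York, operated-from-London pattern.
            findings.append(Finding(user, dev, f"shipped to {shipped_to}, signing in from {geo}"))
    return findings


if __name__ == "__main__":
    for f in review_signins(SIGNINS, INVENTORY):
        print(f"{f.user:10} {f.device:16} {f.reason}")
```

A country mismatch is a triage signal rather than proof, since travel or VPN egress produce the same pattern; the value is in reviewing it against HR records before the worker is granted further access.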
