- The Google Threat Intelligence Group says that workers from the Democratic People’s Republic of Korea represent a massive threat to businesses and governments.
- These workers evade detection by leveraging a sophisticated network of facilitators and good old lies.
- Not only do these workers participate in espionage, data theft and disruption, they even draw a salary, which could be used to fund further activities.
Despite being effectively locked off from the rest of the world, the Democratic People’s Republic of Korea (DPRK) is currently worming its way into some of the biggest firms in the world.
Together with its partners, the Google Threat Intelligence Group (GTIG) says it has uncovered an operation in which DPRK operatives are tricking European and American corporations into hiring them.
We saw this in 2024 when KnowBe4 unknowingly hired a North Korean national.
These efforts have been ramped up, and GTIG reckons this represents an existential threat. While there is greater awareness of this campaign, that awareness has only served to amp up the efforts of DPRK operatives, forcing them to get more creative. In one case, GTIG reports that a single DPRK worker used at least 12 personas to get employed by multiple organisations in the defense industrial base and government sectors throughout Europe.
“This individual demonstrated a pattern of providing fabricated references, building a rapport with job recruiters, and using additional personas they controlled to vouch for their credibility,” GTIG reports.
Surprisingly, these workers are taking on incredibly complex tasks, likely to appear more attractive to employers who require scarce skills.
“GTIG has also observed a diverse portfolio of projects in the United Kingdom undertaken by DPRK IT workers. These projects included web development, bot development, content management system (CMS) development, and blockchain technology, indicating a broad range of technical expertise, spanning traditional web development to advanced blockchain and AI applications,” the GTIG squad reports.
The DPRK workers pretend to be workers from Italy, Japan, Malaysia, Singapore and even the US. The identities are a mix of real and fabricated personas.
How do they do it?
The team at GTIG has identified what it calls a “complex logistical chain” that exists to get these DPRK workers hired. This includes facilitators whom the IT workers use to get jobs, defeat identity verification and receive funds. In one incident, a DPRK worker used facilitators in the US and UK, which likely adds to the worker’s credibility.
“An investigation into infrastructure used by a suspected facilitator also highlighted heightened interest in Europe. Resources discovered contained fabricated personas, including resumes listing degrees from Belgrade University in Serbia and residences in Slovakia, as well as instructions for navigating European job sites. Additionally, contact information for a broker specializing in false passports was discovered, indicating a coordinated effort to acquire fraudulent identification documents. One document provided specific guidance on seeking employment in Serbia, including the use of a Serbian time zone during communications,” Google’s intelligence team reported.
Because these workers are fake, with a single persona’s work often being done by multiple people, they are able to outperform regular workers. This paints them as rockstars to employers, and they rise through the ranks quickly, getting what experts described to Cyberscoop as the “keys to the kingdom”.
It appears that companies with a Bring Your Own Device (BYOD) policy are fertile ground for these IT workers. BYOD lets the workers be more evasive, as they aren’t required to provide a shipping address for a company laptop or to use company-approved software that would allow employers to track these individuals.
“Global expansion, extortion tactics, and the use of virtualized infrastructure all highlight the adaptable strategies employed by DPRK IT workers. In response to heightened awareness of the threat within the United States, they’ve established a global ecosystem of fraudulent personas to enhance operational agility. Coupled with the discovery of facilitators in the UK, this suggests the rapid formation of a global infrastructure and support network that empowers their continued operations,” writes GTIG.
This trend is a major threat to businesses. Not only can these workers participate in espionage, data theft and disruption, but businesses are also technically funding these activities by paying these workers.
GTIG detailed how to mitigate this threat in September 2024, and that guidance is still relevant, so it’s worth reading over it now as the threat becomes more prevalent.