- North Korean hackers posing as IT workers have expanded their operations into Europe, Google has warned
- These operatives pose as legitimate remote workers, aiming to infiltrate organizations and generate revenue for the DPRK regime
- Their tactics have evolved to include intensified extortion campaigns and exploitation of corporate virtualized infrastructure
North Korean hackers posing as IT workers are pushing further into Europe, according to Google’s Threat Intelligence Group (GTIG). These individuals, masquerading as legitimate remote employees (typically developers), seek to infiltrate companies to fund the Democratic People’s Republic of Korea (DPRK) terrorism regime. The group warned that these hackers’ methods have become more sophisticated, involving aggressive extortion and exploitation of virtualized corporate environments.
DPRK Agents Spreading Across the Pond
GTIG revealed in its report that DPRK IT workers, initially concentrated on U.S. targets, have faced challenges in securing and maintaining employment there due to increased awareness and legal actions. This has prompted a strategic shift towards European markets, with GTIG identifying instances where a single operative managed at least 12 personas across Europe and the U.S., seeking positions in sectors like defense and government. These individuals often provide fabricated references and control multiple personas to vouch for their credibility.
In the UK, DPRK IT workers have undertaken various projects, including web and bot development, content management systems, and blockchain technologies. Specific endeavors involve creating platforms using Next.js, React, CosmosSDK, Golang, and developing job marketplaces with technologies like MongoDB and Node.js. Their blockchain-related work spans Solana and Anchor/Rust smart contract development, reflecting a broad technical expertise.
Evolving Tactics and Extortion
Beyond geographical expansion, these operatives have intensified their extortion efforts. Since late October 2024, there has been an uptick in threats to release sensitive company data following terminations, including proprietary information and source code. GTIG suggests this aggression correlates with increased U.S. law enforcement actions against DPRK IT workers, pushing them towards more desperate measures to sustain revenue streams.
DPRK IT workers have also begun exploiting companies’ Bring Your Own Device (BYOD) policies, accessing systems through personal devices that lack standard security measures. This strategy allows them to operate undetected, as personal devices often lack the monitoring tools present on corporate hardware. GTIG believes these workers have identified BYOD environments as particularly vulnerable, increasing the risk of undetected malicious activity.
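As an added illustration of the BYOD gap described above (example code written for this page, not from Google or GTIG), the rule below scans constructed sign-in events and flags remote contractor sessions that reach sensitive resources from devices not enrolled in device management, then summarizes what each such account could expose. Field names, resource labels and sample events are assumptions invented for the example.

```python
# Added example (not from the article): a simple detection rule for the BYOD gap.
# It flags sessions where a remote contractor account reaches a sensitive resource
# from a device that is not enrolled in MDM / has no EDR agent, and summarizes the
# sensitive resources each such account has touched. Field names are assumptions.
from dataclasses import dataclass
from collections import defaultdict

# Assumed labels for resources whose loss would enable the extortion the report describes.
SENSITIVE_RESOURCES = {"git-server", "build-secrets", "finance-share"}


@dataclass(frozen=True)
class SignIn:
    event_id: str
    user: str
    role: str             # "contractor" or "employee" (assumed values)
    resource: str         # what the session accessed
    device_managed: bool  # True if the device is enrolled in MDM / runs the EDR agent
    country: str          # geolocation of the source IP (unused by the rule, kept for context)


def is_risky(ev: SignIn) -> bool:
    """Unmanaged device + sensitive resource + contractor account: the profile in the report."""
    return (not ev.device_managed) and ev.resource in SENSITIVE_RESOURCES and ev.role == "contractor"


def flag_unmanaged_sensitive_access(events):
    """Return the ids of matching events, in input order, for analyst review."""
    return [ev.event_id for ev in events if is_risky(ev)]


def unmanaged_exposure_by_user(events):
    """Map each flagged account to the set of sensitive resources it reached unmanaged."""
    exposure = defaultdict(set)
    for ev in events:
        if is_risky(ev):
            exposure[ev.user].add(ev.resource)
    return dict(exposure)


# Constructed sample events for a stand-alone run (not real log data).
SAMPLE_EVENTS = [
    SignIn("e1", "dev.alice", "employee", "git-server", True, "GB"),
    SignIn("e2", "contractor.bob", "contractor", "git-server", False, "GB"),
    SignIn("e3", "contractor.bob", "contractor", "wiki", False, "GB"),
    SignIn("e4", "contractor.carol", "contractor", "build-secrets", True, "DE"),
    SignIn("e5", "contractor.dan", "contractor", "finance-share", False, "PL"),
]

if __name__ == "__main__":
    for eid in flag_unmanaged_sensitive_access(SAMPLE_EVENTS):
        print("review:", eid)
    print(unmanaged_exposure_by_user(SAMPLE_EVENTS))
```

A managed-device check of this kind is only a starting point; the rule should be paired with device-posture enforcement at sign-in so the access never succeeds in the first place.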
These hackers will be hoping to emulate the actions of the Ronin hacker, who in 2022 embedded a trojan horse into a CV, which, once opened, granted the sender unauthorized access to the engineer’s computer. As a result, $540 million worth of cryptocurrencies were stolen from the Ronin bridge that March.