
North Korea’s army of “IT workers”, who pose as genuine job seekers to join unwitting companies and infiltrate them for criminal gain, has continued to grow across the world, including in Asia, according to a new report by Google this week.
These scammers work in a wide range of organisations, using fraudulent personas to get into companies and generate revenue for the North Korean regime, says Google. The aim is to evade sanctions and fund its weapons of mass destruction (WMD) and ballistic missile programmes, it adds.
These individuals pose as remote employees, and can place businesses at risk of espionage, data theft, and operational disruption, according to the Google Threat Intelligence Group (GTIG) report. It notes that these North Korean IT workers are now a global threat due to their activities across multiple countries.
There has been an increase in active operations globally, especially in Europe. They also have a growing presence in Asia, including key countries such as Japan, Malaysia, Singapore, and Vietnam.
Google has identified IT workers assuming false national identities, including those of Asian countries such as Japan, Malaysia, Singapore, and Vietnam, to secure jobs. The identities used were a combination of real and fabricated personas.
Their presence spans across industries, including Web development, advanced blockchain technology, and artificial intelligence (AI) applications.
Evolving tactics
Worryingly, this growth has been coupled with evolving tactics, such as intensified extortion campaigns, the targeting of larger organisations, and a shift to conducting operations within corporate virtualised infrastructure.
Recently dismissed IT workers have threatened to leak sensitive company data, including proprietary information and internal source code, or sell the data to competitors.
This surge in extortion attempts has coincided with intensified American law enforcement actions against North Korean operatives, suggesting that mounting pressure may be pushing them toward more aggressive means of securing revenue, according to the Google report.
Previously, terminated workers would attempt to use fake references from their other personas to regain employment. This could indicate that the workers suspect that they lost their jobs because their true identities were discovered, which would make re-employment less likely.
“A decade of diverse cyberattacks (encompassing SWIFT targeting, ransomware, cryptocurrency theft, and supply chain compromise) precedes North Korea’s latest surge,” said Dr Jamie Collier, lead threat intelligence advisor for Europe at GTIG.
“This relentless innovation demonstrates a longstanding commitment to fund the regime through cyber operations,” she noted.
Given the success of earlier North Korean IT workers, she expects North Korea to broaden its global reach.
With Asia-Pacific (APAC) already impacted by these operations, this problem is set to escalate, she said. “These campaigns thrive on ignorance and will likely enjoy particular success in areas of APAC with less awareness of the threat.”