
Google warns of rising global threat from N Korean IT ops
Google's Threat Intelligence Group (GTIG) has warned that North Korean IT worker operations are expanding globally, with recent activity targeting European governments, defence industries, and organisations across the Asia-Pacific region, including Australia and New Zealand.
The warning comes in a new GTIG blog post published on 2 April, which outlines how these workers—masquerading as legitimate remote employees—are generating revenue for the Democratic People's Republic of Korea (DPRK) regime through fraudulent employment, espionage, and extortion.
"In late 2024, GTIG identified a DPRK IT worker operating at least 12 personas across Europe and the U.S.," the group said. "This individual sought employment with multiple companies, particularly within defence industrial bases and European governments."
Investigations found that these workers used a variety of deception tactics, including falsified references, fake identities, and impersonation of recruiters. In many cases, DPRK operatives fabricated their nationalities, claiming to be from countries including Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam.
GTIG said the identities used in these operations were a mix of real and invented personas. These tactics allowed workers to build credibility with hiring managers and infiltrate target organisations undetected.
In one instance, a DPRK IT worker was found to be operating in London using a corporate laptop originally intended for deployment in New York, underscoring the logistical sophistication of the operations. Further investigations linked these activities to facilitators based in the US and UK, some of whom were allegedly involved in falsifying documents and helping operatives navigate European employment systems.
The technical expertise demonstrated by DPRK IT workers also spans a broad spectrum, including blockchain and AI development, web and bot development, and CMS projects. In the UK alone, workers were linked to the development of platforms using technologies such as Next.js, CosmosSDK, Golang, MongoDB, Solana, and Rust.
Another concerning development noted by GTIG is the increasing use of extortion by DPRK workers. Since October 2024, there has been a significant uptick in threats made by recently terminated employees to leak proprietary data and source code to competitors unless ransom demands are met.
Initially targeting smaller businesses, these extortion campaigns have recently shifted to larger enterprises, a trend GTIG attributes to growing enforcement pressure in the United States.
"A decade of diverse cyberattacks (encompassing SWIFT targeting, ransomware, cryptocurrency theft, and supply chain compromise) precedes North Korea's latest surge," said Dr Jamie Collier, Lead Threat Intelligence Advisor for Europe at GTIG. "This relentless innovation demonstrates a longstanding commitment to fund the regime through cyber operations."
He added: "Given DPRK IT workers' operational success, North Korea will likely broaden its global reach. With APAC already impacted by these operations, this problem is set to escalate. These campaigns thrive on ignorance and will likely enjoy particular success in areas of APAC with less awareness of the threat."
The blog also raises concerns about the exploitation of bring-your-own-device (BYOD) policies in corporate environments. Unlike standard corporate laptops, personal devices often lack endpoint monitoring tools, making it harder to detect malicious activity.
GTIG said DPRK operatives are now using virtualised infrastructure to carry out operations from personal devices, further complicating detection efforts.
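Two of the observations above lend themselves to routine checks a security team can automate: a corporate laptop that was shipped to one country but is signing in from another (the New York laptop operating in London), and a BYOD endpoint that turns out to be a virtual machine or has no endpoint agent reporting. The following Python script is an added example written for this article; it is not code from GTIG or from the blog post. The inventory and sign-in record fields, the list of virtual-machine model strings, and the sample devices and sign-ins are all constructed assumptions standing in for whatever an MDM, asset system and identity provider actually export.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


# Hypothetical inventory record, shaped like an MDM or asset-system export (assumed fields).
@dataclass
class Device:
    device_id: str
    user: str
    ownership: str                # "corporate" or "byod"
    ship_country: Optional[str]   # country a corporate laptop was shipped to; None for BYOD
    hardware_model: str           # model string the device reports about itself
    edr_agent: bool               # whether an endpoint agent is installed and reporting


# Hypothetical sign-in event from an identity-provider log (assumed fields).
@dataclass
class SignIn:
    device_id: str
    user: str
    country: str                  # country resolved from the sign-in source address


# Substrings that commonly appear in the model string of a hypervisor guest.
# This list is an assumption; tune it to what your inventory actually reports.
VM_MARKERS = ("vmware", "virtualbox", "qemu", "kvm", "hyper-v", "parallels", "virtual machine")

Finding = Tuple[str, str, str]    # (device_id, finding_kind, detail)


def is_virtual_machine(model: str) -> bool:
    """True when the reported hardware model looks like a virtual machine."""
    lowered = model.lower()
    return any(marker in lowered for marker in VM_MARKERS)


def review_devices(devices: List[Device], signins: List[SignIn]) -> List[Finding]:
    """Correlate inventory with sign-in geography and flag the two patterns the
    article describes: a corporate laptop used far from where it was shipped, and
    a BYOD endpoint that is a VM or has no monitoring agent."""
    countries_by_device: Dict[str, Set[str]] = defaultdict(set)
    for s in signins:
        countries_by_device[s.device_id].add(s.country)

    findings: List[Finding] = []
    for d in devices:
        seen = countries_by_device.get(d.device_id, set())

        # Corporate laptop signing in from a country other than its shipping destination.
        if d.ownership == "corporate" and d.ship_country:
            elsewhere = sorted(c for c in seen if c != d.ship_country)
            if elsewhere:
                findings.append((d.device_id, "location_mismatch",
                                 f"shipped to {d.ship_country}, sign-ins from {', '.join(elsewhere)}"))

        # Personal device that is virtualised or invisible to endpoint monitoring.
        if d.ownership == "byod":
            if is_virtual_machine(d.hardware_model):
                findings.append((d.device_id, "byod_virtual_machine", d.hardware_model))
            if not d.edr_agent:
                findings.append((d.device_id, "byod_no_endpoint_agent", "no endpoint agent reporting"))
    return findings


# Constructed sample data, not real records.
SAMPLE_DEVICES = [
    Device("LT-1001", "alice", "corporate", "US", "Latitude 5540", True),    # shipped to New York
    Device("LT-1002", "bob", "corporate", "DE", "Latitude 5540", True),
    Device("BYOD-77", "carol", "byod", None, "VMware Virtual Platform", False),
    Device("BYOD-78", "dave", "byod", None, "MacBookPro18,3", True),
]

SAMPLE_SIGNINS = [
    SignIn("LT-1001", "alice", "GB"),   # the New York laptop signing in from London
    SignIn("LT-1001", "alice", "GB"),
    SignIn("LT-1002", "bob", "DE"),
    SignIn("BYOD-77", "carol", "US"),
    SignIn("BYOD-78", "dave", "US"),
]


def sample_findings() -> List[Finding]:
    """Run the review over the constructed sample; returns three findings."""
    return review_devices(SAMPLE_DEVICES, SAMPLE_SIGNINS)


if __name__ == "__main__":
    for device_id, kind, detail in sample_findings():
        print(f"{device_id}: {kind} ({detail})")
```

The script is deliberately a correlation rather than a verdict: a location mismatch also fires for a genuinely travelling employee, and a BYOD VM may be a developer's sandbox, so each finding is a prompt to check the shipping record, the travel approval and the device enrolment, not proof of a DPRK operative. What it does give a team is a repeatable list of the devices that the article's cases would have surfaced.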
The organisation concludes that DPRK IT worker operations are not only increasing in scale but evolving rapidly in terms of tactics, geographical reach, and technical sophistication.