Google warns that fake North Korean IT workers have expanded to Europe

Google is warning that the recent spate of North Korean fake IT workers has spread outside the US and into Europe.

Over the last few years, individuals from the Democratic People's Republic of Korea (DPRK) have been posing as remote IT staff and applying for jobs with US companies. The candidates claim to be based anywhere in the world – Italy, Japan, Malaysia, Singapore, Ukraine, the US, and Vietnam, for example – and cite impressive qualifications and experience. The workers are often placed via fake recruitment firms.

However, they are in fact a way of laundering cash for the North Korean government, with many having also stolen proprietary data, installed malware on corporate systems, and demanded ransom payments.

And now, Google has warned, these groups are expanding their scope and tactics, extending their extortion campaigns and carrying out their operations within corporate virtualized infrastructure. They've also expanded their geographical area of operations.

"DPRK IT workers' activity across multiple countries now establishes them as a global threat. While the United States remains a key target, over the past months, DPRK IT workers have encountered challenges in seeking and maintaining employment in the country," said Jamie Collier, lead adviser at Google's Threat Intelligence Group (GTIG), in a blog post.

"This is likely due to increased awareness of the threat through public reporting, United States Department of Justice indictments, and right-to-work verification challenges. These factors have instigated a global expansion of IT worker operations, with a notable focus on Europe."

Late last year, for example, one DPRK IT worker was running at least 12 personas across Europe and the US, looking for work at multiple organizations within Europe – particularly those within the defense and government sectors.

These workers in Europe were recruited through various online platforms, including Upwork, Telegram, and Freelancer. Payment was managed via cryptocurrency, the TransferWise service, and Payoneer.

There's also been a number of cases in the UK, with DPRK IT workers involved in projects including web development, bot development, content management system (CMS) development, and blockchain technology – showing a broad range of technical expertise.

The fake workers are also evolving their tactics, warned Google. Since late October last year, GTIG data shows, they've been carrying out more extortion attempts and targeted larger organizations.

In these incidents, recently-fired IT workers threatened to release their former employers' sensitive information, including proprietary data and source code for internal projects, to a competitor.

"The increase in extortion campaigns coincided with heightened United States law enforcement actions against DPRK IT workers, including disruptions and indictments," said Collier.

"This suggests a potential link, where pressure on these workers may be driving them to adopt more aggressive measures to maintain their revenue stream."

Google also warned organizations to be wary of bring your own device (BYOD) policies, which it said are being targeted by the fake workers, as they may lack traditional security and logging tools.

The advice comes on top of recommendations from the FBI.

Organizations should keep security generally tight, on the least privilege principle, and should monitor and investigate unusual network traffic. And when it comes to hiring, they should use tight identity-verification processes throughout the interviewing, onboarding, and employment of any remote worker, according to the FBI. They should look out for other applicants with the same resume content and/or contact information, and keep a sharp eye out for the use of AI and face-swapping technology during video job interviews.

"Global expansion, extortion tactics, and the use of virtualized infrastructure all highlight the adaptable strategies employed by DPRK IT workers," said Collier.

"In response to heightened awareness of the threat within the United States, they've established a global ecosystem of fraudulent personas to enhance operational agility. Coupled with the discovery of facilitators in the UK, this suggests the rapid formation of a global infrastructure and support network that empowers their continued operations."