North Korean IT worker spies now targeting jobs across Europe, researchers warn

One agent operated ‘at least 12 personas’ across Europe and US, report says

Vishwam Sankaran
Wednesday 02 April 2025 11:41 BST

North Korean agents posing as legitimate remote IT workers are increasingly infiltrating companies in Europe, cybersecurity researchers warn in a new report.

While the US remained the main target of these North Korean spies, referred to as “IT warriors”, their recent activity across multiple countries establishes them as a global threat, the Google Threat Intelligence Group (GTIG) warned in its report.

The group from the Democratic People's Republic of Korea (DPRK) is also using evolving tactics like intensified extortion to place their agents inside organisations, researchers said.

This increases the risk of corporate espionage, data theft, and disruption “with a notable focus on Europe”, they warn.

Laptop screen shows webpage of IT Army of Ukraine group of volunteer hackers (AFP via Getty Images)

Citing an example, the report notes the case of a DPRK IT worker “who operated at least 12 personas across Europe and the US”.

This “IT warrior” reportedly sought employment with multiple organisations in Europe, particularly those in the defence and government sectors.

The agent fabricated references, built rapport with job recruiters, and used additional personas to vouch for their credibility, researchers cautioned.

Similar IT worker “personas” were also found seeking employment in Germany and Portugal, they noted.

“GTIG has also observed a diverse portfolio of projects in the UK undertaken by DPRK IT workers,” researchers say.

“These projects included web development, bot development, content management system (CMS) development, and blockchain technology, indicating a broad range of technical expertise,” GTIG noted.

The workers reportedly use deceptive tactics, such as falsely claiming nationalities from countries like Italy, Japan, Malaysia, Singapore, Ukraine, the US, and Vietnam.

These workers were recruited by several companies via online platforms, including Upwork, Telegram, and Freelancer, the report noted.

In several European countries, facilitators are also helping the North Korean “IT workers” get jobs, defeat identity verification, and receive funds fraudulently, researchers say, hinting at a complex logistical chain with “heightened interest in Europe”.

Cybersecurity experts also suspect these “IT warriors” may be under increased pressure, driving them to adopt more aggressive measures to maintain their revenue stream from extorting larger organisations.

Some companies that operate a “bring your own device (BYOD)” policy may be particularly vulnerable, they say.

“Unlike corporate laptops that can be monitored, personal devices operating under a BYOD policy may lack traditional security and logging tools, making it difficult to track activities and identify potential threats,” researchers say.

“GTIG believes that IT workers have identified BYOD environments as potentially ripe for their schemes,” they say.

With the latest discovery of facilitators in the UK, experts warn of a rapid formation of a global infrastructure and support network aiding North Korean IT worker spies.
