Google has found a significant increase in North Korean actors attempting to gain employment as IT workers in European companies, leading to data theft and extortion.
Analysis Summary
# Threat Actor: Unspecified Democratic People's Republic of Korea (DPRK) IT Operations
## Attribution & Identity
**Attribution:** Democratic People's Republic of Korea (DPRK) state-sponsored actors.
**Aliases/Associations:** Referred to generally as the "fake IT worker scheme" associated with the DPRK government.
## Activity Summary
These operations, identified by the Google Threat Intelligence Group (GTIG), have shifted focus from the US to **European companies**. The expansion is likely a response to increased public awareness of the scheme and recent US legal actions against individuals involved in it. The actors gain employment as remote IT workers, using **fake personas** to secure positions in targeted organizations globally. Activity observed in late 2024 showed DPRK actors seeking freelance work specifically within **European defense industrial base and government organizations**.
## Tactics, Techniques & Procedures
- Gaining employment as remote IT workers using **fake personas**.
- Exploiting the employment relationship to gain **privileged access to sensitive systems and data**.
- Potential activities once inside include data theft and generating revenue for the DPRK; the summary describes espionage and revenue as the primary goals.
- *No specific MITRE ATT&CK IDs were provided in the source material.*
## Targeting
- **Sectors:** Critical sectors, including the **defense industrial base** and government organizations, and more generally any sector where IT roles provide system and data access.
- **Geography:** Shifting focus to **Europe**, while the **US remains a key target**.
- **Victims:** Organizations within Europe, particularly those in the defense industrial base and government sectors.
## Tools & Infrastructure
- **Malware families used:** Not specified in the summary.
- **Infrastructure (C2, domains, IPs):** Not specified in the summary. The focus is on exploiting legitimate employment infrastructure.
## Implications
This shift in focus indicates the DPRK is adapting its long-running revenue-generating and espionage strategy to circumvent increased scrutiny in the United States. Targeting Europe's defense and government sectors via legitimate IT employment presents a significant insider threat vector against sensitive national security information.
## Mitigations
- Increased scrutiny of remote IT worker hires, particularly candidates presenting foreign profiles or unusual employment gaps or backgrounds.
- Implementing robust vetting processes for freelance and remote IT roles, especially those requiring privileged system access.
- Organizations within critical infrastructure and defense sectors should be highly vigilant regarding the provenance and background of their outsourced or remote IT personnel.