North Korean IT specialists reportedly apply more to European companies
Following U.S. cases, alleged North Korean IT specialists are increasingly applying for European jobs, aided by local intermediaries.
The number of applications from alleged IT specialists who are backed by North Korean cyber criminals is increasing at European companies. The North Koreans are specifically looking for remote jobs and transfer their salaries to the North Korean government. This is according to a report by the Google Threat Intelligence Group (GTIG). In some cases, the alleged IT employees also install malware on company computers or steal internal data for which they demand a ransom. After this approach became increasingly well-known and therefore more difficult in the USA, the North Korean criminals expanded their scam to Europe.
Applicants use false identities and AI photos
The North Korean agents apply for the advertised IT jobs using false identities. They use fake CVs and sometimes invent former bosses, which they cite as references to increase their credibility. The alleged IT workers often use generative AI to create application photos, for example. According to the report, web and CMS development and the use of blockchain and AI technology are particularly common skills.
In one case, the security researchers identified an alleged worker who had applied for jobs in the USA and Europe using twelve different fake profiles. He was specifically looking for jobs in the defense industry and the public sector. The researchers also tracked down further cases in Germany and Portugal in which fake applicants used European job portals. They gave the USA, Italy, Japan, Malaysia or Singapore as their origin.
Private work computers facilitate attacks on companies
The cyber criminals also have intermediaries in Europe who support them in their job search. These intermediaries help to circumvent possible identity checks and receive salary payments. Alternatively, they can be paid in cryptocurrencies or via money transfer portals such as TransferWise or Payoneer, which they also use to disguise the transfer of salary to North Korea. The intermediaries also receive the laptops provided by the employers and connect them to the internet. The supposed IT staff then log into the devices from North Korea via VPN during working hours.
According to the GTIG report, cyber criminals are now deliberately targeting jobs where the use of private devices is permitted. There, they can access the company network via virtual machines. In contrast to company-owned devices, private laptops have no security and logging software, making it more difficult for companies to track the activities of supposed employees and detect threats. Furthermore, because no work laptop is shipped, a discrepancy between the applicant's registered address and a laptop delivery address cannot stand out.
Last year, the Federal Office for the Protection of the Constitution warned German companies about alleged IT employees from North Korea. It recommends conducting job interviews in person or by video call and verifying the identity of the applicant. Companies should also send devices only to the address stated on the ID and not pay salaries exclusively in cryptocurrencies.
(sfe)