Countries affected by cyber attacks from North Korean IT personnel. /Courtesy of Google Cloud

On the 2nd, the Google Threat Intelligence Group stated that cyber threat activities utilizing North Korean IT personnel have significantly increased beyond the United States, particularly in Europe.

According to Google, as regulations on North Korean IT personnel have tightened in the United States, their activities have spread to the global market, including Europe. They are attempting to gain employment in the defense industry and government agencies using forged identities and manipulated references, with activities in Europe being particularly pronounced. In one case, it was revealed that a single North Korean IT worker used more than 12 forged identities to operate throughout Europe and the United States.

Another group accessed job sites and platforms in Germany and Portugal using login credentials, and in the United Kingdom, various projects including web development, blockchain technology, and artificial intelligence (AI) application development have been detected. This shows that the range of skills possessed by North Korean IT personnel is very broad.

North Korean IT personnel are disguising themselves with various nationalities including Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam, and are active through online platforms such as Upwork, Telegram, and Freelancer. Their wages are delivered via cryptocurrency or TransferWise and Payoneer, making it difficult to trace the flow of funds.

In particular, since October 2024, attempts at extortion and cyber attacks by North Korean IT personnel have significantly increased. This coincides with the strengthening of U.S. sanctions and regulations and is interpreted as an effort to maintain revenue through cyber attacks. In environments where access to corporate systems via personal laptops is permitted due to Bring Your Own Device (BYOD) policies, these threats may become even more severe.

Jamie Collier, senior consultant for the Google Threat Intelligence Group in Europe, noted that "North Korea has executed various cyber threats over the past decade, including SWIFT attacks, ransomware, cryptocurrency theft, and supply chain attacks," adding that "their evolution shows that efforts to finance the regime through cyber attacks are ongoing."

He further added, "Given that North Korean IT personnel's operations have been repeatedly successful, there is a significant possibility that their scope of activities will expand further. The Asia-Pacific region is already no exception, and areas with lower threat awareness may suffer larger damages."