“As pressure has increased in the US, we have seen these IT workers shift their focus to other countries where employers are less familiar with this scheme and they are likely to meet less scrutiny,” Hultquist said.
“These North Koreans are legitimately skilled people in many cases, and they’re good at their jobs. And they’re IT workers, so they’re getting access to the most sensitive systems by virtue of their job.
“Our concern is that this is about as serious as a threat gets, and it’s a looming threat for Australia. And we can already see evidence that they’re operating in Australia.”
Hultquist did not name the Australian businesses. He said local human resources executives should be on high alert for remote workers using fraudulent or AI-generated identity documents to apply for roles.
“With most cyber threats, the advice is to get a certain device or block IP addresses,” he said.
“This is not that type of threat. The HR group has to change the way they hire, and post-COVID, there’s an increasing number of remote employees, and those employees in some cases are not getting the same scrutiny that they’ve had in the past.
“They’re getting access to serious financial data, which puts them in a position to steal a lot of money, and they’re getting access to critical infrastructure, which leads to very real national security concerns.”
Australia’s Department of Foreign Affairs and Trade has issued an advisory alert about the issue, urging businesses to closely scrutinise identity verification documents for forgery, and conduct video interviews to verify a worker’s identity. The department said businesses that hire North Korean IT workers might be in breach of Australian government sanctions, which could lead to prison time for executives or heavy fines.
“DPRK IT workers deliberately obfuscate their identities, locations, and nationalities, typically using fake personas, proxy accounts, stolen identities and falsified or forged documentation to apply for jobs,” the department said.
“They target employers located in wealthier countries (including Australia), utilising a variety of mainstream and industry-specific freelance contracting, and social media and networking platforms.
“DPRK IT workers often take on projects that involve virtual currency. DPRK IT workers also use virtual currency exchanges and trading platforms to manage digital payments they receive for contract work as well as to launder these illicitly obtained funds back to the DPRK.”
Michael Barnhart, who heads Mandiant’s team tracking threats from North Korea, said that the “threat actors” have recently become more dangerous once they gain employment at Western organisations.
“We’re seeing IT workers follow through on releasing sensitive data of organisations they’ve infiltrated to pressure victims into paying exorbitant ransoms. They’re also demanding more cryptocurrency than they ever have before,” Barnhart said.
“We assess that the heightened media attention and ongoing government disruptions targeting their cyber operations this past year are forcing an escalation in their tactics.
“The latest indictments against key leaders of North Korea’s IT worker scheme represent an escalation from law enforcement agencies in disrupting these illicit operations … Revealing the individuals and calling out their locations also sends a message that they’re no longer anonymous pseudonyms in an unknown region.”