North Korea’s Expanding IT Threat: NZ And Other Nations In The Crosshairs
North Korea’s cyber operations continue to evolve, with Google’s Threat Intelligence Group (GTIG) reporting a sharp increase in IT worker activity on a global scale. While previous investigations largely centred on U.S. operations, new findings confirm that the problem has now expanded to Australia, New Zealand, and many other regions worldwide.
A Growing Global Threat
DPRK IT workers' activity across multiple countries now establishes them as a global threat. The United States remains a key target, but in recent months these workers have found it harder to secure and keep employment there: increased awareness, U.S. Department of Justice indictments, and right-to-work verification hurdles have pushed them to expand their operations globally, with a notable focus on Europe.
Targeting Defence and Government Sectors
In late 2024, GTIG identified a North Korean IT worker operating under at least 12 fabricated identities across Europe and the U.S. This individual successfully sought employment within defence industrial bases and European government entities, a concerning expansion of Pyongyang’s cyber-infiltration strategy. Additionally, separate investigations uncovered IT worker personas seeking employment in Germany and Portugal, alongside login credentials for European job sites and human capital management platforms.
Diverse IT Projects in Europe
GTIG has also observed a diverse portfolio of projects undertaken by DPRK IT workers in the United Kingdom, spanning web development, bot development, CMS development, and blockchain technology. Specific projects identified include:
- Development of a Nodexa token hosting platform using Next.js, React, CosmosSDK, and Golang.
- Creation of a job marketplace using Next.js, Tailwind CSS, MongoDB, and Node.js.
- Blockchain-related projects involving Solana and Anchor/Rust smart contract development.
- AI web applications leveraging Electron, AI, and blockchain technologies.
- Contributions to existing websites using Next.js and Tailwind CSS.
DPRK IT workers were recruited through platforms such as Upwork, Telegram, and Freelancer. Payments were made via cryptocurrency, TransferWise, and Payoneer, further obfuscating financial trails.
Facilitators Enabling European Operations
Facilitators who assist DPRK IT workers in obtaining jobs, bypassing identity verification, and receiving fraudulent payments have also been identified in Europe. One case involved a DPRK IT worker using facilitators based in the U.S. and the U.K. Notably, a corporate laptop meant for a New York-based employee was found to be operational in London, suggesting a complex logistical network.
Further investigation revealed fabricated personas with resumes listing degrees from Belgrade University in Serbia and addresses in Slovakia. Instructions for navigating European job sites and contact details for a broker dealing in false passports were also uncovered.
Escalating Extortion Efforts
Since October 2024, North Korean IT workers have increasingly resorted to extortion. Recently dismissed workers have threatened to leak proprietary data and source code to competitors. Initially targeting smaller businesses, these cyber actors are now shifting focus to larger enterprises with higher ransom demands.
The increase in extortion coincides with heightened U.S. law enforcement actions against DPRK IT workers, including disruptions and indictments. Previously, these workers attempted to re-enter the same companies under different personas, but recent terminations appear to be linked to identity exposure, making re-entry impossible. As a result, extortion tactics have become more aggressive.
The Virtual Workspace: BYOD Risks
To mitigate security risks, some companies avoid distributing corporate laptops and instead adopt a Bring Your Own Device (BYOD) policy, allowing employees to access systems via virtual machines. However, personal devices under BYOD policies often lack traditional security and logging tools, making malicious activity harder to track.
GTIG believes DPRK IT workers have identified BYOD environments as vulnerable targets, and in early 2025, new reports confirm their active exploitation of such setups.
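The two detection gaps described above, the corporate laptop that was issued to a "New York-based employee" but ran from London, and BYOD hosts that reach the virtual workspace without any endpoint logging, can both be caught at the remote-access gateway if session telemetry is joined with HR data. The script below is an added example, not GTIG's tooling and not code from the report; the session records are constructed, and the field names (`user`, `src_ip`, `geo`, `device_id`, `has_edr`, `hr_country`) and the threshold of two accounts per device are assumptions you would map onto what your own VPN/VDI gateway and HR system export.

```python
"""Triage VDI/VPN session records for DPRK-IT-worker-style anomalies.

Added example; not GTIG code. Three heuristics, each an assumption about
what the telemetry looks like rather than anything stated in the report:
  1. session country differs from the country HR has on file,
  2. one device fingerprint (or source IP) serves several accounts,
     the shape a facilitator-run laptop farm takes from the gateway,
  3. a BYOD host reaches the VDI with no EDR/logging agent reporting.
"""
from collections import defaultdict

# Constructed sample sessions (not real telemetry).
SESSIONS = [
    {"user": "alice", "src_ip": "203.0.113.10", "geo": "US", "device_id": "dev-a1", "has_edr": True,  "hr_country": "US"},
    {"user": "bob",   "src_ip": "198.51.100.7", "geo": "GB", "device_id": "dev-b7", "has_edr": True,  "hr_country": "US"},
    {"user": "carol", "src_ip": "192.0.2.44",   "geo": "GB", "device_id": "dev-x9", "has_edr": False, "hr_country": "GB"},
    {"user": "dave",  "src_ip": "192.0.2.44",   "geo": "GB", "device_id": "dev-x9", "has_edr": False, "hr_country": "GB"},
    {"user": "erin",  "src_ip": "192.0.2.44",   "geo": "GB", "device_id": "dev-x9", "has_edr": False, "hr_country": "GB"},
]

# Assumed threshold: one host presenting two or more identities is worth a look.
MIN_SHARED_USERS = 2


def geo_mismatches(sessions):
    """Users whose session geolocation contradicts the HR-recorded country."""
    return sorted({s["user"] for s in sessions if s["geo"] != s["hr_country"]})


def shared_by(sessions, key="device_id", min_users=MIN_SHARED_USERS):
    """Values of `key` (device fingerprint or source IP) seen with several distinct accounts."""
    accounts = defaultdict(set)
    for s in sessions:
        accounts[s[key]].add(s["user"])
    return {k: sorted(users) for k, users in accounts.items() if len(users) >= min_users}


def unmanaged_hosts(sessions):
    """Device IDs that reached the virtual workspace with no EDR/logging agent."""
    return sorted({s["device_id"] for s in sessions if not s["has_edr"]})


def triage(sessions):
    """Run all three heuristics and return a flat list of alert tuples."""
    alerts = [("GEO_MISMATCH", user) for user in geo_mismatches(sessions)]
    alerts += [("SHARED_DEVICE", dev, tuple(users)) for dev, users in shared_by(sessions).items()]
    alerts += [("UNMANAGED_HOST", dev) for dev in unmanaged_hosts(sessions)]
    return alerts


if __name__ == "__main__":
    for alert in triage(SESSIONS):
        print(alert)
```

Each heuristic on its own produces noise (travelling staff, shared jump hosts, a lagging EDR rollout); the value is in the join. An account that trips the geo check from a host that also serves other accounts and reports no agent is the pattern the section describes, and that combination is what a SOC rule should key on rather than any single field.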
An Evolving Threat to APAC
Dr Jamie Collier, Lead Threat Intelligence Advisor for Europe at GTIG, warns that North Korea’s cyber tactics have been evolving for over a decade, spanning SWIFT financial fraud, ransomware attacks, cryptocurrency theft, and supply chain compromises. “Given DPRK IT workers' operational success, North Korea will likely broaden its global reach. With APAC already impacted by these operations, this problem is set to escalate. These campaigns thrive on ignorance and will likely enjoy particular success in areas of APAC with less awareness of the threat.”
Conclusion
Global expansion, evolving extortion tactics, and the exploitation of virtual work environments highlight the adaptability of DPRK IT workers. In response to heightened awareness in the United States, these actors have built a worldwide network of fraudulent personas, facilitators, and deceptive recruitment practices. The presence of facilitators in the UK further signals the rapid formation of a global infrastructure supporting their operations.
With Australia and New Zealand now in the crosshairs, security professionals must adopt proactive detection measures to counteract this persistent cyber menace before it escalates further.