North Korea deploying fake IT workers and hackers to target UK firms, cryptocurrency, and defence data, spy chief warns

3 December 2024, 08:53

The NCSC also believes that UK firms are almost certainly being targeted by workers from North Korea "disguised as freelance third-country IT staff to generate revenue for the DPRK regime".
The NCSC also believes that UK firms are almost certainly being targeted by workers from North Korea "disguised as freelance third-country IT staff to generate revenue for the DPRK regime". Picture: Alamy
EJ Ward

By EJ Ward

The National Cyber Security Centre (NCSC) has issued a stark warning to UK businesses about the covert activities of North Korean workers posing as freelance IT professionals.

Listen to this article

Loading audio...

These operatives, disguised as contractors from third countries, are reportedly exploiting remote working opportunities to infiltrate companies, generate revenue for the North Korean regime, and, in some cases, compromise corporate security.

In his first major speech, Richard Horne, head of GCHQ's National Cyber Security Centre (NCSC), will say North Korean hackers were targeting cryptocurrency to raise revenue and attempting to steal defence data to improve Pyongyang's internal security and military capabilities.

The NCSC also believes that UK firms are almost certainly being targeted by workers from North Korea "disguised as freelance third-country IT staff to generate revenue for the DPRK regime".

The NCSC’s alert highlights a sophisticated strategy by the Democratic People’s Republic of Korea (DPRK) to evade international sanctions. By embedding IT workers under false identities in Western firms, the regime not only garners much-needed funds but also gains potential access to sensitive data.

This development is an escalation in the tactics employed by North Korea to bolster its economy and support its controversial military programmes.

Read more:UK must confront Russia's 'aggression and recklessness' and China’s sophisticated cyber threats, warns GCHQ chief

Read more: North Korea deepens alliance with Russia, trading troop support for advanced weapons technology to fuel nuclear programme

Cyber researchers at Mandiant uncovered this fake IT worker profile
Cyber researchers at Mandiant uncovered this fake IT worker profile. Picture: Mandiant

In a briefing, HM Treasury’s Office of Financial Sanctions Implementation (OFSI) underscored the seriousness of the issue. It is "almost certain" that UK companies are being targeted by these operatives, who use online freelance platforms to secure roles.

Often working through witting or unwitting enablers, these individuals obscure their true origins with fake credentials, aliases, and proxies.

Funds earned from these contracts are funnelled through complex laundering networks, sometimes involving cryptocurrencies, to evade detection.

The Treasury’s warning also emphasised the legal risks for UK firms. Employing or paying DPRK-linked workers could inadvertently breach financial sanctions, exposing businesses to civil penalties or even criminal charges.

While the primary motive has been financial, recent cases indicate a troubling shift. North Korean operatives have begun leveraging their access to launch cyberattacks.

In one high-profile incident, a UK-based firm unknowingly hired a North Korean contractor who later exfiltrated sensitive company data and issued a six-figure ransom demand in cryptocurrency.

“This is a serious escalation,” said Rafe Pilling, Director of Threat Intelligence at Secureworks. "No longer are they just after a steady pay check, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defences."

The arm of GCHQ warns North Korean hackers were targeting cryptocurrency to raise revenue and attempting to steal defence data to improve Pyongyang's internal security and military capabilities.
The arm of GCHQ warns North Korean hackers were targeting cryptocurrency to raise revenue and attempting to steal defence data to improve Pyongyang's internal security and military capabilities. Picture: Alamy

The activities of these IT workers are part of a broader strategy by North Korea to raise funds and enhance its cyber capabilities. The regime’s hacking groups, such as the notorious Lazarus Group, have already been implicated in high-profile cybercrimes, including cryptocurrency thefts and attempts to steal defence secrets.

The NCSC also flagged Iran’s developing cyber capabilities as a growing concern, though North Korea’s activities remain a primary focus due to their link to weapons proliferation and military advancements.

This issue is not isolated to the UK. Authorities in the US and South Korea have also reported similar infiltration attempts, with some Fortune 100 companies unwittingly hiring North Korean operatives.

More Latest News

See more More Latest News

The body of Yair Yaakov, 59, has reportedly been recovered.

Two more hostages recovered by Israeli forces in Gaza, Netanyahu says

There were reports of vehicles being damaged and burned out, stolen cars, motorbikes being used and bricks thrown at officers amid the disorder, Greater Manchester Police said.

Girl, 16, charged with assaulting an emergency worker in Salford after ‘60 masked youths’ clash with police

The affected products include the Jolly Rancher Hard Candy, “Misfits” Gummies, Hard Candy Fruity 2 in 1, and Berry Gummies, the FSA said.

'Don't eat them': Brits told to avoid popular American sweets linked to cancer amid 'toxicological concern'

A woman has been arrested after a four-year-old boy was found dead in Dunholme End.

Boy, 4, found dead inside Maidenhead home as police arrest woman on suspicion of murder

Exclusive
Caz Holbrook, 54, said 2023 was a "very stressful" year after her landlord evicted her and her 15-year-old son from their home in Ross-on-Wye, Herefordshire

I was evicted after Liz Truss's budget tanked the economy – my son and I ended up in a beetle-infested flat

St Michael's Church, Mytholmroyd

Village church ordered to silence 'cherished' chiming bells after residents' complaints spark huge row

The Bridgerton actress said she has been left with a concussion and "on edge" - and the incident traumatised her dog.

Bridgerton actress Genevieve Chenneour left 'traumatised' after fighting off phone thief who threatened to 'stab' her

Shopper walking through the aisle of a supermarket.

Deadly disease outbreak linked to 'contaminated' UK supermarket item

Demonstrators gathered outside Stoke Newington Police Station in protest against police in schools, after it emerged that a 15-year-old Black girl ('Child Q') was strip-searched by police at a Hackney school, which is thought to be racially motivated.

Officer who strip-searched black schoolgirl while she was on her period admits failings but denies racist motivation

Thomas Tuchel, Head Coach of England

My mum finds Jude Bellingham’s on-field antics repulsive, says Thomas Tuchel

The jury found him not guilty of an additional sexual assault charge and have not yet returned a verdict on a charge of rape.

Harvey Weinstein found guilty in New York sexual assault retrial but acquitted on second charge

A fire broke out at a leisure centre in a town near Ballymena amid ongoing riots.

Masked thugs set leisure centre on fire as residents fear for their life in Ballymena

Brian Wilson performs Pet Sounds at the Pantages Theatre on May 26, 2017 in Los Angeles, California.

Legendary Beach Boys co-founder and primary songwriter Brian Wilson dies aged 82

England head coach Thomas Tuchel.

'I'm in the right place': Thomas Tuchel wants to extend England head coach job until Euro 2028

The Lower Broughton Road in Salford.

Rioting erupts and 16-year-old girl arrested in Salford as ‘60 masked youths’ clash with police and 'set fire to car'

Katie Boulter and Emma Raducanu following their doubles match defeat to Lyudmyla Kichenok and Erin Routliffe on day three of the HSBC Championships at The Queen's Club, London

Emma Raducanu and Katie Boulter beaten in the doubles at Queens