North Korea deploying fake IT workers and hackers to target UK firms, cryptocurrency, and defence data, spy chief warns

3 December 2024, 08:53

The NCSC also believes that UK firms are almost certainly being targeted by workers from North Korea "disguised as freelance third-country IT staff to generate revenue for the DPRK regime".
The NCSC also believes that UK firms are almost certainly being targeted by workers from North Korea "disguised as freelance third-country IT staff to generate revenue for the DPRK regime". Picture: Alamy
EJ Ward

By EJ Ward

The National Cyber Security Centre (NCSC) has issued a stark warning to UK businesses about the covert activities of North Korean workers posing as freelance IT professionals.

Listen to this article

Loading audio...

These operatives, disguised as contractors from third countries, are reportedly exploiting remote working opportunities to infiltrate companies, generate revenue for the North Korean regime, and, in some cases, compromise corporate security.

In his first major speech, Richard Horne, head of GCHQ's National Cyber Security Centre (NCSC), will say North Korean hackers were targeting cryptocurrency to raise revenue and attempting to steal defence data to improve Pyongyang's internal security and military capabilities.

The NCSC also believes that UK firms are almost certainly being targeted by workers from North Korea "disguised as freelance third-country IT staff to generate revenue for the DPRK regime".

The NCSC’s alert highlights a sophisticated strategy by the Democratic People’s Republic of Korea (DPRK) to evade international sanctions. By embedding IT workers under false identities in Western firms, the regime not only garners much-needed funds but also gains potential access to sensitive data.

This development is an escalation in the tactics employed by North Korea to bolster its economy and support its controversial military programmes.

Read more:UK must confront Russia's 'aggression and recklessness' and China’s sophisticated cyber threats, warns GCHQ chief

Read more: North Korea deepens alliance with Russia, trading troop support for advanced weapons technology to fuel nuclear programme

Cyber researchers at Mandiant uncovered this fake IT worker profile
Cyber researchers at Mandiant uncovered this fake IT worker profile. Picture: Mandiant

In a briefing, HM Treasury’s Office of Financial Sanctions Implementation (OFSI) underscored the seriousness of the issue. It is "almost certain" that UK companies are being targeted by these operatives, who use online freelance platforms to secure roles.

Often working through witting or unwitting enablers, these individuals obscure their true origins with fake credentials, aliases, and proxies.

Funds earned from these contracts are funnelled through complex laundering networks, sometimes involving cryptocurrencies, to evade detection.

The Treasury’s warning also emphasised the legal risks for UK firms. Employing or paying DPRK-linked workers could inadvertently breach financial sanctions, exposing businesses to civil penalties or even criminal charges.

While the primary motive has been financial, recent cases indicate a troubling shift. North Korean operatives have begun leveraging their access to launch cyberattacks.

In one high-profile incident, a UK-based firm unknowingly hired a North Korean contractor who later exfiltrated sensitive company data and issued a six-figure ransom demand in cryptocurrency.

“This is a serious escalation,” said Rafe Pilling, Director of Threat Intelligence at Secureworks. "No longer are they just after a steady pay check, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defences."

The arm of GCHQ warns North Korean hackers were targeting cryptocurrency to raise revenue and attempting to steal defence data to improve Pyongyang's internal security and military capabilities.
The arm of GCHQ warns North Korean hackers were targeting cryptocurrency to raise revenue and attempting to steal defence data to improve Pyongyang's internal security and military capabilities. Picture: Alamy

The activities of these IT workers are part of a broader strategy by North Korea to raise funds and enhance its cyber capabilities. The regime’s hacking groups, such as the notorious Lazarus Group, have already been implicated in high-profile cybercrimes, including cryptocurrency thefts and attempts to steal defence secrets.

The NCSC also flagged Iran’s developing cyber capabilities as a growing concern, though North Korea’s activities remain a primary focus due to their link to weapons proliferation and military advancements.

This issue is not isolated to the UK. Authorities in the US and South Korea have also reported similar infiltration attempts, with some Fortune 100 companies unwittingly hiring North Korean operatives.

More Latest News

See more More Latest News

Donald Trump has ordered the release of the last classified files surrounding the assassination of John F. Kennedy on Thursday, vowing that ‘everything will be revealed’.

JFK's grandson slams Trump after president orders assassination files to be made public

President Donald Trump (C) receives the Order of Abdulaziz al-Saud medal from Saudi Arabia's King Salman bin Abdulaziz al-Saud

Trump demands $1 trillion investment and a reduction in oil prices from Saudi Arabia

Storm Eowyn is battering the UK today.

Trains axed and schools shut amid 'extreme and real' threat as Storm Eowyn blasts Britain with 108mph hurricane winds

Paul Antony Butler, 53, was located and arrested in the Liskeard area of Cornwall, which is around 20 miles from Plymouth.

'Armed and dangerous’ man, 53, arrested on suspicion of murder after death of woman in Plymouth

The Met Office issued a red weather warning for wind across parts of Scotland and Northern Ireland on Friday.

Storm Eowyn hits UK: Full list of closures as Brits hit with 100mph winds and 'danger to life' warning issued

The Nashville school shooter is thought to have written a large manifesto in which he praises the work of Hitler and the Nazis, as well as American pro-Trump conservative commentator Candace Owens.

Nashville school shooter, 17, was inspired by Hitler and Candace Owens according to 'manifesto'

A deal worth around £9 billion has been struck with Rolls-Royce by the Government to help power Britain's nuclear submarines.

Rolls Royce handed £9 billion defence contract to power Britain’s nuclear submarines

Donald Trump has sent 1,500 additional troops to the US-Mexico border with plans to increase the US military presence to 10,000 troops in a severe immigration crackdown.

Trump sends 1,500 troops to Mexican border with plans to up army presence to 10,000 in immigration crackdown

Oliver White took his own life "as a direct result" of the robbery.

Luxury watch store manager who took his own life 'offered life savings' to bosses after £1.4m raid, court told

Donald Trump has ordered the release of the last classified files surrounding the assassination of John F. Kennedy on Thursday, vowing that ‘everything will be revealed’.

'All will be revealed': Trump orders last JFK assassination files to be released

Southport killer Axel Rudakubana is a 'young psychopath' - but the sentencing rules are right, says ex-attorney general

Southport killer Axel Rudakubana is a 'young psychopath' - but the sentencing rules are right, says ex-attorney general

Exclusive
MPs from Reform UK have called for a debate on the death penalty for criminals like Rudakubana following the killer’s sentencing hearing.

Reform MPs call for death penalty debate and CPS chief to be sacked after Southport killer jailed for 52 years

President Donald Trump signs an executive order

Trump's 'blatantly unconstitutional' order to end automatic birthright citizenship blocked by judge

Millions have received an emergency alert to their mobile phones after the Met Office issued a red danger to life warning for wind

Millions receive emergency alert after Met Office issues red danger to life warning for wind ahead of Storm Eowyn

Axel Rudakubana

'What punishment is enough?' Andrew Marr reflects on 52-year sentence of 'girl hating sadist' Axel Rudakubana

This is the moment the Southport killer's father tried to stop him going to his old school

Moment Southport killer's dad stops him going to old school after buying knives - a week before dance class murders