'Many of the remedies are in the hands of the HR department, which usually has very little experience dealing with a covert state adversary'
British employers are being warned to verify IT job applicants through video or face-to-face interviews to avoid unknowingly employing North Korean agents, according to a Guardian report based on new findings from Google’s intelligence team.
The fraudulent hiring tactic, which targets remote IT positions, is part of an elaborate scheme by operatives from the Democratic People’s Republic of Korea (DPRK).
These workers impersonate legitimate candidates to secure jobs in Western firms, using the income to fund Kim Jong-un’s authoritarian regime.
Google’s Threat Intelligence group disclosed that one operative had assumed at least a dozen false identities across Europe and the US. The case involved attempts to infiltrate sensitive sectors such as defence and government.
A concerning twist to the scam is the new tactic of extortion. “Bogus IT professionals have been threatening to release sensitive company data after being fired,” the Guardian reported, highlighting the expanding threat landscape.
John Hultquist, chief analyst at Google’s Threat Intelligence group, said that North Korea’s focus had shifted to the UK and broader Europe due to increased resistance to the tactic in the United States.
“North Korea is facing pressure in the US and it is particularly focused on the UK for extending its IT worker tactic. It is in the UK where you can see the most extensive operations in Europe,” he explained.
The fraudulent workers do not act alone. According to the Guardian, the scheme often involves “facilitators” — individuals physically present in the employer’s country. These accomplices assist by providing counterfeit passports and establishing local addresses to which company-issued laptops can be delivered.
Once received, the devices are accessed remotely by individuals connected to Pyongyang, often based in entirely different regions. Moreover, companies that allow “bring your own device” (BYOD) practices are especially vulnerable, as it becomes harder to trace or control the hardware used.
“The bottom line is their operations have a physical presence in the UK, which is the most important step to grow across multiple sectors in the country,” Hultquist added.
Google’s Hultquist emphasized that basic verification procedures — such as video interviews — could significantly hamper North Korea’s ability to deceive hiring managers.
“Many of the remedies are in the hands of the HR department, which usually has very little experience dealing with a covert state adversary,” he said. “If you want to you’ve got to use background checks, do a better job checking physical identities, and ensuring the person you’re talking to is who they claim to be. This scheme usually breaks down when the actor is asked to go on camera or come into the office for an interview.”
Sarah Kern, a North Korea expert with cybersecurity firm Secureworks, echoed the sentiment. She told the Guardian that many businesses remain unaware of the scheme’s prevalence and urged British companies to step up candidate verification and HR training.
“In the US, it has also been fruitful to conduct in-person interviews, or at the very least video interviews, and checking that you’re talking to who was actually advertised on the résumé,” she said.
Common indicators that an IT worker might be a fraud include erratic address changes and the use of non-traditional payment methods, such as money transfer services instead of bank accounts, Kern explained.
Online freelancing platforms such as Upwork and Freelancer are reportedly being used to source unsuspecting companies. A spokesperson for Upwork told the Guardian that the use of false identities is “a strict violation of our terms of use” and that the company takes “aggressive action to … remove bad actors from our platform.”
Kern added that many of the impersonators avoid video calls altogether.
“We observed that they were very avoidant of video interviews because often they’re located in a working centre where there’s a lot of these North Korean IT workers working from one small room,” she said. “They wouldn’t want to show their video, or it sounded like they’re in a call centre, but with no actual reason as to why.”
