Ireland's technology sector is being targeted by a North Korean government operation aimed at raising and extorting funds for its nuclear weapons programme, a senior threat intelligence analyst with Google has told Prime Time.
The operation involves North Korean IT workers using fake identities to gain employment as freelance remote developers or engineers in western tech companies, to gain access to company information and provide their earnings to North Korea.
Speaking to Prime Time, Google’s Threat Intelligence Group’s (GTIG) Chief Analyst, John Hultquist, said Ireland’s tech sector has become a "large target for these actors."
GTIG analyses and monitors global cybersecurity threats that might affect Google, and its customers.
In the past, the same North Korean operation has mainly targeted the technology sector in the US and Asia, but analysts have noted increasing activity in Europe.
Within Ireland’s tech sector, certain highly skilled jobs - like software developers and engineers - are considered by recruitment companies as some of the most difficult to staff.
North Korean workers use stolen or fake passports, CVs, and qualifications, to apply for such jobs online and get through the recruitment process.
In applying, the workers typically pose as EU citizens. Under EU and international sanctions, North Korean nationals are not allowed to work in Ireland.
Previous reports into the operation from elsewhere in the world noted that local facilitators have also been used to attend in-person interviews and meetings.
"We do know that they are already working with Irish companies, but we think we have to recognise that what we can see is really limited because these are covert operations," Mr Hultquist told Prime Time.
"The activity that we can validate and we've seen for certain so far in Ireland appears to be in the crypto sector, but that could only be the tip of the iceberg."
Mr Hulquist says the IT workers have "always been very interested in cryptocurrency projects" and that "they are really an insider threat for those projects."
"We think ultimately, in a lot of cases, they want to gain access to the information that might allow them to make a lot of money out of those projects," Mr Hultquist said.
The operation is just one of a range of schemes run by North Korea aimed at bringing money back to the regime.
"We know this money funds their weapons programmes and keeps the regime essentially alive. But it really works by fooling everyday companies into hiring North Korean workers," Mr Hultquist said.
According to a UN Security Council report released last year, the IT worker scheme generates an estimated $250m to $600m (€225 to €540m) annually for North Korea.
"They are taking jobs that are hard to fill and that organisations have a hard time recruiting for. They actually do have some very specific talents, or they can at least fake that they have those talents through an interview," Mr Hultquist said.
"These [workers] are not necessarily spies, but they're working alongside spies in the North Korean military intelligence," he added.
"I think any country who has not got an experience with this is somewhat of a soft target. It's not something that you would necessarily prepare for regularly as an enterprise, and not something that a lot of other countries have experience with."
"I think European governments and tech companies particularly, should be taking this very seriously," Mr Hulquist added.
How the scheme works
According to UN Security Council report from March 2024 and other government security reports, North Korean workers engaging in this scheme operate from places like Russia, China and elsewhere in Asia.
They pose as non-North Korean nationals working remotely to apply for jobs online in areas such as blockchain development, software engineering, and IT support.
To avoid being identified as North Korean they impersonate others using false identity documents, qualifications, utility bills, bank statements, and coding portfolios, some of which are generated through AI. They also use VPNs to mask their location.
Images within a 2024UN Security Council report show examples of multiple fake LinkedIn profiles for a senior iOS developer using the same alias, a fake GitHub profile, and a fake CV for a blockchain and python chatbot engineer.
"They're really an early adopter of AI, as far as the adversaries that we track," Mr Hultquist told Prime Time. "They are particularly using it to create fake identifications. So, they might take a real ID and then change the picture so that it looks like them."
According to one former North Korean IT worker cited in a UN Security Council report, the workers sometimes use local facilitators to consolidate their earnings into bank accounts in the facilitators’ names, after which the money is used to purchase items requested by the regime.
Local facilitators have also helped the workers procure false identities in the US.
Last year, in a case related to the North Korean scheme, prosecutors charged an American woman with stealing the "identities of American citizens to enable individuals based overseas to pose as domestic, remote IT workers."
According to another 2024 report, this one from the UK the Office of Financial Sanctions Implementation, part of the UK Treasury, local facilitators have also rented out their identities for profit.
This, the report says, involved completing email, phone and ID verification, providing laptops for workers to access remotely, or even attending interviews or meetings in person.
Once working within companies, the workers have had access to sensitive data and information.
The Google Threat Intelligence Group (GTIG) report published in recent weeks found incidents where recently fired IT workers threatened to release their former employers’ sensitive data to provide it to a competitor or to enable cyberattacks.
Last October, it was reported that an unnamed company based either in the US, UK or Australia was hacked after accidentally hiring a North Korean cyber criminal as a remote IT worker.
All of this means companies need much tighter background checks when people are hired, Mr Hulquist said.
"You're going to have to have security teams and HR teams working together to defend the enterprise to keep people from getting in."
As ultimately, these workers "are the ultimate insider threat," Mr Hulquist said. "We've seen them build in back doors. We've seen them attack the targets of the people that they've worked with. We've seen disruptive and destructive attacks after the fact on multiple occasions."
"So even though this could actually end up being a somewhat harmless scenario, there's a serious risk that you've let a North Korean spy into your organisation and they have access to your IT."
