North Korean operatives have infiltrated hundreds of Fortune 500 companies – CyberScoop

SAN FRANCISCO — North Korean nationals have infiltrated the employee ranks at top global companies more so than previously thought, maintaining a pervasive and potentially widening threat against IT infrastructure and sensitive data.
“There are hundreds of Fortune 500 organizations that have hired these North Korean IT workers,” Mandiant Consulting CTO Charles Carmakal said Tuesday during a media briefing at the RSAC 2025 Conference.
“Literally every Fortune 500 company has at least dozens, if not hundreds, of applications for North Korean IT workers,” Carmakal said. “Nearly every CISO that I’ve spoken to about the North Korean IT worker problem has admitted they’ve hired at least one North Korean IT worker, if not a dozen or a few dozen.”
Google, which ranks eighth on the annual list of the top global companies by revenue, is caught up in this widespread threat, too.
North Korean technical workers have been detected in Google’s talent pipeline as job candidates and applicants, but none have been hired by the company to date, said Iain Mulholland, senior director of security engineering at Google Cloud.
Threat hunters, insider risk management firms and security analysts continue to raise the alarm about North Korean nationals gaining employment at major corporations, highlighting the expansive ecosystem of tools, infrastructure and specialized talent North Korea’s regime has established for this effort.
The latest warnings and intel from Mandiant and Google constitute an escalation of this threat. Insider risk management firm DTEX recently told CyberScoop that 7% of its customer base, representing a fair cross-section of the Fortune 2000, have been infiltrated by North Korean operatives working as full-time employees with privileged access.
The risk of North Korean nationals working for any large organization has moved from being a possibility to an outright assumption. “If you’re not seeing this, it’s because you’re not detecting it, not because it’s not happening to you,” Mulholland said.
“The way that we’ve watched them put IT workers in Fortune 500 companies has been astounding,” said Sandra Joyce, VP of Google Threat Intelligence.
For now, these specialized North Korean workers mostly earn money for the jobs they do and send their salaries back to Pyongyang.
Carmakal said he was baffled by this scheme a few years ago, because it appeared to be a relatively small amount of money in play. But the money earned by North Korea’s regime has accumulated over time and now has the potential to generate substantial revenue.
A thousand IT workers earning six-figure salaries that are funneled back to the North Korean government works out to $100 million a year, and many of these operatives are working multiple jobs at different organizations concurrently, Carmakal said.
“Most of this activity is generally a fundraising activity,” said John Hultquist, chief analyst at Google Threat Intelligence Group.
Yet, as more North Korean operatives gain employment for technical roles, the potential threat their access to critical systems presents has grown in kind.
“When they start getting rooted out, it can sort of break bad on you and then start breaking things,” Hultquist said. “We’ve already seen evidence of them doing that, especially when their jobs are essentially threatened.”
Pressure is coming in the form of lost wages. Many enterprises are now aware of the threat posed by North Korean IT workers, and companies are detecting and removing them from systems more quickly.
Mandiant observed a change in activity about six months ago, as North Korea shifted tactics and started extorting companies to supplement the wages it lost from outed employees.
These extortion scenarios, which represent “a very small percentage of cases,” took on a few forms, Carmakal said. Former employees have followed up with their supervisors, threatening to leak data they had access to during their time of employment if the company didn’t pay their signing bonus or the last month of their salary.
In other cases, new personas sent emails to victim organizations claiming to be a threat actor that had broken into their network and stolen data.
“As we looked at that sample of data that they took, we were able to tie that back to an investigation that we ran six months prior, and learned that that was the exact data that a suspected North Korean IT worker had taken from the company as part of their employment,” Carmakal said.
“The concern that we have is that there’s always the potential that at some point in time, these actors that have taken data as part of their employment may publish it on the internet,” Carmakal said. “We haven’t seen it happen yet, but that’s the fear that most of these organizations have today.”
Damage could potentially come in even more destabilizing forms, including outright disruption of critical services or infrastructure.
Mandiant has seen North Korea’s Reconnaissance General Bureau, which has been linked to previous destructive and disruptive attacks, using the same IP addresses as North Korean IT workers, Hultquist said.
“There’s various technical connections there, and so I think it’s a very real threat,” he said. “Any place they get, they’re essentially in-house. So they can easily hand it over to the intelligence services, if they’re not literally monitoring everything they did, which I think is very, very possible as well.”