Cybersecurity Firm Mistakenly Hires North Korean Hacker, Faces Hack Attack

KnowBe4, a U.S.-based security awareness training company, recently discovered that it had inadvertently hired a North Korean fake IT worker for the role of Principal Software Engineer after the employee's newly issued computer became infected with malware.

In an incident report summary on insider threat published on Tuesday, Stu Sjouwerman, KnowBe4 CEO and President, said that the North Korean hacker posing as a software engineer was hired through a standard recruitment process for the company's AI division, which involved multiple interviews, background checks, and reference verifications.

"Our HR team conducted four video conference-based interviews on separate occasions, confirming the individual matched the photo provided on their application. Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The picture was AI 'enhanced'," Sjouwerman stated in the incident report summary.

Once everything was approved, the fake IT employee was hired and a Mac workstation was issued to him so that he could start work.

Shortly after the machine was received, a series of suspicious activities was detected on the new hire's workstation on July 15, 2024, beginning at 9:55 pm EST, triggering alerts to KnowBe4's InfoSec Security Operations Center (SOC) team.

When KnowBe4's SOC team reached out to the user to inquire about the irregular activity and its possible cause, the employee, identified as "XXXX", told the SOC that he was following steps to troubleshoot a speed issue with his router and that this may have caused a compromise.

When the SOC team attempted to contact him to get additional information, he was unavailable for a call and later became unresponsive. Sjouwerman said the company contained the infected Mac workstation at around 10:20 pm EST.

An internal investigation by KnowBe4's SOC team revealed that during the roughly 25-minute period, the threat actor had manipulated session history files, transferred potentially harmful files, and executed unauthorized software, including using a Raspberry Pi to load the malware.

After confiscating the machine, the company shared its data and findings with Mandiant, a leading global cybersecurity firm, and the FBI, and found out that the fake IT worker was actually a North Korean hacker.

"How this works is that the fake worker asks to get their workstation sent to an address that is basically an 'IT mule laptop farm'. They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in US daytime," Sjouwerman added.

"The scam is that they are actually doing the work, getting paid well, and giving a large amount to North Korea to fund their illegal programs. I don't have to tell you about the severe risk of this."

Despite the deception, Sjouwerman emphasized that no illegal access was gained and no data was lost, compromised, or exfiltrated from any KnowBe4 systems.

"The subject has demonstrated a high level of sophistication in creating a believable cover identity, exploiting weaknesses in the hiring and background check processes, and attempting to establish a foothold within the organization's systems," Sjouwerman said in a summary of the incident.

“This is a well-organized, state-sponsored, large criminal ring with extensive resources. The case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats. Left is the original stock picture. Right is the AI fake submitted to HR.”

To prevent these types of scams, Sjouwerman has provided a few tips for organizations, which include scanning internal remote devices, a robust vetting process, better resume scanning for career inconsistencies, conducting video interviews, and not relying on email references alone for new hires but also conducting more thorough background checks.
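As an added example (not KnowBe4's, Mandiant's or the author's code), the rule below turns the behaviours the investigation found on the new hire's workstation (history-file manipulation, inbound file transfer, unauthorized execution, an unexpected attached device) and the night-shift pattern of the laptop-farm scheme into a simple correlation check over endpoint events, the kind of scan of internal remote devices the tips recommend. The event tags, thresholds and sample log lines are constructed assumptions, not KnowBe4's telemetry or detection rules.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Assumed thresholds (constructed for this example, not KnowBe4's own detection rules).
EASTERN = timezone(timedelta(hours=-4))  # US Eastern in July (UTC-4), the incident's time zone
WINDOW = timedelta(minutes=25)           # dwell time reported between first alert and containment
MIN_DISTINCT = 3                         # distinct suspicious behaviours needed to raise an alert
AFTER_HOURS = (21, 6)                    # local activity from 21:00 to 06:00 counts as off-hours

# Constructed event tags for the behaviours the report names: history-file manipulation,
# transfer of harmful files, unauthorized execution, and an unexpected device (Raspberry Pi).
SUSPICIOUS = {"HISTORY_TAMPER", "FILE_TRANSFER_IN", "UNAUTHORIZED_EXEC", "NEW_DEVICE"}
# Constructed sample log lines, not real telemetry: "<UTC timestamp> <host> <event> <detail>".
SAMPLE_LOG = """\
2024-07-16T01:55:12Z newhire-mac HISTORY_TAMPER /Users/xxxx/.zsh_history truncated
2024-07-16T01:57:40Z newhire-mac NEW_DEVICE usb vendor=raspberry-pi
2024-07-16T02:03:05Z newhire-mac UNAUTHORIZED_EXEC /tmp/.tools/update unsigned
2024-07-16T02:10:00Z newhire-mac FILE_TRANSFER_IN /tmp/.tools/payload.bin
2024-07-15T18:30:00Z dev-mac-07 UNAUTHORIZED_EXEC /opt/homebrew/bin/newtool unsigned
2024-07-15T19:05:00Z dev-mac-07 FILE_TRANSFER_IN /Users/dev/Downloads/x.dmg
"""

def parse(line):
    # Split one log line into (aware UTC datetime, host, event, detail).
    ts, host, event, detail = line.split(maxsplit=3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, host, event, detail

def is_after_hours(when):
    """True if the event's local Eastern hour falls inside the AFTER_HOURS range."""
    hour = when.astimezone(EASTERN).hour
    return hour >= AFTER_HOURS[0] or hour < AFTER_HOURS[1]

def find_alerts(log):
    """{host: sorted distinct events} for hosts with MIN_DISTINCT behaviours in one WINDOW, all after hours."""
    by_host = defaultdict(list)
    for line in log.strip().splitlines():
        when, host, event, _detail = parse(line)
        if event in SUSPICIOUS:
            by_host[host].append((when, event))
    alerts = {}
    for host, events in by_host.items():
        events.sort()                      # chronological, so each burst is a contiguous run
        for i, (start, _) in enumerate(events):
            burst = [(t, e) for t, e in events[i:] if t - start <= WINDOW]
            kinds = {e for _, e in burst}
            if len(kinds) >= MIN_DISTINCT and all(is_after_hours(t) for t, _ in burst):
                alerts[host] = sorted(kinds)
                break
    return alerts
```

On the sample data only the new hire's host is flagged: four distinct behaviours inside fifteen minutes, all between 9:55 pm and 10:10 pm Eastern, while the daytime developer host with two spaced-out events is not.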

Kavita Iyer, https://www.techworm.net