Security Firm Accidentally Hires North Korean Hacker, Did Not KnowBe4

A security firm recently hired a software engineer for its internal AI team that turned out to be a North Korean threat actor, who immediately began loading malware to his company-issued workstation.

KnowBe4, which provides security awareness and training, conducted standard pre-hiring background checks for the employee and four separate video-conference interviews with him before his hiring, Stu Sjouwerman, KnowBe4's founder, shared in a blog post about the situation. The company also verified that the person interviewed was the same one in the photo sent in with a resume.

The checks came back clean and the candidate for the position ("principal software engineer") appeared credible and qualified, though later the company realized he was using a stolen identity and his photo was AI-enhanced.

Once the verification and hiring process was complete, KnowBe4 sent the new employee, who is referred to in KnowBe4's post as "XXXX," his Mac workstation, "and the moment it was received, it immediately started to load malware," Sjouwerman wrote.

"On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55pm EST," he detailed. "When these alerts came in, KnowBe4's security operations center (SOC) team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to the SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise."

What the employee was really doing, however, was performing various actions to manipulate session history files, transferring potentially harmful files, and executing unauthorized software using a Raspberry Pi. KnowBe4's SOC attempted to get him on a call to investigate further, but he said he was unavailable and "later became unresponsive." By 10:20am, the SOC had quarantined XXXX's device.

KnowBe4 shared the data it collected about the employee and his activities with cybersecurity firm Mandiant and the FBI, to corroborate the company's initial findings. The company eventually discovered that XXXX was a fake IT worker from North Korea, and an FBI investigation is still ongoing.

"It Can Happen to Anyone"

Sjouwerman stressed to customers that no data breach occurred due to the activity, as security tooling blocked the malware before it was executed. His aim in sharing what happened at his company is to provide "an organizational learning moment," he said.

"Do we have egg on our face? Yes," he wrote. "And I am sharing that lesson with you."

KnowBe4 grants new employees' accounts only limited permissions for proceeding through the new hire onboarding process and training, with access to only necessary apps such an an email inbox, Slack, and Zoom. This means that XXXX never had access to any customer data, KnowBe4's private networks, cloud infrastructure, code, or any KnowBe4 confidential information, Sjouwerman said.

"No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems," Sjouwerman wrote. However, "if it can happen to us, it can happen to almost anyone," he added.

Indeed, North Korean threat actors are notorious for engaging in successful cybercriminal activities by posing as credible IT workers. Last October, the Department of Justice warned that the freelance IT market was being flooded by operatives working on behalf of the North Korean government, urging caution to companies when hiring new workers. The department found that these workers are quietly directing their earnings to the government's sanctions-ridden nation's nuclear weapons program.

“Most of these individuals who attempt to obtain employment are not physically located in the US," Sjouwerman explained. "In order for them to conduct work, they require a US location for the equipment to be sent. There are small networks set up at drop locations where a US-based individual will turn on the received computers and configure them to be accessed remotely. The remote worker will then connect into the laptop farm network, and from there remote into the received device. This will cause security and access logs for that person to show up as being US-based and coming from the correct device.”

How Not to Hire a North Korean Hacker

KnowBe4 has made "several process changes" to hiring to help ensure any potential bad actor will be detected earlier, according to the post. In the US, for example, the company now will only ship new employee workstations to a nearby UPS shop and require a picture ID to obtain it.

Other process improvements that organizations can make are to ensure all background and reference checks are verified for inconsistencies and properly vetted; review and strengthen access controls and authentication processes; and conduct security awareness training for employees to stress social-engineering tactics used by threat actors.

The company also made recommendations so other organizations can avoid a similar scenario, including scanning remote devices for any suspicious access or activity; improving vetting and resume scanning for inconsistencies; and checking for red flags, like a laptop shipping address that's different from where the person is supposed to live and work.

Other red flags to look out for in potential employees include the use of VoIP numbers and/or lack of digital footprint for provided contact information, and any discrepancies in addresses, personal information, or date of birth across different sources. A remote employee's sophisticated use of VPNs or virtual machines should raise an alarm.