Security Firm's North Korean Hacker Hire Not an Isolated Incident

What happened to KnowBe4 also has happened to many other organizations, and it's still a risk for companies of all sizes due to a sophisticated network of government-sponsored fake employees.

6 Min Read
North Korean flag as the key on a computer keyboard
Source: DD Images via Shutterstock

A postmortem on the accidental hiring of a North Korean threat actor at a security firm reveals a sophisticated, industrial-like network of fake IT workers carefully groomed to fool US companies into giving them employment for the financial gain of the North Korean government.

In July, security awareness training firm KnowBe4 was transparent in revealing how a software engineer the company hired turned out to be a North Korean threat actor who immediately began loading malware onto his company-issued workstation.

Though administrators managed to detect and shut down the malicious operation before any harm was done, the incident served as a wake-up call about the sophistication of a North Korean state-sponsored program that sends operatives posing as credible IT workers out into the workforce.

Within weeks of the company's public revelation, KnowBe4 heard from more than a dozen other organizations that had similar stories of either hiring or being solicited for work by North Korean actors, the company revealed in a white paper (PDF) released this week.

Companies from the size of Fortune 500 organizations to small businesses with only 12 employees accidentally hired North Korean fake employees, with organizations with largely remote workforces being at the highest risk.

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

"It turns out that the North Korean fake employee problem is a complex, industrial, scaled nation-state operation, and it is likely that thousands of organizations around the world have or are now involved in accidentally hiring North Korean fake employees," Roger Grimes, KnowBe4 data-driven defense evangelist, wrote in the report.

Anatomy of a State-Sponsored Fake Employee Program

The fact that the fake worker scheme is much more widespread than initially believed and that the people taking part in them are "exceptionally skilled" are the greatest lessons learned from KnowBe4's experience, Erich Kron, security awareness advocate at KnowBe4, tells Dark Reading.

"The ability to pass background checks, combined with the willingness and ability to interview on several Zoom calls is indicative of just how polished their program is," he says. "They seem to have processes in place that work exceptionally well on organizations both large and small."

The program takes advantage of a cultural shift in employment among US organizations over the past several years that has made companies more susceptible to placing workers with malicious intent in legitimate positions, Kron says.

This shift is a combination of organizations embracing the remote-work model, and the modern interest in hiring people from around the globe based on their knowledge and abilities rather than geographical location, he says.

Related:Small US Cyber Agencies Are Underfunded & That's a Problem

"This is extremely challenging when many of the best candidates and people knowledgeable with cutting-edge technology are not US-born and may have strong accents that may have been a barrier to hiring in the past," Kron says. "Multicultural workforces are not only common in the modern business world but are critical if organizations wish to hire the top talent in their fields."

A Look Behind the Curtain

KnowBe4 learned much about how the various aspects of the North Korean program operate in the wake of the company's own incident. The company discovered that the chief goal of this program is financial gain, though operatives also to a lesser extent engage in cyber espionage and even corporate sabotage activities, once joining an organization.

Overall, there are four parts that are integral to making the fake employee scheme work: North Korean-based program leaders; North Korean employees and managers based in other countries; non-Korean scheme assisters that are usually based in the country where the job is located; and infrastructure to assist with accepting payments, generating fake identities or stealing real identities, creating fake employee websites and projects, giving references, money laundering, document forgery services, and other supporting activities.

Related:Russian Ransomware Gangs on the Hunt for Pen Testers

The employees are often skilled IT workers and developers trained at North Korean universities, and are usually located in foreign countries, such as China, in shared living spaces and workspaces. They usually work in busy call-center-like spaces; in fact, organizations that interviewed or hired these fake employees often noted the noisy background, Grimes observed.

KnowBe4 described the employees ensnared in the program as themselves unfortunate victims of a type of human trafficking. They receive very little of the earned revenue, with most of it benefiting the North Korean government. Moreover, close family members stay back in North Korea "to be used as personal leverage to force the employee to toil long hours for very little wages," Grimes wrote.

How to Spot a North Korean Fake Employee

KnowBe4 offered substantial guidance for organizations during the hiring process to help them spot a North Korean threat actor before taking that person on board, as well offered after-hiring advice in case an operative makes it onto an IT team.

Some characteristics and behaviors in a candidate to look out for include the person being of Asian decent who is not highly skilled in English, though he or she claims to have always lived in the US. The person will be using a fake identity, a fake ID credential, and a fake work history that will all fail an secondary verification.

The candidate also will supply personal websites, profiles, or GitHub sites that seem overly basic, "often saying something and nothing at the same time, or you can find very similar sites and profiles," Grimes wrote. These sites and profiles also will have been posted only very recently and will have no Internet presence outside of the properties supplied by the candidate.

After hiring, organizations may detect unnecessary logins by the employee on the remote device provided by the company, from an IP address that doesn't match the claimed geographical location, or other unusual behavior. Employees also may work hours inconsistent with the time zone where they claim to be located.

Because the motivation for the threat actors is financial, another red flag after hiring is a request to be paid in unusual or strange payment schemes, including the demand for virtual currency.

Protecting Your Organization

If an organization suspects a person is a threat actor during the hiring process, it should be reported immediately to senior management for support in vetting the person's legitimacy. KnowBe4 also advised that organizations "threat model" their hiring process and make updates to mitigate the risk of hiring fake employees, such as sharing the warning signs for these actors with those in the direct hiring process.

Indeed, "reviewing hiring processes and reworking them around lessons learned from the experience has been critical" to KnowBe4's incident recovery, and "well worth the investment" to ensure the scenario doesn't repeat itself, Kron says.

If a company does suspect that one of its employees is a North Korean actor, KnowBe4 advised that any device supplied to the person by the company is immediately locked down to the bare minimum access, and monitored for unusual activity, malware, log modifications, or unexpected language changes. The company also should take further steps to monitor employee activity and, of course, remove the person from the job if suspicions prove true.

In retrospect, KnowBe4 has learned that even though it already had a strong security culture with many controls in place that allowed the company to mitigate the situation quickly, "there is always room for improvement," Kron says.

"Having been through this has allowed us to become even more secure than we were previously," he says, "and by sharing the lessons we learned, we hope it will help others."

Read more about:

CISO Corner

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights