Cyber firm KnowBe4 unknowingly hired a North Korean hacker – and it went exactly as you might think


Security awareness training firm KnowBe4 has detailed how a North Korean threat actor was able to sneak into the organization posing as a remote software engineer.

The hiring process for a new engineer on its internal IT AI team was uneventful. After four rounds of interviews, the company offered the individual a job, having performed background checks and verified references.

All was not as it seemed, though, as the candidate had circumvented KnowBe4’s due diligence using a stolen identity and AI-generated imagery. Their true nature quickly became apparent, however, as they began loading malware as soon as they received their Mac workstation.

On 15 July 2024, KnowBe4’s EDR software detected suspicious activity from the user in question, prompting the company’s SOC team to reach out to the employee to inquire about their anomalous activity.

The threat actor told the security team they were simply following steps on their router guide to troubleshoot a speed issue that may have caused a compromise.

The SOC team tried to get the user on a call to discuss his activity after he was observed performing a series of suspicious actions, including manipulating session history files, using a Raspberry Pi to download malware, and executing malicious software.

After he claimed he was unavailable to join the call, the user became unresponsive and KnowBe4’s security staff contained his device, drawing the saga to an end.

KnowBe4 views the incident as a “learning moment”

KnowBe4 stated that the user did not gain any illegal access and no data was lost, compromised, or exfiltrated during the incident, framing it as an “organizational learning moment”.

Stu Sjouwerman, CEO at KnowBe4 and author of the blog post detailing the event, noted that although the company emerged unscathed from the incident, it could have been devastating.

“I don't have to tell you about the severe risk of this. It's good we have new employees in a highly restricted area when they start, and have no access to production systems. Our controls caught it, but that was sure a learning moment that I am happy to share with everyone,” he said.

A “new age of cyber spies and cyber espionage”

KnowBe4 noted this appears to be part of a wider campaign where North Korean threat actors try to get into US organizations posing as remote IT staff. The hackers get work devices sent to what KnowBe4 describes as an ‘IT mule laptop farm’ where they use a VPN to appear as if they are logging in from the US.

To maintain their cover, the threat actors appear to actually carry out their responsibilities. They work the night shift to align themselves with the US workday and collect their pay, which KnowBe4 claims is used to fund further illegal programs in North Korea.

The training specialist listed some tips for other organizations to avoid falling prey to a similar scam. These include scanning devices used by home workers to make sure nobody remotes into them, as well as more rigorous checks to ensure the prospect is physically located where they claim to be.

Improved resume scanning for career inconsistencies is another possible method organizations can use to improve their chances of catching a malicious hire, as well as flagging if the shipping address for their work device differs from where they claim to live and work.
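One way a defender could turn these tips into an automated pre-onboarding cross-check is sketched below. This is an added example, not KnowBe4's own tooling; the record fields, the geo-IP inputs and the sample hires are constructed for illustration.

```python
# Added example (not KnowBe4's tooling): flag a new-hire record when the laptop
# shipping address, early login locations, VPN/hosting source classification or
# resume timeline disagree with what the candidate claimed. Fields are assumed.
from dataclasses import dataclass


@dataclass
class Onboarding:
    employee: str
    claimed_city: str                     # where the hire says they live and work
    ship_to_city: str                     # where the work laptop was actually sent
    login_geo: list[str]                  # geo-IP city of each early login
    login_from_vpn: list[bool]            # geo-IP flagged source as VPN/hosting?
    resume_years: list[tuple[int, int]]   # (start, end) of each listed job


def onboarding_flags(rec: Onboarding) -> list[str]:
    """Return the list of inconsistency flags raised for one hire."""
    flags = []
    claimed = rec.claimed_city.lower()
    if rec.ship_to_city.lower() != claimed:
        flags.append("shipping_address_mismatch")
    if any(city.lower() != claimed for city in rec.login_geo):
        flags.append("login_location_mismatch")
    if any(rec.login_from_vpn):
        flags.append("vpn_or_hosting_login")
    # Resume inconsistency: overlapping or reversed employment date ranges.
    spans = sorted(rec.resume_years)
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if e1 < s1 or e2 < s2 or s2 < e1:
            flags.append("resume_timeline_inconsistent")
            break
    return flags


# Constructed sample records: one hire whose device went elsewhere and who logs
# in through a VPN from another city, and one whose record is consistent.
SUSPECT = Onboarding("j.doe", "Austin, TX", "Tacoma, WA",
                     ["Tacoma, WA", "Austin, TX"], [True, False],
                     [(2016, 2019), (2018, 2022)])
CLEAN = Onboarding("a.lee", "Denver, CO", "Denver, CO",
                   ["Denver, CO"], [False], [(2015, 2019), (2019, 2024)])

if __name__ == "__main__":
    for rec in (SUSPECT, CLEAN):
        print(rec.employee, onboarding_flags(rec) or "no flags")
```

Any raised flag is a prompt for HR and the SOC to verify the hire before the device or accounts are provisioned, not an automatic verdict.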


Crystal Morin, cybersecurity strategist at Sysdig, said firms looking for fully remote candidates open themselves up to new threats.

“Organizations hiring remotely open themselves to tremendous talent on a global scale. The struggle, though, is not in finding qualified candidates — there are so many people interested in joining the ranks of cybersecurity — the issue lies within whether or not organizations are actually hiring the people they believe they’re communicating with,” she said.

Morin added that she expects this attack vector to become more popular as companies continue operating hybrid work practices, with HR departments required to place increased scrutiny on hiring remote workers.

“This is the new age of cyber spies and cyber espionage. Our world is just realizing, however, that this is a security issue we have to deal with,” she said.

“I expect that we will begin to see HR departments scrutinize remote candidates a little more thoroughly during interview and onboarding processes, especially in organizations that are considered critical infrastructure and within roles that have administrative access or access to sensitive data.

“Maintaining a partnership between HR, security teams, and insider threat teams to establish a more comprehensive background check on new hires is a worthy endeavor.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.