KnowBe4 reveals it accidentally hired a North Korean hacker

Cyber security awareness firm KnowBe4 warns of the dangers of nation-state hackers getting inside your perimeter.

David Hollingworth
Wed, 24 Jul 2024

You’ve got to hand it to KnowBe4 – not many companies in the cyber security business would admit they mistakenly hired a North Korean hacker, but that’s exactly what the US-based cyber security awareness company has done.

The company went through the usual hiring process – the job was posted, applicants were interviewed, references were checked, and eventually, the position was filled.

KnowBe4 sent the new hire his new Mac laptop on 15 June.


And then, the malware began to be deployed.

“The EDR software detected it and alerted our InfoSec Security Operations Center. The SOC called the new hire and asked if they could help,” Stu Sjouwerman, KnowBe4’s founder and CEO, said in a blog post overnight.

“That’s when it got dodgy fast.”

What KnowBe4 had done was hire a fake IT worker, a known scam operated by North Korean and Chinese threat actors. The laptop had ended up at what is known as an “IT mule farm”, which the new hire then connected to via VPN from North Korea. The hacker worked the night shift there so as to appear to be working on US time.

In addition, the hacker even supplied a deepfake profile image to KnowBe4’s HR department.

“The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs,” Sjouwerman said.

“I don’t have to tell you about the severe risk of this.”

Once the malicious activity was detected, KnowBe4 began an investigation. The company contacted the suspicious employee, who said that the activity was due to an attempt to troubleshoot a router issue. The hacker continued to load malware via a Raspberry Pi device while also manipulating session history files.

KnowBe4 attempted to get the worker on a call, but the hacker said they were unavailable, and soon after stopped responding entirely. The first malicious activity was detected at 9:55pm, and after losing contact with the hacker, KnowBe4’s SOC locked down the device at around 10:20pm.

No harm was done.

The FBI was called in, and the data collected during the incident was shared with cyber security firm Mandiant. They both confirmed what KnowBe4 had suspected – that the “new hire” was, in fact, a fake.

Sjouwerman said that the best way to handle insider threats like this is to constantly scan remote devices for people remoting into them, improve vetting processes, and scan résumés for inconsistencies in a potential hire’s work history.
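As an added illustration, not code from the article or from KnowBe4, here is a small detection pass over constructed endpoint telemetry that flags the two behaviours the article describes: someone remoting into a corporate laptop from outside the corporate network, and tampering with shell session history. The log format, hostnames, addresses and corporate address ranges are all assumptions.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry in key=value form (sample data, not real logs).
SAMPLE_LOG = """\
2024-06-15T21:50:12 host=LAPTOP-0421 user=newhire event=logon type=interactive src=127.0.0.1
2024-06-15T21:55:03 host=LAPTOP-0421 user=newhire event=remote_session direction=inbound src=203.0.113.7
2024-06-15T22:01:44 host=LAPTOP-0421 user=newhire event=file_modify path=/Users/newhire/.zsh_history action=truncate
2024-06-15T22:05:10 host=LAPTOP-0388 user=alice event=remote_session direction=outbound src=10.20.30.40
2024-06-15T22:07:31 host=LAPTOP-0388 user=alice event=file_modify path=/Users/alice/notes.txt action=write
"""

CORP_NETS = ("10.", "192.168.")  # assumed corporate address prefixes (placeholder)
HISTORY_FILES = re.compile(r"\.(bash|zsh)_history$|/\.sh_history$")
KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split one log line into a dict of fields plus its timestamp."""
    ts, _, rest = line.partition(" ")
    ev = dict(KV.findall(rest))
    ev["ts"] = ts
    return ev


def flag_mule_farm_indicators(log_text):
    """Return {host: [reasons]} for hosts showing the tradecraft from the incident."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        host = ev["host"]
        # 1. Someone is remoting INTO the managed laptop from outside corporate ranges.
        if (ev.get("event") == "remote_session" and ev.get("direction") == "inbound"
                and not ev.get("src", "").startswith(CORP_NETS)):
            findings[host].append(
                f"inbound remote-control session from {ev['src']} at {ev['ts']}")
        # 2. Shell history truncated or deleted: the anti-forensic step seen here.
        if (ev.get("event") == "file_modify" and HISTORY_FILES.search(ev.get("path", ""))
                and ev.get("action") in ("truncate", "delete")):
            findings[host].append(
                f"shell history tampering on {ev['path']} at {ev['ts']}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in flag_mule_farm_indicators(SAMPLE_LOG).items():
        print(host, reasons)
```

Either finding alone is worth a SOC call to the employee; both on the same host within minutes, as in the sample, is the pattern the article describes.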

“This case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats,” Sjouwerman said.

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
