Leading U.S. Cybersecurity Awareness Company Unknowingly Hires Remote North Korean Hacker

KnowBe4, a leading cybersecurity firm, was recently the target of a North Korean hacker posing as an IT worker. KnowBe4 has revealed the attacker aimed to install malware on a company-issued MacBook. The company also details the methods used to bypass security measures and highlights steps businesses can take to protect themselves from similar threats.

Incident Overview

KnowBe4 disclosed that it was deceived by a sophisticated phishing scheme orchestrated by a North Korean hacker who impersonated a legitimate IT worker. The attacker managed to get through KnowBe4’s thorough hiring process but was eventually detected and stopped before any data was compromised.

The incident began when KnowBe4 hired a remote software engineer who successfully passed multiple rounds of interviews and background checks. However, once the company-issued MacBook was in the attacker’s hands, it started loading malware, triggering KnowBe4’s security systems.

An investigation conducted in collaboration with the FBI and cybersecurity firm Mandiant revealed that the engineer was a North Korean national using a stolen US identity. The attacker used an AI-generated profile picture to mask their true identity.

“This was a real person using a valid but stolen US-based identity,” stated KnowBe4’s Chief Executive Officer and President, Stu Sjouwerman. “The picture was AI ‘enhanced’.”

Hacker Tactics

The hacker employed various tactics, including manipulating session history files, transferring potentially harmful files, and executing unauthorized software. They used a Raspberry Pi to download the malware, disguising their activity as routine troubleshooting.

KnowBe4’s security team quickly contained the threat, preventing further damage. This incident underscores the increasing sophistication of state-sponsored cyberattacks and the necessity for robust security measures.

Government Advisory

North Korean operatives are increasingly targeting Western companies, exploiting remote work trends, and using advanced methods to circumvent traditional security protocols.

In May 2022, the US government advised organizations to be vigilant against North Korean hackers posing as IT freelancers. According to an advisory from the United States State and Treasury Departments and the FBI, highly skilled North Korean developers were trying to secure employment under false identities to facilitate cyber intrusions for the North Korean government.

Protecting Your Organization: Key Takeaways for HR Managers

Here are essential strategies for HR managers to protect against fake employee scenarios and respond if compromised:

How to mitigate the risk:

1. Rigorous Vetting: Implement multi-layered background checks beyond basic criminal records. Use third-party services for identity verification and social media analysis.
2. Video Interviews: Conduct video interviews for all candidates, especially for remote positions. Note any inconsistencies between the candidate’s appearance and their online presence.
3. Reference Checks: Thoroughly verify references, speaking to previous supervisors and colleagues to understand the candidate’s work ethic and character.
4. Behavioral Assessments: Use behavioral assessments in the hiring process to evaluate personality traits, work style, and potential for deception.
5. Red Flag Awareness: Train hiring managers to recognize red flags such as resume inconsistencies, evasive answers during interviews, and overly eager candidates.
6. Cybersecurity Training: Mandate cybersecurity training for all employees with access to company data or devices to identify phishing scams, social engineering tactics, and fake profiles.

How to respond:

1. Immediate Containment: If suspicious activity is detected, isolate the affected user account and restrict access to sensitive systems immediately.
2. Forensic Investigation: Engage a cybersecurity firm to conduct a thorough investigation to determine the extent of the breach and identify the attacker’s methods.
3. Law Enforcement Notification: Report the incident to the FBI and other relevant law enforcement agencies.
4. Data Breach Response Plan: Have a comprehensive response plan in place to guide actions during a security incident.
5. Employee Communication: Communicate transparently with employees about the incident, detailing steps taken to mitigate risk and protect their data.