KnowBe4, a leading U.S. cybersecurity company, recently uncovered a serious security lapse: it had inadvertently hired a North Korean hacker who sought to infect the company’s network with malware. The firm’s CEO, Stu Sjouwerman, shared details of the incident in a blog post, framing it as both a significant learning opportunity and a warning for other organizations.
Sjouwerman was quick to clarify that no data was compromised or stolen from KnowBe4. “This is not a data breach notification,” he emphasized. “No illegal access occurred, and no data was lost or exfiltrated. This is a moment for us to learn and share. If this can happen to us, it could happen to anyone. Don’t let it happen to you.”
The company was in search of a software engineer for its IT AI team when it hired an individual who turned out to be a North Korean hacker using a stolen U.S. identity and an AI-enhanced photograph. The FBI is investigating, with suspicions that the hacker was an “Insider Threat/Nation State Actor.”
Recruitment and Red Flags
KnowBe4, which operates in 11 countries and is based in Florida, provides security training, including phishing tests, to businesses. The recruitment process for the new hire included posting the job, screening resumes, conducting interviews, and performing background checks. Despite this thorough process, the new hire attempted to load malware onto their workstation as soon as it was received.
The hacker, using the AI-enhanced photo, passed four video interviews, and the background checks came back clean because they were run against the stolen identity. Everything seemed legitimate until the suspicious activities began.
Detection and Response
On July 15, 2024, KnowBe4’s Security Operations Center (SOC) detected irregularities starting at 9:55 pm EST. The SOC team reached out to the new hire, referred to as “XXXX,” who claimed to be troubleshooting a router issue. Despite the explanation, further investigation revealed that the hacker was manipulating files, transferring harmful data, and executing unauthorized software with a Raspberry Pi.
The SOC’s attempts to get more information from XXXX included arranging a call, but the individual became unresponsive. By 10:20 pm EST, the SOC team had contained XXXX’s device.
Collaboration with Mandiant and the FBI
The SOC’s findings suggested that the malware installation was intentional, raising concerns that XXXX was an Insider Threat or Nation State Actor. KnowBe4 worked with Mandiant, a top cybersecurity firm, and the FBI to validate its findings. It was confirmed that the hacker was indeed from North Korea, posing as an IT worker.
Due to the ongoing FBI investigation, specific details remain undisclosed. However, Sjouwerman explained that the hacker had arranged for the workstation to be sent to an “IT mule laptop farm,” using a VPN to log in remotely from North Korea or China. The aim was to maintain the appearance of working U.S. hours while diverting significant earnings back to North Korea.
Lessons and Security Enhancements
Sjouwerman highlighted the sophistication of the scam, noting that it was well-organized and state-sponsored. The hacker’s ability to create a convincing identity and exploit vulnerabilities in the hiring process underscored the need for more rigorous vetting procedures and ongoing security monitoring.
The incident is a stark reminder for organizations to enhance their security measures and improve coordination between HR, IT, and security teams to safeguard against advanced threats. KnowBe4’s proactive response and collaboration with experts and law enforcement were crucial in mitigating the potential impact, serving as a critical lesson for others in the cybersecurity field.
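As an added example (not KnowBe4’s, Mandiant’s or the FBI’s code), the following Python sketches the kind of first-day risk score a SOC could compute for a new hire’s workstation from the indicators this write-up describes: activity within hours of the laptop being received, after-hours timing, an inbound remote session, unrecognised hardware attached, and execution of software that is not on the allowlist. The event field names, weights and containment threshold are assumptions, and the sample events are constructed.

```python
"""Score endpoint telemetry from a newly provisioned new-hire workstation.

Added example, not code from KnowBe4, Mandiant or the FBI. Event shapes,
weights and the threshold are assumptions; the sample events are constructed.
"""
from datetime import datetime, timedelta

# Assumed weights: one hit per indicator, however many events trigger it.
WEIGHTS = {
    "early_activity": 2,   # activity within 24 h of the device being received
    "after_hours": 1,      # outside the configured local business hours
    "remote_session": 2,   # inbound remote-control/VPN session to the endpoint
    "unknown_usb": 2,      # USB/serial device with no recognised vendor
    "unapproved_exec": 3,  # process not on the software allowlist
}
CONTAIN_THRESHOLD = 6      # assumed: at or above this, isolate and call the user

def score_device(events, received_at, business_hours=(8, 18)):
    """Return (score, sorted indicator names) for a list of endpoint events."""
    hits = set()
    for ev in events:
        ts = ev["ts"]
        if timedelta(0) <= ts - received_at <= timedelta(hours=24):
            hits.add("early_activity")
        if not business_hours[0] <= ts.hour < business_hours[1]:
            hits.add("after_hours")
        if ev["type"] == "remote_session" and ev.get("direction") == "inbound":
            hits.add("remote_session")
        if ev["type"] == "usb_attach" and ev.get("vendor") == "unknown":
            hits.add("unknown_usb")
        if ev["type"] == "process_exec" and not ev.get("allowlisted", False):
            hits.add("unapproved_exec")
    return sum(WEIGHTS[h] for h in hits), sorted(hits)

def should_contain(events, received_at):
    """True when the score crosses the assumed containment threshold."""
    return score_device(events, received_at)[0] >= CONTAIN_THRESHOLD

RECEIVED_AT = datetime(2024, 7, 15, 16, 30)  # constructed delivery timestamp
SUSPECT_EVENTS = [  # constructed, modelled on the indicators in the write-up
    {"ts": datetime(2024, 7, 15, 21, 55), "type": "remote_session", "direction": "inbound"},
    {"ts": datetime(2024, 7, 15, 21, 58), "type": "usb_attach", "vendor": "unknown"},
    {"ts": datetime(2024, 7, 15, 22, 3), "type": "process_exec", "allowlisted": False},
]
BENIGN_EVENTS = [  # constructed: an ordinary first morning at the keyboard
    {"ts": datetime(2024, 7, 16, 9, 10), "type": "process_exec", "allowlisted": True},
    {"ts": datetime(2024, 7, 16, 9, 12), "type": "usb_attach", "vendor": "known-keyboard"},
]

if __name__ == "__main__":
    for name, evs in (("suspect", SUSPECT_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, score_device(evs, RECEIVED_AT), "contain:", should_contain(evs, RECEIVED_AT))
```

The benign set scores only on early activity, which is normal for a first day; the suspect set stacks the after-hours remote session, unknown hardware and unapproved execution that prompted containment in the incident above.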