Incident highlights 'weaknesses in hiring and background check processes'
A fake IT worker from North Korea attempted to infiltrate security awareness training provider KnowBe4 this month, its CEO revealed on Tuesday.
Stu Sjouwerman shared the incident report on a blog post, revealing that the fake employee stole a US-based identity to get hired as a principal software engineer at KnowBe4.
"The subject has demonstrated a high level of sophistication in creating a believable cover identity, exploiting weaknesses in the hiring and background check processes, and attempting to establish a foothold within the organisation's systems," the CEO shared on the blog post.
The poser was able to slip past four video conference-based interviews that were meant to confirm the individual with the photo provided in their application, as well as other standard pre-hiring checks carried out by KnowBe4.
"This is a well-organised, state-sponsored, large criminal ring with extensive resources," Sjouwerman said. "The case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats."
Attacker's attempted infiltration
The poser's scheme was discovered after the company delivered a Mac workstation to the employee.
"The moment it was received, it immediately started to load malware," Sjouwerman said.
According to the incident report, a series of suspicious activities were detected on the user account on July 15 before the device was contained by KnowBe4's security operations centre (SOC) team.
"The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorised software. He used a raspberry pi to download the malware," the report read.
The poser initially reasoned that the compromise might be due to his troubleshooting of his router guide after a speed issue. However, he later became unresponsive and unavailable for a call when the SOC attempted to get more details.
Sjouwerman described the scheme as involving a fake worker requesting their workstation be sent to an address that is actually an "IT mule laptop farm." From there, they use a VPN to connect from their actual location and work the night shift, making it appear as though they are working during US daytime hours.
"The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programmes," the CEO said. "I don't have to tell you about the severe risk of this."
The compromised workstation has been contained after the discovery, according to the shared report. The FBI is also carrying out an active investigation of the incident.
"No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems. This is not a data breach notification, there was none," Sjouwerman said.
Learning moment for employers
The KnowBe4 CEO told the public to look at the incident as an "organisational learning moment."
"If it can happen to us, it can happen to almost anyone. Don't let it happen to you," Sjouwerman said.
To prevent it from happening, he shared the following tips:
- Scan your remote devices, to make sure no one remotes into those.
- Better vetting, making sure that they are physically where they are supposed to be.
- Better resume scanning for career inconsistencies.
- Get these people on video camera and ask them about the work they are doing.
- The laptop's shipping address different from where they are supposed to live/work is a red flag.
