What just happened? In a warning that highlights the lengths cybercriminals will go to infiltrate systems, a US security training company has revealed it was tricked into hiring a North Korean hacker as a software engineer. The firm only discovered what happened when he loaded the company-provided computer with malware.
KnowBe4 creates customized security awareness programs for companies, developed to teach employees about hacking dangers. An example is testing susceptibility to phishing attacks by sending employees fake emails to see if anyone falls for the ruse.
In a recent post, CEO and founder Stu Sjouwerman told a cautionary tale, though he emphasized that no company data was lost, compromised, or exfiltrated, and there was no breach.
It started when KnowBe4 posted a job for a software engineer for its internal IT AI team. After HR conducted four video interviews with a candidate on separate occasions, confirmed the individual matched the photo on their application, checked their background, and performed other pre-hiring checks, the person in question was hired to work remotely.
What the company didn’t know was that the new hire was using a valid but stolen US-based ID and stock photo, which had been altered using AI, to convince KnowBe4 that they were a legitimate candidate. You can see the original stock photo (left) and the AI-enhanced one below.
The interviewers believed the person they interviewed looked enough like the faked photo to be convincing.
All seemed normal, until last week when the employee, referred to only as XXXX, was sent his company-supplied Mac workstation. The moment it was received, it immediately started to load malware.
KnowBe4’s SOC team contacted XXXX to inquire about the detection and its possible cause. He claimed that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.
XXXX then performed actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware. The company tried to get him on video call but he said he was unavailable and later became unresponsive. His device was contained about 25 minutes after the suspicious activities were detected.
Analysis suggests that XXXX may be an Insider Threat/Nation State Actor. The information was shared with cybersecurity firm Mandiant and the FBI. It was determined that XXXX was a fake IT worker from North Korea.
KnowBe4 said the work Mac was shipped to an address “that is basically an ‘IT mule laptop farm,” which XXXX accessed via VPN. He also worked night shift so it appeared he was working US daytime.
There have been warnings of North Koreans using stolen identities to secure remote US jobs. Their wages are used to fund North Korea’s illegal programs, and the positions enable access to sensitive information and the opportunity to breach systems/install malware.