HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

North Korean hacker hired by US security vendor immediately loaded malware

Written by Tshedimoso Makhene | Jul 26, 2024 1:17:15 AM

KnowBe4, a US-based security vendor, discovered it had hired a North Korean hacker who attempted to load malware into their network, prompting an FBI investigation.

What happened

KnowBe4, a US-based security vendor, has revealed that it unknowingly hired a North Korean hacker who attempted to load malware into the company's network. The incident was detected before causing any major problems, and no illegal access was gained or data was lost, compromised, or exfiltrated on KnowBe4 systems. The company was looking for a software engineer for its internal IT AI team. The hacker was using a stolen US identity and an AI-enhanced photo and passed all standard hiring checks. Once hired, the individual’s malicious activities triggered security alerts, leading to an investigation.

The suspicious activities, including unauthorized software installations and malware downloads, were flagged by KnowBe4’s Security Operations Center (SOC). The SOC concluded that the malware loading may have been intentional and suspected the user of being an insider threat or nation-state actor. The company shared the collected data with Mandiant, a cybersecurity firm, and the FBI to corroborate its initial findings.

KnowBe4 cannot provide much detail due to the active FBI investigation, but the fake worker may have logged into the company computer remotely from North Korea. Such workers take the night shift so that they appear to be working during US daytime hours, posing as legitimate employees while funding illegal programs in North Korea.

What was said

In a KnowBe4 blog post, CEO and founder Stu Sjouwerman wrote, “First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems.” He went on to explain that “This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don't let it happen to you.”

A summary of the SOC report was included in the blog, and it explained that “On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55 pm EST. When these alerts came in, KnowBe4's SOC team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.

“The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware. SOC attempted to get more details from XXXX, including getting him on a call. XXXX stated he was unavailable for a call and later became unresponsive. At around 10:20 pm EST, SOC contained XXXX's device. How this works is that the fake worker asks to get their workstation sent to an address that is basically an "IT mule laptop farm". They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in US daytime. The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs. I don't have to tell you about the severe risk of this. It's good we have new employees in a highly restricted area when they start, and have no access to production systems. Our controls caught it, but that was sure a learning moment that I am happy to share with everyone.”

See also: HIPAA Compliant Email: The Definitive Guide

Why it matters

This incident underscores the multifaceted nature of cybersecurity threats and the importance of a comprehensive, adaptive approach to security:

  • Insider threats: The event highlights the considerable danger presented by insider threats, particularly those backed by nation states. Companies may remain susceptible to sophisticated attacks despite implementing robust recruitment procedures.
  • Identity theft: The use of a stolen identity and AI-enhanced photos reveals how advanced techniques can bypass traditional background checks and security measures, presenting a major challenge for HR departments and security teams.
  • Remote work risks: The scenario where the hacker logged in remotely from North Korea or China using a VPN points to the risks associated with remote work. It highlights the need for stringent security protocols and monitoring for remote employees.
  • Advanced Persistent Threats (APTs): This incident illustrates the persistent and advanced nature of threats posed by state-sponsored hackers, who are becoming increasingly adept at infiltrating organizations for espionage and financial gain.
  • Security awareness: As KnowBe4 specializes in security awareness training, this event emphasizes the importance of continuous vigilance and the need for organizations to educate their employees about potential security threats.
  • Technological exploitation: The use of AI for enhancing photos and other forms of technological manipulation highlights the evolving tools at the disposal of cybercriminals, requiring ongoing advancements in security technologies and strategies.

See also: Detecting cyber anomalies

FAQs

What is malware?

Malware is software intentionally designed to cause damage, disrupt operations, steal information, or gain unauthorized access to computer systems. It includes various forms such as viruses, worms, trojans, ransomware, spyware, and adware. 

Go deeper: What is malware?

What measures can organizations take to prevent similar incidents?

Organizations can implement multi-factor authentication, conduct more thorough background checks, use AI to detect anomalies, and ensure continuous monitoring of employee activities. Regular training on identifying and responding to insider threats is also crucial.

Related: How to identify and prevent malware in healthcare
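The controls the article credits with catching this case (new hires kept in a restricted area with no production access, SOC alerts on unauthorized software installs, and containment once the user stopped cooperating) can be expressed as simple detection rules. The script below is an added example, not KnowBe4's tooling or SOC logic: it assumes a constructed JSON-per-line event format, a hypothetical HR roster with hire dates, and a hypothetical policy (a 30-day probation window, an allow-list of onboarding hosts, and 08:00-18:00 local business hours at the claimed work location). It flags new-hire activity outside the onboarding segment, software installs or downloads during probation, and off-hours activity, then recommends containment once a user has tripped two or more distinct rules.

```python
import json
from datetime import date, datetime, timedelta, timezone

# Policy assumptions (hypothetical; not the real controls described in the article)
PROBATION_DAYS = 30                                  # how long an account counts as a "new hire"
ONBOARDING_HOSTS = {"onboard-vm-1", "onboard-vm-2"}  # the only hosts a new hire may touch
FLAGGED_EVENTS = {"software_install", "download"}    # never expected from a new hire
BUSINESS_HOURS = range(8, 18)                        # 08:00-17:59 local at the claimed work location
WORK_TZ = timezone(timedelta(hours=-4))              # claimed location: US Eastern (EDT offset)

# Constructed HR roster: user -> hire date (not real people)
ROSTER = {
    "newhire01": date(2024, 7, 8),
    "veteran42": date(2021, 3, 1),
}

# Constructed sample telemetry, one JSON object per line (not real log data)
LOG_LINES = [
    '{"ts": "2024-07-15T09:12:00-04:00", "user": "newhire01", "event": "login", "host": "onboard-vm-1"}',
    '{"ts": "2024-07-15T21:55:00-04:00", "user": "newhire01", "event": "software_install", "host": "onboard-vm-1"}',
    '{"ts": "2024-07-15T21:58:00-04:00", "user": "newhire01", "event": "file_transfer", "host": "prod-db-2"}',
    '{"ts": "2024-07-15T14:30:00-04:00", "user": "veteran42", "event": "software_install", "host": "build-7"}',
]


def parse_line(line):
    """Parse one JSON log line and normalise its timestamp to the claimed work-location zone."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"]).astimezone(WORK_TZ)
    return rec


def is_new_hire(user, when, roster=ROSTER):
    """True if the user is still inside the probation window on the event date."""
    hired = roster.get(user)
    return hired is not None and (when.date() - hired).days < PROBATION_DAYS


def _alert(alerts, rec, rule, reason):
    alerts.append({"user": rec["user"], "ts": rec["ts"].isoformat(),
                   "host": rec["host"], "rule": rule, "reason": reason})


def evaluate(lines, roster=ROSTER):
    """Run every rule over the log lines and return the list of alerts in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        when, host, event = rec["ts"], rec["host"], rec["event"]
        if is_new_hire(rec["user"], when, roster):
            if host not in ONBOARDING_HOSTS:
                _alert(alerts, rec, "new_hire_restricted_host",
                       f"{host} is outside the onboarding segment")
            if event in FLAGGED_EVENTS:
                _alert(alerts, rec, "new_hire_flagged_event", f"{event} during probation")
        if when.hour not in BUSINESS_HOURS:
            _alert(alerts, rec, "off_hours_activity",
                   f"{event} at {when.strftime('%H:%M')} local time")
    return alerts


def distinct_rules(alerts, user):
    """Set of rule names a given user has tripped."""
    return {a["rule"] for a in alerts if a["user"] == user}


def should_contain(alerts, user, threshold=2):
    """Recommend isolating the user's device once `threshold` distinct rules have fired."""
    return len(distinct_rules(alerts, user)) >= threshold


if __name__ == "__main__":
    found = evaluate(LOG_LINES)
    for a in found:
        print(f"{a['ts']} {a['user']:<10} {a['rule']:<26} {a['reason']}")
    for user in ROSTER:
        print(user, "-> CONTAIN" if should_contain(found, user) else "-> ok")
```

Correlating several weak signals per user, rather than paging on each one, is what turns a noisy "software installed" event into a containment decision; the veteran account's daytime install on a build host trips nothing under this policy, while the new hire's evening install and touch of a production host together cross the threshold.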

Can background checks be made more secure?

Yes, background checks can be enhanced by incorporating biometric verification, cross-referencing multiple data sources, and using advanced AI to detect anomalies or inconsistencies in applicant information.