KnowBe4, a US-based security vendor, discovered it had hired a North Korean hacker who attempted to load malware into their network, prompting an FBI investigation.
KnowBe4, a US-based security vendor, has revealed that it unknowingly hired a North Korean hacker who attempted to load malware into the company's network. The incident was detected before causing any major problems, and no illegal access was gained or data was lost, compromised, or exfiltrated on KnowBe4 systems. The company was looking for a software engineer for its internal IT AI team. The hacker was using a stolen US identity and an AI-enhanced photo and passed all standard hiring checks. Once hired, the individual’s malicious activities triggered security alerts, leading to an investigation.
The suspicious activities, including unauthorized software installations and malware downloads, were flagged by KnowBe4’s Security Operations Center (SOC). The SOC found that the malware loading may have been intentional by the user and suspected him to be an Insider Threat/Nation State Actor. The company shared the collected data with Mandiant, a leading global cybersecurity expert, and the FBI to corroborate its initial findings.
KnowBe4 cannot provide much detail due to the active FBI investigation, but the fake worker may have logged into the company computer remotely from North Korea. Such workers take the night shift so that they appear to be working during the US daytime, posing as legitimate employees while their pay funds illegal programs in North Korea.
In a KnowBe4 blog post, CEO and founder Stu Sjouwerman wrote, “First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems.” He went on to explain that "This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don't let it happen to you.”
A summary of the SOC report was included in the blog, and it explained that “On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55 pm EST. When these alerts came in, KnowBe4's SOC team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.
The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware. SOC attempted to get more details from XXXX including getting him on a call. XXXX stated he was unavailable for a call and later became unresponsive. At around 10:20 pm EST SOC contained XXXX's device. How this works is that the fake worker asks to get their workstation sent to an address that is basically an "IT mule laptop farm". They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in US daytime. The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs. I don't have to tell you about the severe risk of this. It's good we have new employees in a highly restricted area when they start, and have no access to production systems. Our controls caught it, but that was sure a learning moment that I am happy to share with everyone.”
This incident highlights the multifaceted nature of cybersecurity threats and the importance of a comprehensive, adaptive approach to security.
Malware is software intentionally designed to cause damage, disrupt operations, steal information, or gain unauthorized access to computer systems. It includes various forms such as viruses, worms, trojans, ransomware, spyware, and adware.
Organizations can implement multi-factor authentication, conduct more thorough background checks, use AI to detect anomalies, and ensure continuous monitoring of employee activities. Regular training on identifying and responding to insider threats is also crucial.
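As an added illustration of the kind of continuous monitoring described above (example code written for this article, not KnowBe4's SOC tooling), the following Python triage sketch applies three rules drawn from the incident timeline to constructed endpoint events: off-hours activity on a device still inside the restricted new-hire period, writes to shell history files, and execution of installers outside an allow list. The event schema, hire roster and sample events are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed endpoint telemetry modelled on the article's timeline:
# off-hours activity on a new hire's device, shell-history tampering and
# unauthorized software execution. Field names are assumptions, not a real EDR schema.
@dataclass
class Event:
    ts: datetime      # event time, US Eastern (constructed)
    user: str
    kind: str         # "process", "file_write" or "install"
    detail: str

HIRE_DATE = {"new.hire": datetime(2024, 7, 8)}   # constructed HR roster
PROBATION = timedelta(days=30)                   # restricted-access period for new hires
BUSINESS_HOURS = range(8, 19)                    # 08:00-18:59 local
HISTORY_FILES = (".bash_history", ".zsh_history")
ALLOWED_INSTALLERS = {"company-updater"}

def score_event(ev):
    """Return the names of the rules this event trips (empty = benign)."""
    hits = []
    hired = HIRE_DATE.get(ev.user)
    if hired is not None and ev.ts - hired <= PROBATION and ev.ts.hour not in BUSINESS_HOURS:
        hits.append("new_hire_off_hours")
    if ev.kind == "file_write" and ev.detail.endswith(HISTORY_FILES):
        hits.append("session_history_tamper")
    if ev.kind == "install" and ev.detail not in ALLOWED_INSTALLERS:
        hits.append("unauthorized_install")
    return hits

def triage(events, contain_at=2):
    """Collect distinct rule hits per user; a user tripping at least
    `contain_at` distinct rules gets a containment recommendation."""
    per_user = {}
    for ev in events:
        per_user.setdefault(ev.user, set()).update(score_event(ev))
    verdict = lambda r: "contain" if len(r) >= contain_at else ("review" if r else "ok")
    return {u: (verdict(r), sorted(r)) for u, r in per_user.items()}

SAMPLE = [  # constructed events mirroring the 9:55 pm pattern in the SOC report
    Event(datetime(2024, 7, 15, 21, 55), "new.hire", "file_write", "/home/x/.bash_history"),
    Event(datetime(2024, 7, 15, 21, 58), "new.hire", "install", "unsigned-tool"),
    Event(datetime(2024, 7, 15, 14, 10), "veteran", "install", "company-updater"),
]

if __name__ == "__main__":
    for user, (action, rules) in triage(SAMPLE).items():
        print(f"{user}: {action} {rules}")
```

Real deployments would feed the same rules from an EDR or SIEM stream and pair the "contain" verdict with the device isolation step the SOC took here.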
Yes, background checks can be enhanced by incorporating biometric verification, cross-referencing multiple data sources, and using advanced AI to detect anomalies or inconsistencies in applicant information.