North Korean Hackers Targeted KnowBe4 with Fake IT Worker Infosecurity Magazine

pDeputy Editor Infosecurity MagazineppCybersecurity awareness training company KnowBe4 has revealed it was duped into hiring a fake IT worker from North Korea resulting in attempted insider threat activityppThe malicious activity was identified and prevented before any illegal access was gained or any data was compromised on KnowBe4 systemsppIn a blog published on July 23 2024 KnowBe4 detailed the high level of sophistication used by North Korean attackers in creating a believable cover identity capable of passing an extensive interview and background checkppThe case demonstrates North Koreas ongoing efforts to get fake workers employed in IT roles in Western companies both as a means of generating revenue for the Democratic Peoples Republic of Korea DPRK government and to conduct malicious cyber intrusionsppStu Sjouwerman Chief Executive Officer and President at KnowBe4 noted This is a wellorganized statesponsored large criminal ring with extensive resources The case highlights the critical need for more robust vetting processes continuous security monitoring and improved coordination between HR IT and security teams in protecting against advanced persistent threatsppKnowBe4 advertised for a software engineer role within its internal IT AI team and received a resume from an individual using a valid but stolen USbased identity The picture provided on the application was AI enhancedppFour video conference interviews were conducted on separate occasions confirming the individual matched the photo provided on their applicationppA background and other standard prehiring checks were carried out and passed due to the stolen identity being usedppAfter employment was confirmed KnowBe4 sent the remote worker a Mac workstationppKnowBe4s EDR software quickly detected suspicious activities taking place on the device at 2155 EST on July 15 including the downloading of malwareppThese activities included various actions to manipulate session history files transfer potentially harmful files and execute unauthorized software A raspberry pi was used to download the malware  ppThe firms Security Operations Center SOC was alerted who evaluated that these activities may be intentional and that the worker may be an insider threatnation state actorppThe SOC contacted the worker about the activity who responded that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromiseppThe SOC also attempted to get the fake worker on a call who stated he was unavailable for a call and then became unresponsive The SOC then contained the device at around 2220 ESTppKnowBe4 shared its findings with threat intelligence firm Mandiant and the FBI This uncovered that the fake employee was part of a North Koreasponsored criminal outfit specializing in these IT worker scamsppOnce employment is gained the fake workers requests their workstation is sent to an address that is an IT mule laptop farm They then use VPNs to access the workstation from their real physical location which is usually North Korea or ChinappThe scam is that they are actually doing the work getting paid well and give a large amount to North Korea to fund their illegal programs explained SjouwermanppKnowBe4 set out advice on how companies can avoid employing fake North Korean IT workers based on its experience includingp