KnowBe4 catches North Korean hacker posing as IT employee
KnowBe4 says it hired a new principal security engineer for its internal AI team, but quickly detected suspicious activity originating from the employee's workstation.
A North Korean threat actor posed as an IT worker on KnowBe4's AI team, but was caught before gaining access to the cybersecurity company's corporate network.
In an incident report summary published on Tuesday, KnowBe4 CEO and president Stu Sjouwerman said the company discovered that a newly hired principal software engineer was a North Korean nation-state threat actor trying to compromise the security awareness training company's systems. Sjouwerman stressed that the fake IT worker was vetted and interviewed prior to joining KnowBe4's internal AI team.
However, KnowBe4 detected suspicious activity beginning on July 15 that was connected to the new hire's workstation.
North Korean threat actors impersonating IT workers to infiltrate U.S. enterprises is not a new trend. A joint government advisory warned organizations of the threat in 2022.
"We posted the job, received resumes, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware," Sjouwerman said in the report.
Subsequently, KnowBe4's endpoint detection and response tools detected the malicious activity and alerted its security operations center (SOC). The situation escalated after the SOC called the new hire and offered help following the alert. Based on the insufficient response and the suspicious activity, KnowBe4 assessed that the new hire was an "insider threat/Nation State Actor."
"The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware," Sjouwerman said in the report.
An investigation conducted with Mandiant and the FBI showed that the threat actor used deepfake technology to obtain the job and a VPN to manipulate their location. "Our HR team conducted four video conference-based interviews on separate occasions, confirming the individual matched the photo provided on their application," Sjouwerman wrote. "Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The picture was AI 'enhanced.'"
The investigation also shed more light on how the scam worked. Sjouwerman said the fake worker had their workstation sent to an address that acts as an "IT mule laptop farm."
KnowBe4 CISO Brian Jack expanded on how IT mule laptop farms work to TechTarget Editorial.
"Most of these individuals who attempt to obtain employment are not physically located in the U.S. In order for them to conduct work, they require a U.S. location for the equipment to be sent," Jack said. "There are small networks set up at these drop locations where a U.S.-based individual will turn on the received computers and configure them to be accessed remotely. The remote worker will then connect into the laptop farm network and from there remotely access the received device. This will cause security and access logs for that person to show up as being U.S.-based and coming from the correct device."
Next, the threat actors manipulate their VPN locations and work the night shift in their own time zone, so that they appear to be working during daytime hours in the U.S.
"The scam is that they are actually doing the work, getting paid well and give a large amount to North Korea to fund their illegal programs. I don't have to tell you about the severe risk of this," Sjouwerman said in the report.
In the 2022 advisory, government agencies also warned that the fake employees' goal is to generate revenue for the Democratic People's Republic of Korea and fund government initiatives such as weapons development.
Sjouwerman provided tips to detect and prevent these types of scams, including conducting video interviews and scanning internal remote devices. He warned organizations not to rely on email references only for new hires and to conduct more thorough background checks.
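Two of the indicators described above (a single drop address receiving equipment for several remote hires, and a new device being configured for remote control soon after delivery) can be checked from data that HR and endpoint inventory already hold. The following is an added example written for this article, not KnowBe4's or Mandiant's code; the record types, the tool names and the dates are constructed placeholders, and the seven-day window is an assumed tuning value.

```python
"""Flag laptop-farm indicators from constructed HR shipping and endpoint records.

Indicator 1: one shipping address receives equipment for two or more remote new hires.
Indicator 2: a remote-control tool first appears on a new hire's device within a
             short window after delivery (the device is being set up for remote use).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Shipment:
    employee_id: str
    ship_address: str
    delivered: date


@dataclass(frozen=True)
class ProcessEvent:
    employee_id: str   # owner of the device, from the asset inventory
    process: str       # executable name reported by the endpoint agent
    first_seen: date


# Placeholder names; a real deployment would use its own EDR software inventory.
REMOTE_CONTROL_TOOLS = {"remote-control-tool-a", "remote-control-tool-b"}


def normalize_address(addr: str) -> str:
    """Collapse case, punctuation and whitespace so trivially reformatted addresses match."""
    return " ".join(addr.lower().replace(",", " ").replace(".", " ").split())


def shared_addresses(shipments, threshold: int = 2) -> dict:
    """Return {normalized_address: [employee_ids]} for addresses used by >= threshold hires."""
    by_addr = defaultdict(set)
    for s in shipments:
        by_addr[normalize_address(s.ship_address)].add(s.employee_id)
    return {a: sorted(ids) for a, ids in by_addr.items() if len(ids) >= threshold}


def early_remote_access(shipments, events, window_days: int = 7) -> list:
    """Return (employee_id, process, days_after_delivery) for remote-control tools
    first seen within window_days of the device being delivered."""
    delivered = {s.employee_id: s.delivered for s in shipments}
    hits = []
    for ev in events:
        d = delivered.get(ev.employee_id)
        if d is None:
            continue  # device not tied to a tracked shipment
        in_window = d <= ev.first_seen <= d + timedelta(days=window_days)
        if ev.process.lower() in REMOTE_CONTROL_TOOLS and in_window:
            hits.append((ev.employee_id, ev.process, (ev.first_seen - d).days))
    return hits


# Constructed sample data: E-101 and E-102 ship to the same address written two ways.
SHIPMENTS = [
    Shipment("E-101", "12 Example St, Apt 4, Springfield, ST 00000", date(2024, 7, 8)),
    Shipment("E-102", "12 example st apt 4 springfield st 00000", date(2024, 7, 10)),
    Shipment("E-103", "900 Other Ave, Elsewhere, ST 11111", date(2024, 7, 9)),
]

EVENTS = [
    ProcessEvent("E-101", "remote-control-tool-a", date(2024, 7, 8)),   # same day as delivery
    ProcessEvent("E-102", "text-editor", date(2024, 7, 11)),            # benign
    ProcessEvent("E-103", "remote-control-tool-b", date(2024, 8, 20)),  # outside the window
]


def run_checks(shipments=SHIPMENTS, events=EVENTS) -> dict:
    return {
        "shared_addresses": shared_addresses(shipments),
        "early_remote_access": early_remote_access(shipments, events),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings)
```

Both checks produce leads for a human review rather than verdicts: a shared address may be a legitimate co-working space, and a remote-control tool may be approved IT software, so the findings are best routed to the SOC alongside the shipping request and the hire's interview records.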
He stressed that this insider threat highlights the critical need for a more robust vetting process to prevent advanced persistent threat actors from gaining access to an organization.
"The subject has demonstrated a high level of sophistication in creating a believable cover identity, exploiting weaknesses in the hiring and background check processes, and attempting to establish a foothold within the organization's systems," Sjouwerman said in the report.
Jack told TechTarget Editorial that KnowBe4 will make some changes to its own vetting process moving forward. "Certain roles may require more strict identity validation, which may include fingerprint checks or similar. Requested addresses used for shipping equipment to remote new hires will also be more scrutinized," he said.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.