Recently, a security firm accidentally hired a North Korean hacker. North Korean IT workers are highly skilled and can earn a lot of money: some individuals earn over $300,000 a year on their own, and teams of these workers can earn more than $3 million each year.[1]
Unfortunately, these earnings are often used to fund illegal activities, including dangerous weapons programs. While this case did not result in a data breach, it shows the rising risk of cyberattacks and the need for better security when hiring, especially for remote jobs.
KnowBe4 Hires North Korean Hacker Using AI-Enhanced Photo
KnowBe4, a company that helps organizations train their employees about Cybersecurity, was looking for a software engineer to join their internal IT AI team. They posted the job opening and received many resumes. After reviewing these resumes, they conducted several interviews, checked backgrounds, and confirmed references before deciding to hire someone.
The HR team held four separate video interviews with the candidate. During these interviews, they made sure the person looked like the photo they submitted with their application. They also completed a background check and all the usual pre-hiring checks. Everything appeared clear at first.
However, it turned out that the new hire was using a real but stolen identity belonging to a U.S. citizen. The photo they provided had been enhanced using artificial intelligence (AI), which made the deception harder to spot.
Source: KnowBe4
KnowBe4 Investigates Suspicious Activities Of New Hire
KnowBe4 then created a FAQ section about an incident involving Employee ID: XXXX, who was hired as a Principal Software Engineer.
Once the new hire's Mac workstation arrived, it quickly began loading malware. The malware was an infostealer that targets data stored in web browsers. According to KnowBe4, it is possible the new hire was trying to collect any information left on the computer from before it was assigned to them.
On July 15, 2024, the company noticed some strange activities happening on that employee’s account. After the Security Operations Center (SOC) team looked into these activities, they believed that the actions might have been done on purpose. They suspected that this employee could be an insider threat or possibly working for a foreign government.
Behind The Fake Hire
According to KnowBe4, the candidate passed the hiring process because the North Korean hacker was highly skilled.
The fake employee then asked for their workstation to be sent to an address that serves as a sort of “IT mule laptop farm.” From there, the worker connects over a VPN from their actual location, either in North Korea or just across the border in China, and works at night to match U.S. daytime hours. A laptop shipping address that differs from where the person claims to live or work is a warning sign.
They do complete real work while getting paid well, and a portion of their earnings goes back to North Korea to support its illegal activities. Fortunately, the KnowBe4 team ensures that new employees in highly restricted areas do not have access to their production systems at the start.
Stu Sjouwerman, CEO of KnowBe4, assured customers that no data was stolen because the company’s security tools stopped the malware before it could do any harm. He shared the story to help others learn from the situation. “Do we have an egg on our face? Yes,” he wrote. “And I am sharing that lesson with you.”
U.S. Agencies Warn Of North Korean IT Workers Posing As Foreign Nationals
Since 2022, the U.S. Department of State, the U.S. Department of the Treasury, and the FBI have issued warnings to the public, international organizations, and businesses. They are alerting everyone about attempts by Democratic People’s Republic of Korea (DPRK) IT workers to get jobs while pretending to be from other countries.
North Korea sends thousands of skilled IT workers across the world to make money. The money they earn is used to support their illegal weapons programs, including weapons of mass destruction (WMD) and ballistic missiles, which go against U.S. and United Nations (UN) sanctions.
Cybersecurity In Hiring
As more businesses hire remote workers, it’s important to consider Cybersecurity during the hiring process. Here are key things you need to know to protect your company:
1. Watch for Red Flags
Be alert to warning signs. For instance, if a candidate asks for their workstation to be shipped to a different address than where they claim to work, this could be a sign of fraud. Any unusual requests or behaviors during the hiring process should be looked into closely.
2. Secure Workstations
When sending computers or devices to remote workers, ensure they are pre-configured with security settings like encryption, VPNs, and multi-factor authentication (MFA). This helps protect sensitive data and prevents cyberattacks.
3. Limit Access at the Start
It’s wise to give new remote employees limited access to important systems when they first join. Slowly increase their access as they prove trustworthy. This minimizes the risk of someone doing harm early on if they turn out to be a threat actor.
4. Use Security Tools
Implement tools that monitor activity, detect malware, and track data access. If an employee is working remotely, make sure their actions are logged and analyzed to identify any suspicious behavior.
5. Train In-House & Remote Employees
Train both your hiring team and on-site and remote employees on the risks of hiring scams and insider threats. Everyone should understand the importance of security and how to report anything suspicious.
Ultimately, Cybersecurity should be a priority at every stage of the hiring process.
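One way to turn the five recommendations above into a concrete onboarding check, as an added example that is not KnowBe4's tooling or code from this article: it scores a new hire's first-week record against the warning signs the article describes (a workstation shipped somewhere other than the declared address, logins masked by a VPN or hosting provider or arriving from undeclared locations, and a read of browser credential stores on a freshly provisioned laptop). The record fields, thresholds and sample telemetry are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class OnboardingRecord:
    employee_id: str
    declared_state: str   # where the candidate says they live and work
    shipping_state: str   # where they asked for the workstation to be shipped
    logins: list = field(default_factory=list)      # (source_state, via_vpn_or_hosting)
    file_reads: list = field(default_factory=list)  # (process_name, file_path) on the new laptop

# Browser credential and cookie stores; reading these right after provisioning is unusual
BROWSER_CRED_STORES = ("Login Data", "logins.json", "Cookies")

def red_flags(rec: OnboardingRecord) -> list[str]:
    """Return the warning signs from the article that this record exhibits."""
    flags = []
    if rec.shipping_state != rec.declared_state:
        flags.append(f"workstation shipped to {rec.shipping_state}, declared {rec.declared_state}")
    if rec.logins:
        vpn_share = sum(1 for _, vpn in rec.logins if vpn) / len(rec.logins)
        if vpn_share >= 0.8:  # assumed threshold: nearly every login is masked
            flags.append(f"{vpn_share:.0%} of first-week logins via VPN or hosting provider")
    elsewhere = sorted({st for st, _ in rec.logins if st != rec.declared_state})
    if elsewhere:
        flags.append(f"logins from undeclared locations: {elsewhere}")
    for proc, path in rec.file_reads:
        if path.endswith(BROWSER_CRED_STORES):
            flags.append(f"{proc} read browser credential store {path}")
            break  # one hit is enough to raise the flag
    return flags

def risk_level(flags: list[str]) -> str:
    """Escalation tier for the SOC queue; the cut-offs are assumptions."""
    return "escalate" if len(flags) >= 2 else ("review" if flags else "clear")

# Constructed sample records mirroring the pattern described, not real telemetry
SUSPECT = OnboardingRecord(
    "EMP-PLACEHOLDER", declared_state="TX", shipping_state="AZ",
    logins=[("AZ", True), ("AZ", True), ("AZ", True), ("AZ", True), ("TX", False)],
    file_reads=[("updater", "/Users/new/Library/Application Support/Google/Chrome/Default/Login Data")],
)
NORMAL = OnboardingRecord(
    "EMP-OK", declared_state="TX", shipping_state="TX",
    logins=[("TX", False), ("TX", False), ("TX", True)],
    file_reads=[("Code", "/Users/new/project/main.py")],
)

if __name__ == "__main__":
    for rec in (SUSPECT, NORMAL):
        print(rec.employee_id, risk_level(red_flags(rec)), red_flags(rec))
```

The suspect record trips all four checks and is escalated, while the normal record produces no flags; in practice the login and file-read tuples would be fed from the identity provider and endpoint telemetry rather than constructed inline.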
FAQ
What Is The KnowBe4 Controversy?
The KnowBe4 controversy involves the company accidentally hiring a North Korean hacker who used a stolen identity. This incident fueled concerns about hiring practices and Cybersecurity risks, especially for remote workers.
Was KnowBe4 Breached By The North Korean IT Worker?
No, KnowBe4 was not breached by the North Korean IT worker. According to the firm, when hiring new employees, their user accounts are given limited permissions. This allows them to go through the onboarding process and training while accessing only a few necessary apps.
What Can Companies Do To Prevent Such Incidents?
To prevent incidents like this, 2Secure advises companies to implement strong security measures and ensure proper endpoint protection for all devices. It’s also important to provide training for remote workers on safe practices while working from home.
Source:
[1] U.S. Department of State, U.S. Department of the Treasury, and FBI. Guidance on the Democratic People’s Republic of Korea Information Technology Workers (2022). https://ofac.treasury.gov/media/923126/download?inline