[Cyware] North Korean Hackers Targeted KnowBe4 with Fake IT Worker

Summary: KnowBe4 revealed it was deceived into hiring a fake IT worker from North Korea, leading to attempted insider threat activities that were ultimately thwarted. The incident underscores the sophistication of North Korean cybercriminals and the need for improved vetting and security measures in hiring processes.

Threat Actor: North Korean Cybercriminals
Victim: KnowBe4

Key Points:

  • KnowBe4 was targeted by a sophisticated North Korean operation that involved creating a believable cover identity to pass hiring checks.
  • The fake employee engaged in suspicious activities immediately after being hired, including downloading malware and manipulating files.
  • KnowBe4’s Security Operations Center quickly identified the threat, leading to containment and collaboration with Mandiant and the FBI.
  • Recommendations for companies include stronger background checks, enhanced monitoring, and security awareness training to prevent similar scams.

Cybersecurity awareness training company KnowBe4 has revealed it was duped into hiring a fake IT worker from North Korea, resulting in attempted insider threat activity.

The malicious activity was identified and prevented before any illegal access was gained or any data was compromised on KnowBe4 systems.

In a blog published on July 23, 2024, KnowBe4 detailed the high level of sophistication used by North Korean attackers in creating a believable cover identity, capable of passing an extensive interview and background check.

The case demonstrates North Korea’s ongoing efforts to get fake workers employed in IT roles in Western companies, both as a means of generating revenue for the Democratic People’s Republic of Korea (DPRK) government and to conduct malicious cyber intrusions.

Stu Sjouwerman, Chief Executive Officer and President at KnowBe4, noted: “This is a well-organized, state-sponsored, large criminal ring with extensive resources. The case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT and security teams in protecting against advanced persistent threats.”

How a Fake Worker Gained Employment

KnowBe4 advertised for a software engineer role within its internal IT AI team and received a resume from an individual using a valid but stolen US-based identity. The picture provided on the application was AI ‘enhanced.’

Four video conference interviews were conducted on separate occasions, confirming the individual matched the photo provided on their application.

A background and other standard pre-hiring checks were carried out and passed due to the stolen identity being used.

Insider Threat Activity Begins Immediately

After employment was confirmed, KnowBe4 sent the remote worker a Mac workstation.

KnowBe4’s EDR software quickly detected suspicious activities taking place on the device at 21.55 EST on July 15, including the downloading of malware.

These activities included manipulating session history files, transferring potentially harmful files, and executing unauthorized software. A Raspberry Pi was used to download the malware.

The firm’s Security Operations Center (SOC) was alerted and assessed that these activities could be intentional and that the worker might be an insider threat or nation-state actor.

The SOC contacted the worker about the activity, who responded that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.

The SOC also attempted to get the fake worker on a call; he stated he was unavailable and then became unresponsive. The SOC contained the device at around 22.20 EST.

KnowBe4 shared its findings with threat intelligence firm Mandiant and the FBI. This uncovered that the fake employee was part of a North Korea-sponsored criminal outfit specializing in these IT worker scams.

Once employment is gained, the fake worker requests that the workstation be sent to an address that is an “IT mule laptop farm.” They then use VPNs to access the workstation from their real physical location, which is usually North Korea or China.

“The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs,” explained Sjouwerman.

How to Detect Fake IT Worker Scams

KnowBe4 set out advice on how companies can avoid employing fake North Korean IT workers based on its experience, including:

  • Stronger background checks, flagging any small discrepancies, such as inconsistencies in address and date of birth across different sources
  • Do not rely on email references for employees
  • Better resume scanning for career inconsistencies
  • Make sure remote IT workers are physically where they are supposed to be
  • Get these people on video camera and ask them about the work they are doing
  • Scan all remote devices to ensure they are not accessed remotely
  • Implement enhanced monitoring for any continued attempts to access systems
  • Review and strengthen access controls and authentication processes
  • Provide security awareness training for employees, including HR teams, that highlights these tactics
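The first recommendation above, flagging small discrepancies in address and date of birth across sources, is easy to miss when each source is reviewed in isolation and dates or addresses are written in different styles. The following is an added example, not code from KnowBe4, Cyware or Infosecurity Magazine: it normalizes each field so that purely cosmetic differences (date format, street abbreviations, punctuation) do not raise noise, then reports any field where the sources still disagree. The source names, field names and candidate records are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Date formats accepted from the various sources (assumed set, extend as needed).
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%d %b %Y", "%B %d, %Y")

# Common street and unit abbreviations so "North Main Street" == "N Main St".
ADDRESS_ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
    "apartment": "apt", "suite": "ste",
    "north": "n", "south": "s", "east": "e", "west": "w",
}


def normalize_dob(value):
    """Return an ISO date string, or an 'unparseable:' marker that will never match."""
    value = value.strip()
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).date().isoformat()
        except ValueError:
            continue
    return "unparseable:" + value


def normalize_address(value):
    """Lowercase, drop punctuation, expand/contract common abbreviations."""
    tokens = re.sub(r"[^\w\s]", " ", value.lower()).split()
    return " ".join(ADDRESS_ABBREVIATIONS.get(t, t) for t in tokens)


def normalize_generic(value):
    return " ".join(value.lower().split())


NORMALIZERS = {"dob": normalize_dob, "address": normalize_address}


def find_identity_discrepancies(records):
    """records: {source_name: {field: raw_value}}.

    Returns {field: {normalized_value: [sources]}} for every field on which
    the sources disagree after normalization. An empty dict means consistent.
    """
    by_field = defaultdict(lambda: defaultdict(list))
    for source, fields in records.items():
        for field, raw in fields.items():
            norm = NORMALIZERS.get(field, normalize_generic)(raw)
            by_field[field][norm].append(source)
    return {field: dict(values) for field, values in by_field.items() if len(values) > 1}


# Constructed sample: three sources for one applicant. The address differs only
# in style across sources; the date of birth on the tax form is one year off.
CANDIDATE_RECORDS = {
    "application":      {"name": "Jane Doe", "dob": "1990-03-14",
                         "address": "123 North Main Street, Apt 4"},
    "background_check": {"name": "Jane Doe", "dob": "03/14/1990",
                         "address": "123 N Main St Apt 4"},
    "tax_form":         {"name": "Jane Doe", "dob": "03/14/1989",
                         "address": "123 N. Main St., Apt. 4"},
}


if __name__ == "__main__":
    for field, values in find_identity_discrepancies(CANDIDATE_RECORDS).items():
        print(f"DISCREPANCY in {field}:")
        for value, sources in values.items():
            print(f"  {value!r} reported by {', '.join(sources)}")
```

Run on the sample, the address is treated as consistent across all three sources, while the date of birth is reported with the tax form as the odd one out, which is exactly the kind of one-digit mismatch a manual reviewer tends to wave through. Unparseable dates are kept as distinct values on purpose so that a malformed entry is surfaced rather than silently ignored.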

Source: https://www.infosecurity-magazine.com/news/north-korean-hackers-targeted