2024-07-25
KnowBe4 Hired a North Korean Hacker Who Used a Stolen Identity
Security firm KnowBe4 is sharing a cautionary tale. A North Korean hacker used a stolen identity to apply for a position as a software engineer at KnowBe4. Thanks to the stolen identity, the individual passed background checks, their references were validated, and they were hired. Once the person received their Mac workstation, the machine began loading malware onto the company network. The case is being investigated by the FBI.
Editor's Note
This is a good news story: The endpoint protection software detected the malicious activity, and the SOC paid attention and took swift action. Companies may also reconsider remote-only hiring. Deepfakes are only getting better, and having an in-person meeting with a candidate should be required.
Johannes Ullrich
Forward KnowBe4's 'Tips to Prevent This' to your HR Manager, CIO and COO.
John Pescatore
Interestingly, they hired this person for an AI position; interviews were virtual and likely using faked imagery. As Paul Asadoorian postulated: "Had they not begun loading malware, I wonder how long they could have worked there and done other things that are not as obvious (like exfiltrate IP)." No data was lost, the attempt to load malware was detected by the laptop EDR, and this is not a breach notification; in this era of hiring workers we may never see in person, this is a learning opportunity. Just how rigorously are you vetting remote hires? Do you challenge remote workers with different work and shipping addresses? Insist on camera-on interviews? Require more than just email reference checks? Check resumes for career inconsistencies? Identify conflicting personal information and unexplained unavailability? Your HR folks may be more aware of these risks than you think.
Lee Neely
A potential supply chain attack with an insider twist. With today's largely remote workforce, validating identity is difficult, especially with the use of generative AI. In some organizations a new employee may not visit a corporate office for weeks to months, ample time to create mischief. Kudos to KnowBe4 for disclosing, as their tips can be used to guide changes in company hiring processes.
Curtis Dukes
The most important step in IAM is to get the identity right. If one fails in that step, all the authentication down the line will not help. This is true for knowing your customers, employees, partners, vendors, et al. We tend to focus on fraudulent transactions, though fraudulent applications are the greater risk.
William Hugh Murray
This person gets through the process to get hired and, within a week, destroys all their work by trying to subvert their system immediately. Probably not the best operational practice; this could have been much worse.
Moses Frost
Read more in
KnowBe4: How a North Korean Fake IT Worker Tried to Infiltrate Us
The Register: Security biz KnowBe4 hired fake North Korean techie, who got straight to work ... on evil
Ars Technica: North Korean hacker got hired by US security vendor, immediately loaded malware
Security Week: KnowBe4 Hires Fake North Korean IT Worker, Catches New Employee Planting Malware