KnowBe4, a U.S.-based cyber security firm, inadvertently hired a North Korean cyber threat actor posing as a Principal Software Engineer. The infiltrator aimed to deploy an infostealer on company assets but the sketchy activity was rapidly detected before any data compromise:
American cybersecurity company KnowBe4 says a person it recently hired as a Principal Software Engineer turned out to be a North Korean state actor who attempted to install information-stealing malware on its devices.
The firm detected and stopped the malicious actions in time, so no data breach occurred. However, the case highlights the continued threat posed by North Korean threat actors posing as IT staff, something that the FBI has warned about repeatedly since 2023.
The DPRK maintains a highly organized army of IT workers who obscure their true identities to get hired by hundreds of American firms.
The hacker passed extensive background checks and video interviews by using a stolen identity and AI tools to defeat the initial screenings. Fortunately, KnowBe4's security measures detected the threat before any data was compromised, underscoring the persistent and sophisticated tactics North Korean cyber criminals use to infiltrate and exploit U.S. companies. It also highlights the importance of robust detection capabilities that cover not only external threats but internal ones as well.
What I find the most interesting about this incident is the use of generative AI to assist North Korea in crafting what would appear to be legitimate credentials, combined with a genuine IT professional who conducted multiple video interviews:
Before hiring the threat actor, KnowBe4 performed background checks, verified the provided references, and conducted four video interviews to ensure they were a real person and that their face matched the one on their CV.
However, it was later determined that the person had submitted a U.S. person's stolen identity to dodge the preliminary checks, and also used AI tools to create a profile picture and match that face during the video conference calls.
This alarming incident highlights the growing threat from North Korean human IT operatives, who use their positions to fund the nation's weapons and cyber operations. Most cyber security programs are designed to look only for cyber threat activity, not for human-based espionage or disruptive operations.
KnowBe4 should be commended for its rapid detection and response, averting what could have been a disaster.
The incident serves as a stark reminder of the critical need for enhanced vigilance and robust security protocols. Companies are urged to isolate new hires' work environments and scrutinize shipping addresses to prevent similar occurrences in the future.
The full post by KnowBe4 CEO Stu Sjouwerman explains the entire scheme: