A North Korean Hacker Tricked a US Security Vendor Into Hiring Him—and Immediately Tried to Hack Them


KnowBe4, a US-based security vendor, revealed that it unwittingly hired a North Korean hacker who attempted to load malware into the company's network. KnowBe4 CEO and founder Stu Sjouwerman described the incident in a blog post this week, calling it a cautionary tale that was fortunately detected before causing any major problems.

"First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems," Sjouwerman wrote. "This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don't let it happen to you."

KnowBe4 said it was looking for a software engineer for its internal IT AI team. The firm hired a person who, it turns out, was from North Korea and was "using a valid but stolen US-based identity" and a photo that was "enhanced" by artificial intelligence. There is now an active FBI investigation amid suspicion that the person is what KnowBe4's blog post called "an Insider Threat/Nation State Actor."

KnowBe4 operates in 11 countries and is headquartered in Florida. It provides security awareness training, including phishing security tests, to corporate customers. If you occasionally receive a fake phishing email from your employer, you might be working for a company that uses the KnowBe4 service to test its employees' ability to spot scams.

Person Passed Background Check and Video Interviews

KnowBe4 hired the North Korean hacker through its usual process. "We posted the job, received résumés, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware," the company said.

Even though the photo provided to HR was fake, the person who was interviewed for the job apparently looked enough like it to pass. KnowBe4's HR team "conducted four video conference based interviews on separate occasions, confirming the individual matched the photo provided on their application," the post said. "Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The picture was AI 'enhanced.'"

The two images at the top of this story are a stock photo and what KnowBe4 says is the AI fake based on the stock photo. The stock photo is on the left, and the AI fake is on the right.

The employee, referred to as "XXXX" in the blog post, was hired as a principal software engineer. The new hire's suspicious activities were flagged by security software, leading KnowBe4's Security Operations Center (SOC) to investigate:

On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55 p.m. EST. When these alerts came in, KnowBe4's SOC team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.

The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware. SOC attempted to get more details from XXXX, including getting him on a call. XXXX stated he was unavailable for a call and later became unresponsive. At around 10:20 p.m. EST, SOC contained XXXX's device.

"Fake IT Worker From North Korea"

The SOC investigation indicated that the loading of malware "may have been intentional by the user," and the group "suspected he may be an Insider Threat/Nation State Actor," the blog post said.

"We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea," Sjouwerman wrote.

KnowBe4 said it can't provide much detail because of the active FBI investigation. But the person hired for the job may have logged into the company computer remotely from North Korea, Sjouwerman explained:

How this works is that the fake worker asks to get their workstation sent to an address that is basically an "IT mule laptop farm." They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in US daytime. The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs. I don't have to tell you about the severe risk of this. It's good we have new employees in a highly restricted area when they start, and have no access to production systems. Our controls caught it, but that was sure a learning moment that I am happy to share with everyone.
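The SOC timeline above (history-file tampering and unauthorized software on a freshly issued workstation, after business hours, followed by containment) and the laptop-farm pattern Sjouwerman describes suggest a simple onboarding-window correlation rule. The following is an added illustration, not KnowBe4's, Mandiant's or the article's code; the allow-list, roster, event format and the sample telemetry are all constructed for the example.

```python
# Added example: score a host's first days after onboarding against the three
# behaviours the article reports, and decide whether to contain it. The
# telemetry schema, allow-list and roster below are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

APPROVED_BINARIES = {"/usr/bin/zsh", "/usr/bin/git", "/usr/bin/ssh"}  # constructed allow-list
HISTORY_FILES = (".zsh_history", ".bash_history")
ONBOARDING_WINDOW = timedelta(days=14)   # new hires in a restricted state for two weeks
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 in the host's local time


@dataclass
class Event:
    host: str
    ts: datetime
    kind: str      # "exec" or "file_write"
    target: str    # executed binary path, or written file path


def score_host(host, hired_on, events):
    """Return (score, reasons): one point per indicator seen inside the onboarding window."""
    window_end = hired_on + ONBOARDING_WINDOW
    recent = [e for e in events if e.host == host and hired_on <= e.ts <= window_end]
    reasons = []
    if any(e.kind == "file_write" and e.target.endswith(HISTORY_FILES) for e in recent):
        reasons.append("session history file modified")
    if any(e.kind == "exec" and e.target not in APPROVED_BINARIES for e in recent):
        reasons.append("unapproved binary executed")
    if any(e.ts.hour not in BUSINESS_HOURS for e in recent):
        reasons.append("activity outside business hours")
    return len(reasons), reasons


def hosts_to_contain(roster, events, threshold=2):
    """Hosts whose score reaches the threshold; the SOC would isolate these first."""
    return sorted(h for h, hired in roster.items() if score_host(h, hired, events)[0] >= threshold)


# Constructed roster and telemetry that mirror the July 15, 9:55 p.m. timeline.
ROSTER = {"ws-new-hire": datetime(2024, 7, 10), "ws-veteran": datetime(2021, 1, 1)}
SAMPLE = [
    Event("ws-new-hire", datetime(2024, 7, 15, 21, 55), "exec", "/tmp/updater"),
    Event("ws-new-hire", datetime(2024, 7, 15, 21, 57), "file_write", "/Users/x/.zsh_history"),
    Event("ws-veteran", datetime(2024, 7, 15, 10, 5), "exec", "/usr/bin/git"),
]

if __name__ == "__main__":
    for host, hired in ROSTER.items():
        print(host, score_host(host, hired, SAMPLE))
    print("contain:", hosts_to_contain(ROSTER, SAMPLE))
```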

This story originally appeared on Ars Technica.
