Saturday, September 7, 2024

U.S. cybersecurity firm detects a fake IT worker from North Korea


KnowBe4, a well-regarded cybersecurity training company based in the U.S., has become yet another victim of a long-running North Korean IT worker scam.

The company’s CEO, Stu Sjouwerman, announced on July 23 that “a North Korean fake IT worker tried to infiltrate us.”

According to Sjouwerman, the company needed a software engineer for its IT AI team. It posted the job, received resumes, conducted interviews, performed background checks, verified references, and hired the person. The company sent him their Mac workstation, and “the moment it was received, it immediately started to load malware.”

The HR team conducted four video conference-based interviews, confirming that the individual matched the photo provided on their application. A background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used.


Left is the original stock picture. Right is the AI deepfake submitted to KnowBe4’s Human Resources department. (KnowBe4)


“This was a real person using a valid but stolen U.S.-based identity,” Sjouwerman said. “The picture was AI ‘enhanced.’”


Upon discovering malicious activities by the worker, the company shared the collected data with Mandiant, a leading global cybersecurity firm, and the FBI. Their investigation confirmed that the individual was a fake IT worker from North Korea.

“On July 15, the attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software,” Sjouwerman said. “He used a Raspberry Pi to download the malware. Our team attempted to get more details from the worker, including getting him on a call. He stated he was unavailable for a call and later became unresponsive. At around 10:20 p.m. EST, the company contained his device.”

Sjouwerman explained that the worker used a VPN from North Korea or over the border in China and worked the night shift to appear as though he was working during U.S. daytime hours. “The scam is that they are actually doing the work, getting paid well, and giving a large amount to North Korea to fund their illegal programs,” he added.

On July 25, Sjouwerman posted another blog to further explain the incident, clarifying that KnowBe4 was not breached.

“This person never had access to any customer data, KnowBe4’s private networks, cloud infrastructure, code, or any KnowBe4 confidential information [since he was a new hire],” he wrote. “They had basic communication apps and a factory-new provisioned laptop. We detected suspicious activity and responded within minutes, quarantining the entire laptop.”

Regarding the possible reason for the worker loading malware on his new machine, Sjouwerman said, “We can only guess, but the malware was an infostealer targeting data stored on web browsers, and perhaps he was hoping to extract information left on the computer before it was commissioned to him.”

He added, “This was a skillful North Korean IT worker, supported by a state-backed criminal infrastructure, using the stolen identity of a U.S. citizen. We will now only ship new employee workstations to a nearby UPS shop and require a picture ID.”

BY YOUNGNAM KIM [kim.youngnam@koreadaily.com]