Here’s a report from KnowBe4 about
How a North Korean Fake IT Worker Tried to Infiltrate Us
NOTE: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems. This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don’t let it happen to you. Story updated 7/24/2024.
KnowBe4 needed a software engineer for our internal IT AI team. We posted the job, received resumes, conducted interviews, performed background checks, verified references and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware.
Our HR team conducted four video-conference-based interviews on separate occasions, confirming the individual matched the photo provided on their application. Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen U.S.-based identity. The picture was AI “enhanced.”
The EDR software detected it and alerted our InfoSec Security Operations Center. The SOC called the new hire and asked if they could help. That’s when it got dodgy fast. We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea. The picture you see is an AI fake that started out with stock photography (below). The detail in the following summary is limited because this is an active FBI investigation.
SUMMARY: This report covers the investigation of Employee ID: XXXX hired as a Principal Software Engineer. On July 15, 2024, a series of suspicious activities were detected on that user account. Based on the SOC team’s evaluation of the activities it was found this may have been intentional by the user and suspected he may be an Insider Threat/Nation State Actor. Upon initial investigation and containment of the host, a more detailed inquiry into the new hire took place.
On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55 pm EST. When these alerts came in, KnowBe4’s SOC team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.
The attacker performed various actions to manipulate session history files, transfer potentially harmful files and execute unauthorized software. He used a Raspberry Pi to download the malware. SOC attempted to get more details from XXXX including getting him on a call. XXXX stated he was unavailable for a call and later became unresponsive. At around 10:20 pm EST SOC contained XXXX’s device.
How this works is that the fake worker asks to get their workstation sent to an address that is basically an “IT mule laptop farm.” They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in the U.S. daytime. The scam is that they are actually doing the work, getting paid well, and giving a large amount to North Korea to fund their illegal programs. I don’t have to tell you about the severe risk of this. It’s good we have “Knewbies” in a sandbox when they start. Our controls caught it, but that was sure a learning moment that I am happy to share with everyone.
TIPS TO PREVENT THIS
- Scan your remote devices, to make sure no one remotes into those
- Better vetting, making sure that they are physically where they are supposed to be.
- Better resume scanning for career inconsistencies
- Get these people on video camera and ask them about the work they are doing
- The laptop’s shipping address different from where they are supposed to live/work is a red flag
RECOMMENDED PROCESS IMPROVEMENT
- Background check appears inadequate. Names used were not consistent.
- References potentially not properly vetted. Do not rely on email references only.
- Implement enhanced monitoring for any continued attempts to access systems
- Review and strengthen access controls and authentication processes
- Conduct security awareness training for employees, emphasizing social engineering tactics
WHAT TO LOOK OUT FOR:
- Use of VOIP numbers and lack of digital footprint for provided contact information
- Discrepancies in address and date of birth across different sources
- Conflicting personal information (marital status, “family emergencies” explaining unavailability)
- Sophisticated use of VPNs or VMs for accessing company systems
- Attempt to execute malware and subsequent cover-up efforts
ALERT HR ABOUT:
The subject has demonstrated a high level of sophistication in creating a believable cover identity, exploiting weaknesses in the hiring and background check processes, and attempting to establish a foothold within the organization’s systems.
This is a well-organized, state-sponsored, large criminal ring with extensive resources. The case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats. Left is the original stock picture. Right is the AI fake submitted to HR.
Recommended Resources:
Frequently Asked Questions About KnowBe4’s Fake IT Worker Blog
Google: Assessed Cyber Structure and Alignments of North Korea in 2023
Mandiant Podcast on Spotify: The North Korean IT Workers
Mandiant Blog
Brian Krebs shared the post on LinkedIn and the comments are heartwarming.
ShareJUL
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com