KnowBe4 reveals it accidentally hired a North Korean hacker
Cybersecurity awareness company KnowBe4 warns of the dangers of nation-state hackers entering your perimeter.
You have to hand it to KnowBe4: not many companies in the cybersecurity business would admit that they mistakenly hired a North Korean hacker, but that’s exactly what the American cybersecurity awareness company has done.
The company went through the usual hiring process: the job was posted, applicants were interviewed, references were checked, and finally the position was filled.
KnowBe4 sent the new employee his new Mac laptop on June 15.
Then the malware activity began.
“The EDR software detected it and alerted our InfoSec Security Operations Center. The SOC called the new employee and asked if they could help,” Stu Sjouwerman, founder and CEO of KnowBe4, said in a blog post overnight.
“That’s when everything became unreliable.”
What KnowBe4 had done was hire a fake IT worker, a well-known scam operated by North Korean and Chinese threat actors. The laptop had ended up in what is known as an “IT mule farm,” which the “new employee” connected to via a VPN from North Korea. The hacker worked the night shift in his own time zone so that he appeared to be working US hours.
Furthermore, the hacker even provided a deepfake profile image to KnowBe4’s human resources department.
“The scam is that they are actually doing the job, getting paid well, and giving a large amount to North Korea to fund their illegal programs,” Sjouwerman said.
“I don’t have to tell you about the serious risk of this.”
Once malicious activity was detected, KnowBe4 launched an investigation. The company contacted the suspicious employee, who said the activity was due to an attempt to troubleshoot a router issue. The hacker continued to load malware through a Raspberry Pi device while manipulating session history files.
KnowBe4 tried to call the worker, but the hacker said he was unavailable and soon after stopped responding completely. The first malicious activity was detected at 9:55 p.m., and after losing contact with the hacker, KnowBe4’s SOC locked the device at around 10:20 p.m.
No harm was done.
The FBI was called and data collected during the incident was shared with cybersecurity company Mandiant. Both confirmed what KnowBe4 had suspected: that the “new employee” was, in fact, fake.
Sjouwerman said the best way to handle insider threats like this is to continuously scan remote devices for remote access by third parties, improve vetting processes, and scan résumés for inconsistencies in a potential employee’s work history.
“This case highlights the critical need for stronger investigation processes, continuous security monitoring, and better coordination between human resources, IT, and security teams to protect against advanced persistent threats,” Sjouwerman said.
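As an added illustration of the recommendation above (this is example code written here, not KnowBe4’s, Mandiant’s, or any EDR vendor’s), the script below runs simple detection logic over a constructed set of endpoint events: it flags launches of remote-control software, shell history files modified or deleted by something other than a shell, and activity concentrated in off-hours for the location the employee declared to HR, and it raises a device that is still inside a 30-day onboarding window. The event format, device names, roster, timestamps and thresholds are all assumptions made up for the example.

```python
"""Scan endpoint events for remote-access indicators on newly onboarded devices.

Added example; the event format, device names, roster and timestamps below
are constructed for illustration and are not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import os

# Constructed EDR-style events: timestamp(UTC)|device|event_type|process|detail
SAMPLE_EVENTS = """\
2024-06-17T02:05:00Z|NEWHIRE-MAC-01|process_start|AnyDesk|/Applications/AnyDesk.app/Contents/MacOS/AnyDesk
2024-06-17T02:30:00Z|NEWHIRE-MAC-01|process_start|curl|/usr/bin/curl
2024-06-17T03:10:00Z|NEWHIRE-MAC-01|file_modify|vim|/Users/newhire/.zsh_history
2024-06-17T03:12:00Z|NEWHIRE-MAC-01|file_delete|rm|/Users/newhire/.bash_history
2024-06-17T15:00:00Z|ENG-MAC-07|process_start|zsh|/bin/zsh
2024-06-17T15:01:00Z|ENG-MAC-07|file_modify|zsh|/Users/eng/.zsh_history
2024-06-17T17:30:00Z|ENG-MAC-07|process_start|Slack|/Applications/Slack.app/Contents/MacOS/Slack
"""

# Constructed HR roster: onboarding date and the UTC offset of the location
# the employee declared (US Eastern daylight time is UTC-4).
ROSTER = {
    "NEWHIRE-MAC-01": {"onboarded": "2024-06-15", "utc_offset_hours": -4},
    "ENG-MAC-07": {"onboarded": "2022-01-10", "utc_offset_hours": -4},
}

# Remote-control products commonly seen on endpoints; matched case-insensitively.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "rustdesk", "screenconnect", "logmein"}
SHELL_HISTORY_FILES = {".bash_history", ".zsh_history", ".sh_history"}
# Processes expected to write shell history; anything else is treated as tampering (heuristic).
SHELLS = {"bash", "zsh", "sh"}
NEW_HIRE_WINDOW = timedelta(days=30)   # assumed onboarding window
OFF_HOURS = set(range(22, 24)) | set(range(0, 6))  # 22:00-05:59 local, assumed


def parse_events(text):
    """Parse pipe-delimited event lines into dicts with aware UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, etype, proc, detail = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "device": device, "type": etype, "process": proc, "detail": detail,
        })
    return events


def assess_devices(events, roster):
    """Return {device: [finding, ...]}; an empty list means nothing was flagged."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(e)

    findings = {}
    for device, evs in by_device.items():
        found = []
        for e in evs:
            # 1. Remote-control software started on the endpoint.
            if e["type"] == "process_start" and e["process"].lower() in REMOTE_ACCESS_TOOLS:
                found.append(f"remote_access_tool:{e['process']}")
            # 2. Shell history touched by something other than a shell (tamper heuristic).
            if (os.path.basename(e["detail"]) in SHELL_HISTORY_FILES
                    and e["type"] in ("file_modify", "file_delete")
                    and e["process"].lower() not in SHELLS):
                found.append(f"shell_history_tamper:{e['type']}:{e['process']}")

        info = roster.get(device)
        if info:
            # 3. Activity mostly outside working hours for the declared location.
            offset = timedelta(hours=info["utc_offset_hours"])
            off = sum(1 for e in evs if (e["ts"] + offset).hour in OFF_HOURS)
            if off / len(evs) >= 0.5:
                found.append(f"off_hours_activity:{off}/{len(evs)}")
            # 4. Anything flagged on a device still inside the onboarding window.
            onboarded = datetime.strptime(info["onboarded"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
            if found and max(e["ts"] for e in evs) - onboarded <= NEW_HIRE_WINDOW:
                found.append("new_hire_window")
        findings[device] = found
    return findings


if __name__ == "__main__":
    for device, found in assess_devices(parse_events(SAMPLE_EVENTS), ROSTER).items():
        print(device, "->", found or "clean")
```

In practice the roster would come from the HR system and the events from the EDR’s export or API, which is the HR/IT/security coordination the article calls for; the thresholds here are starting points to tune, not fixed rules.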