Cybersecurity awareness training company KnowBe4 has revealed it was duped into hiring a fake IT worker from North Korea, resulting in attempted insider threat activity.
The malicious activity was identified and prevented before any illegal access was gained or any data was compromised on KnowBe4 systems.
In a blog published on July 23, 2024, KnowBe4 detailed the high level of sophistication used by North Korean attackers in creating a believable cover identity, capable of passing an extensive interview and background check.
The case demonstrates North Korea’s ongoing efforts to get fake workers employed in IT roles in Western companies, both as a means of generating revenue for the Democratic People’s Republic of Korea (DPRK) government and to conduct malicious cyber intrusions.
Stu Sjouwerman, Chief Executive Officer and President at KnowBe4, noted: “This is a well-organized, state-sponsored, large criminal ring with extensive resources. The case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT and security teams in protecting against advanced persistent threats.”
How a Fake Worker Gained Employment
KnowBe4 advertised for a software engineer role within its internal IT AI team and received a resume from an individual using a valid but stolen US-based identity. The picture provided on the application was AI ‘enhanced.’
Four video conference interviews were conducted on separate occasions, confirming the individual matched the photo provided on their application.
A background and other standard pre-hiring checks were carried out and passed due to the stolen identity being used.
Insider Threat Activity Begins Immediately
After employment was confirmed, KnowBe4 sent the remote worker a Mac workstation.
KnowBe4’s EDR software quickly detected suspicious activities taking place on the device at 21.55 EST on July 15, including the downloading of malware.
These activities included various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. A raspberry pi was used to download the malware.
The firm’s Security Operations Center (SOC) was alerted, who evaluated that these activities may be intentional, and that the worker may be an insider threat/nation state actor.
The SOC contacted the worker about the activity, who responded that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.
The SOC also attempted to get the fake worker on a call, who stated he was unavailable for a call and then became unresponsive. The SOC then contained the device at around 22.20 EST.
KnowBe4 shared its findings with threat intelligence firm Mandiant and the FBI. This uncovered that the fake employee was part of a North Korea-sponsored criminal outfit specializing in these IT worker scams.
Once employment is gained, the fake workers requests their workstation is sent to an address that is an “IT mule laptop farm.” They then use VPNs to access the workstation from their real physical location, which is usually North Korea or China.
“The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs,” explained Sjouwerman.
How to Detect Fake IT Worker Scams
KnowBe4 set out advice on how companies can avoid employing fake North Korean IT workers based on its experience, including:
- Stronger background checks, flagging any small discrepancies, such as inconsistencies in address and date of birth across different sources
- Do not rely on email references of employees
- Better resume scanning for career inconsistencies
- Make sure remote IT workers are physically where they are supposed to be
- Get these people on video camera and ask them about the work they are doing
- Scan all remote devices to ensure they are not accessed remotely
- Implement enhanced monitoring for any continued attempts to access systems
- Review and strengthen access controls and authentication processes
- Provide security awareness training for employees, including HR teams, that highlight these tactics