Security awareness and training provider KnowBe4 hired a fake North Korean IT worker for a software engineering role on its AI team, and only realized its mistake once the worker started using his company-provided computer for evil.

KnowBe4 'fessed up to the hire in a Tuesday post from CEO Stu Sjouwerman. He explained that his HR team conducted four video interviews with the candidate, confirmed their appearance matched a photo included with a job the application, and conducted background checks.

Everything checked out OK, the faker was hired, and a Mac dispatched so they could start work.

Which is when the trouble started.

"We sent them their Mac workstation, and the moment it was received, it immediately started to load malware," Sjouwerman wrote.

It turns out the new hire used a stolen US-based ID and a stock photo - modified with AI - to fake their identity.

Thankfully, KnowBe4's security software detected the malware, leading to a probe that uncovered the faker.

When the security operation center (SOC) called the employee to address the malware, things "got dodgy fast."

The attacker claimed he was simply troubleshooting a speed issue with his router, and that it may have caused a compromise. KnowBe4's help desk tried to call the worker, but he soon became unresponsive.

An investigation revealed the attacker had manipulated session history files, transferred potentially harmful files, and executed unauthorized software.

"No illegal access was gained, and no data was lost or compromised on any KnowBe4 systems," the somewhat chastened security biz clarified. The time from KnowBe4's security operations center identifying the malware to the Mac being neutered was around 25 minutes.

KnowBe4 reckons the laptop was sent to an "IT mule laptop farm" - facilities in North Korea or China where fake workers ply their trade, using VPNs to hide their location.

"The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs," wrote Sjouwerman.

The FBI has been alerted. Sjouwerman suggested others could avoid such incidents by monitoring devices that offer remote access, and better vetting to confirm a candidate's location. Use of VOIP numbers and lack of digital footprint for provided contact information should be a red flag, as should conflicting personal information and sophisticated use of VPNs.

North Korea's attempts to have its citizens pose as tech workers to earn money, and find malware targets, is well documented - but not something the average employer runs across every day.

However, infiltration is quite an admission from a business that aims to help organizations manage the ongoing problem of social engineering.

Infosec luminary Brian Krebs praised KnowBe4's transparency. "Kudos to them for publishing this. If it can happen to a security awareness company, it can happen to anyone." ®

https://www.theregister.com//2024/07/24/knowbe4_north_korean/