It’s a real possibility that cybersecurity companies in the U.S. and elsewhere had better add to their checklist when hiring if it’s not there already. A bad-guy, state-backed actor based in a country like North Korea, China, or Russia may seem to be local, to have all the right credentials and background, to check out fine—but starts sabotaging your system as soon as he gains access.
According to the account by KnowBe4 CEO Stu Sjouwerman, the firm initially fell for the fake application but was quick to prevent damage when the bad guy, really in North Korea, tried to do his worst. Luckily, “No illegal access and was gained and no data was lost, compromised, or exfiltrated….” (“How a North Korean Fake IT Worker Tried to Infiltrate Us,” July 23, 2024).
Our HR team conducted four video conference–based interviews on separate occasions, confirming the individual matched the photo provided on their application. Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The picture was AI “enhanced.”
The EDR software detected it and alerted our InfoSec Security Operations Center. The SOC called the new hire and asked if they could help. That’s when it got dodgy fast. We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea. The picture you see is an AI fake that started out with stock photography [shown above; stock photo on left, enhancement on right]. The detail in the following summary is limited because this is an active FBI investigation.
See the KnowBe4 post for more about what the attacker did and how the company realized what was happening before it was too late. Sjouwerman also offers “tips to prevent this,” “recommended process improvement,” and “what to look out for.”
The attack on KnowBe4 was perpetrated by “a well-organized, state-sponsored, large criminal ring with extensive resources,” he says. “The case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats.”
Also see:
Associated Press: “Chinese hackers have stepped up attacks on Taiwanese organizations, cybersecurity firm says” (June 24, 2024)
“A suspected Chinese state-sponsored hacking group has stepped up its targeting of Taiwanese organizations, particularly those in sectors such as government, education, technology and diplomacy, according to cybersecurity intelligence company Recorded Future.”
