Cybersecurity company KnowBe4 is warning companies to review their hiring practices after it mistakenly hired a North Korean state-sponsored threat actor as a Principal Software Engineer.
Despite performing background checks, contacting the applicant’s references, and conducting four video interviews to verify that the applicant’s face matched that on his CV, KnowBe4 didn’t detect anything unusual.
That changed when, immediately after receiving his company-issued laptop, the new hire began installing malware designed to steal data stored in web browsers, likely to obtain credentials left over from the IT department's initial provisioning process.
When the company's SOC reached out to assist, the new hire gave a fake reason for installing the malware and eventually ceased contact. At that point, KnowBe4 was highly suspicious and ultimately decided to disable the employee's account. The company contacted the FBI, which advised that the employee in question was a North Korean state-sponsored threat actor.
A subsequent internal investigation revealed that the threat actor had submitted a U.S. person's stolen identity and used AI tools to create a profile picture that would match his face during the video interviews. Additionally, instead of his home address in North Korea, the threat actor had his laptop shipped to a known ‘IT mule laptop farm’ to which he would log in remotely, obscuring his true location.
Ultimately, KnowBe4’s security controls worked by preventing the threat actor from successfully installing malware and breaching its network. While the company had no legal duty to disclose this case, it felt that other companies could learn from this event and implement hiring practices to prevent similar insider threats in the future.
The company recommends that other organizations isolate new hires from their most critical networks and ensure that any new hire's external devices aren't used remotely. Furthermore, shipping address inconsistencies should be treated as a red flag and thoroughly investigated.
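The three recommendations above can be turned into a routine check over onboarding records. The following is an added example, not code from the article, KnowBe4 or Field Effect: it takes a constructed set of new-hire records (stated home address, laptop shipping address, and device login events tagged by session type and network segment) and raises a flag for each red flag the article names. The probation window, segment names, session labels and sample data are all assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values: isolate new hires for 90 days, and treat these
# segment tags as the "most critical networks" the article refers to.
PROBATION_DAYS = 90
CRITICAL_SEGMENTS = {"prod-db", "build-signing"}


@dataclass
class LoginEvent:
    when: datetime
    session: str   # "console" (someone at the keyboard) or "remote" (remote-control session)
    segment: str   # network segment the session touched (assumed tag names)


@dataclass
class NewHire:
    name: str
    start: datetime
    stated_address: str
    shipping_address: str
    logins: list[LoginEvent] = field(default_factory=list)


def normalize(addr: str) -> str:
    """Crude address normalisation so case and punctuation do not hide a match."""
    return " ".join(addr.lower().replace(",", " ").split())


def assess(hire: NewHire, now: datetime) -> list[str]:
    """Return the red flags raised by one onboarding record, sorted for stable output."""
    flags: set[str] = set()

    # Red flag 1: laptop shipped somewhere other than the address the hire gave.
    if normalize(hire.stated_address) != normalize(hire.shipping_address):
        flags.add("shipping address differs from stated home address")

    window_end = hire.start + timedelta(days=PROBATION_DAYS)
    for ev in hire.logins:
        if ev.when > window_end or ev.when > now:
            continue  # outside the probation window; normal monitoring applies
        # Red flag 2: the new hire's device is being driven remotely.
        if ev.session == "remote":
            flags.add(f"remote session to new-hire device on {ev.when:%Y-%m-%d}")
        # Red flag 3: the new hire reached a segment they should be isolated from.
        if ev.segment in CRITICAL_SEGMENTS:
            flags.add(f"new hire reached critical segment '{ev.segment}' on {ev.when:%Y-%m-%d}")
    return sorted(flags)


# Constructed sample records (not real people or addresses).
NOW = datetime(2024, 8, 1)
SAMPLE_HIRES = [
    NewHire("applicant A", datetime(2024, 7, 15),
            "12 Example St, Springfield, IL",
            "12 Example St, Springfield, IL",
            [LoginEvent(datetime(2024, 7, 16, 9), "console", "corp-lan")]),
    NewHire("applicant B", datetime(2024, 7, 15),
            "12 Example St, Springfield, IL",
            "900 Placeholder Ave, Othertown, TX",
            [LoginEvent(datetime(2024, 7, 16, 2), "remote", "corp-lan"),
             LoginEvent(datetime(2024, 7, 17, 3), "remote", "prod-db")]),
]


def run_report(hires: list[NewHire] = SAMPLE_HIRES, now: datetime = NOW) -> dict[str, list[str]]:
    """Assess every record and map hire name to its flags (empty list means clean)."""
    return {h.name: assess(h, now) for h in hires}


if __name__ == "__main__":
    for name, flags in run_report().items():
        print(name, "->", flags or ["no flags"])
```

In practice the login events would come from endpoint or identity telemetry rather than a hand-built list; the point of the check is that each flag is raised on its own, so a single address mismatch is enough to trigger the review the article recommends even before any device activity is seen.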
Source: Bleeping Computer
Analysis
The FBI has issued warnings regarding North Korea's use of this type of insider threat since 2022. According to the FBI, there have been multiple cases of North Korea-based IT workers who have successfully obscured their true identities and gained employment with Western companies. The revenue from these workers' paychecks is then used to fund the regime's weapons programs and cyber operations, as well as to collect intelligence.
While it's fortunate that this case did not result in a breach, it's a grave reminder of the lengths to which threat actors will go to compromise targets of interest. However, this type of operation would likely be limited to state-sponsored threat actors, since it would have required significant resources to plan, prepare, and support.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats from advanced cyber actors engaging in malicious activities, including insider threats. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.
Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.