What Can Be Learned from KnowBe4’s North Korean IT Hire?
KnowBe4 shares insight into a recent insider threat experience to raise awareness of the North Korean IT worker scheme.
Do you know who you are hiring for remote work at your company? Enterprises have exhaustive hiring processes to answer that very question, but insider threats can still slip through those nets. KnowBe4 recently experienced that firsthand. The cybersecurity company hired a person for its internal IT AI team only to later discover that person was part of a common scam employed by the Democratic People’s Republic of Korea (DPRK).
KnowBe4 opted to be transparent about the incident, publishing a series of blogs and speaking to InformationWeek, in hopes of raising awareness of this particular threat. What can we learn from their experience, and how could it be prevented from happening at other companies?
Discovering an Insider Threat
KnowBe4 conducted its standard hiring process in this case, including several video interviews, reference checks, and a background check. The remote worker appeared to be a fit for the job.
“The guy knew his resume inside and out,” Brian Jack, CISO and data protection officer of KnowBe4, tells InformationWeek. “He showed examples of things that he'd done at previous companies.”
In addition to a solid work history, the candidate’s Social Security number and criminal background check were validated via the E-Verify system. The new hire was given a start date.
The IT worker requested that his equipment be sent to a different location than the one he had told KnowBe4 he would work from. This kind of request is not unheard of, according to Jack.
“Especially new hires, they're coming out of college, and they're transitioning into their first apartment and then need the equipment sent to another place. So, it comes up sometimes,” he says.
The IT worker received the equipment. The day before his start date, he began to load malware. The infostealer malware was likely seeking credentials for privilege escalation.
“We feel like they were struggling to get the machine configured for remote access by the North Korean IT worker,” Jack explains.
KnowBe4’s endpoint security software detected the malware, and its SOC jumped into action. They reached out to the worker, who gave a suspicious story. “At that point, we never heard back from them, and so their machine was contained, their account was restricted,” Jack shares.
The IT worker’s employment was terminated before onboarding even began. No authorized system access was gained, and no data was compromised. But KnowBe4 was still left with unsettling questions about what exactly this person was hoping to accomplish.
Jack reached out to Mandiant and shared this story, and their team confirmed that this incident was a North Korean IT worker scam.
North Korean IT Workers
How does this scam work? The individual KnowBe4 hired was using the stolen identity of a US citizen. The image on the ID provided to the company had been swapped for one of the threat actor.
“The interviews over Zoom were very believable that we were in fact talking to the person who we thought we were talking to,” says Jack.
AI had a role to play in this particular incident as well. The IT worker provided an image for use in the employee directory. A reverse image search revealed that the image had been modified using AI.
KnowBe4 is hardly the only target of this kind of threat. Earlier this year, the US Department of State’s Rewards for Justice (RFJ) program announced a $5 million reward for information on North Korean IT workers.
IT workers hired by a company might request to have their equipment sent to a specific location, often a laptop farm. People located in the US can help the IT workers by securing stolen identities and hosting the equipment sent by the hiring companies. Then, North Korean IT workers will use a VPN to work from their actual location, which may be in North Korea or in China, KnowBe4 explains in a blog.
“Say there's 10 people … IT workers, living in an apartment. Each one can run from between seven and 10 profiles or personas at different companies,” Michael Barnhart, the lead of DPRK operations with Mandiant, a cybersecurity subsidiary of Google Cloud, tells InformationWeek. “So, that's over 70 personas getting paychecks out of one apartment.”
Often the motivation for this scam is financial. The paychecks are used to fund the North Korean government. “IT workers historically are just there to supplement the regime,” explains Barnhart. “Instead of top-down funding, it's bottom up.”
But there could be motivation beyond simple financial gain. Barnhart warns that there is increasing overlap between IT worker scams and APT (advanced persistent threat) groups, such as APT45.
“IT workers at locations of strategic importance, a bank, a nuclear facility … Those guys are getting tapped by APT operators to move aside to do operations,” he says.
The US Department of Justice is offering a $10 million reward for information regarding APT45 (aka Andariel) and related threat actors. The North Korean group is linked to ransomware attacks on healthcare organizations and breaches in several other industries.
The placement of North Korean IT workers in enterprises around the world has the potential to cause significant damage, according to Barnhart. “The Sony hack, DarkSeoul … we know for a fact that if push comes to shove, they will destroy something,” he says. “Now couple that with the fact that you have IT workers with placement and access into Fortune 500 companies all over the world.”
Ongoing Insider Threats
The KnowBe4 team decided to be transparent about experiencing this scam in an attempt to raise awareness for other enterprises. What lessons can other leaders take from this incident and reduce their own risk?
This particular incident is a solid reminder of the importance of strong technical controls. As a new hire, the IT worker had limited access to KnowBe4’s systems. He was able to access email, Slack, and the human resources information system (HRIS) to declare his benefits. The principle of least privilege ensured he could not explore more systems on the KnowBe4 network. And then, the company’s endpoint software immediately detected the attempt to load malware.
“It was an appropriate incident response that showed that the technical controls to block and remediate and remove something of this nature worked,” says Jack. “So, we take the lessons learned of the areas that didn't work, which is in the hiring process, and we try to figure out how we can do that part better.”
KnowBe4 is making changes to its hiring process following this incident. Jack is working with the hiring department to raise awareness of potential red flags, such as name change requests prior to start dates and requests to ship equipment to locations not included in the original application. The company is also implementing a process for in-person ID verification.
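The red flags described above lend themselves to a simple correlation check between HR onboarding data and endpoint telemetry. The following is an added example, not code from KnowBe4 or Mandiant: it flags equipment shipped to an address that is not on the original application, a name change requested before the start date, and any endpoint alert on a device whose assigned owner has not yet started. All names, addresses, dates and alert records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
import re

@dataclass
class Hire:
    """Onboarding record (all fields constructed for this example)."""
    name: str
    application_address: str            # address given on the original application
    ship_to_address: str                # where the hire asked for equipment to be sent
    start_date: date
    name_change_requested_on: Optional[date] = None

@dataclass
class EndpointAlert:
    """Alert from endpoint security, keyed to the device's assigned owner."""
    device_owner: str
    detected_on: date
    category: str                       # e.g. "infostealer"

def _norm(addr: str) -> str:
    # Lowercase, drop punctuation and collapse spaces so cosmetic differences don't mask a real mismatch
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())

def onboarding_red_flags(hire: Hire, alerts: List[EndpointAlert]) -> List[str]:
    """Return the pre-start red flags for one hire, in a fixed order."""
    flags = []
    if _norm(hire.ship_to_address) != _norm(hire.application_address):
        flags.append("equipment shipped to an address not on the original application")
    if hire.name_change_requested_on and hire.name_change_requested_on < hire.start_date:
        flags.append("name change requested before start date")
    for a in alerts:
        # Any alert on a device whose owner has not started yet deserves SOC escalation
        if a.device_owner == hire.name and a.detected_on < hire.start_date:
            days = (hire.start_date - a.detected_on).days
            flags.append(f"{a.category} alert on assigned device {days} day(s) before start")
    return flags

# Constructed sample data, loosely modelled on the incident described in the article
SAMPLE_HIRE = Hire(
    name="Sample Hire",
    application_address="100 Main St., Springfield, IL",
    ship_to_address="42 Other Ave, Anytown, TX",
    start_date=date(2024, 7, 16),
)
SAMPLE_ALERTS = [
    EndpointAlert("Sample Hire", date(2024, 7, 15), "infostealer"),
    EndpointAlert("Someone Else", date(2024, 7, 15), "infostealer"),
]

if __name__ == "__main__":
    for f in onboarding_red_flags(SAMPLE_HIRE, SAMPLE_ALERTS):
        print("RED FLAG:", f)
```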
“Organizations really have to beef up their verification process,” says Barnhart.
While enterprise teams have the ability to do so with internal hires, that process becomes more challenging with contract IT workers, a commonly used resource.
“You're not conducting background checks on contract workers. It's just written in the contract that you trust the contracting firm has done that. But what are their hiring practices?” Jack asks.
GenAI in the hands of threat actors also complicates matters. In-person interviews and verification aren’t always possible, and deepfakes are becoming increasingly sophisticated and convincing. While AI was just one small element of the IT worker scam attempted at KnowBe4, it could easily be employed in video and audio interviews elsewhere.
“From a defense side of house, we're going to have to get better at actually detecting when AI is used,” Barnhart urges.
Strong technical and hiring controls are vital, but simple awareness of this threat is important, too.
“Maybe if we have a bunch of other companies and organizations out there that are looking for it, able to detect it…they can report it to the FBI. The FBI can work the case and try to make it a lot harder for this to be successful,” says Jack.