North Korean Cyberespionage Inside KnowBe4 Company – A Massive Wake-Up Call For Cybersecurity Industry

How a North Korean Agent Infiltrated KnowBe4

Primary Category: Cybersecurity

Authors:
•  SCARS Editorial Team – Society of Citizens Against Relationship Scams Inc.
•  Portions KnowBe4 and other sources

About This Article

KnowBe4 recently uncovered that a newly hired remote software engineer, who passed both interview and background checks, was actually a North Korean agent.

The discovery was made after suspicious activity linked to a company-issued MacBook raised red flags. The company’s IT and security teams acted quickly, restricting access and launching an investigation. They found that the individual had loaded malware onto the device and used a single-board computer to manipulate data.

KnowBe4 collaborated with the FBI and Mandiant, concluding that the worker was part of a North Korean operation posing as IT staff to infiltrate American companies.

The incident highlights the importance of continuous monitoring and robust security measures, even post-hiring, to safeguard against internal threats.

Incident at KnowBe4: The Unexpected Discovery of a North Korea Agent on the Payroll

KnowBe4, a leading provider of security awareness training and simulated phishing platform, recently experienced a surprising incident involving a newly hired remote software engineer. The company, known for its work in educating organizations about cybersecurity threats, discovered an anomaly after onboarding the employee, despite the individual having passed both the interview and background check processes.

The Onboarding Process

The new hire was brought on board as a remote software engineer, a common practice in the tech industry that has become even more prevalent in recent years. As part of their standard procedure, KnowBe4 sent the employee a company-issued MacBook to ensure they had the necessary tools to perform their job duties securely. This equipment provisioning step is critical for maintaining a secure working environment, especially for remote workers who may not have access to the company’s internal networks.

Discovery of the Anomaly

Shortly after sending the MacBook, KnowBe4’s IT and security teams noticed unusual activity linked to the device. This discovery prompted a more thorough investigation into the circumstances surrounding the new hire. According to internal sources, the activity raised red flags due to its unusual nature, inconsistent with standard practices expected from new employees.

In a statement, KnowBe4’s CEO, Stu Sjouwerman, emphasized the importance of vigilance even after hiring processes are complete. “Our commitment to security doesn’t end with the hiring process. We continuously monitor all aspects of our operations to ensure the highest level of security, especially in our own backyard,” Sjouwerman said.

Actions Taken by KnowBe4

According to CyberScoop:

An internal investigation started when KnowBe4’s InfoSec Security Operations Center team detected “a series of suspicious activities” from the new hire. The remote worker was sent an Apple laptop, which was flagged by the company on July 15 when malware was loaded onto the machine. The AI-filtered photo, meanwhile, was flagged by the company’s Endpoint Detection and Response software.

Later that evening, the SOC team had “contained” the fake worker’s systems after he stopped responding to outreach. During a roughly 25-minute period, “the attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software,” Sjouwerman wrote in the post. “He used a [single-board computer] raspberry pi to download the malware.”

From there, the company shared its data and findings with the FBI and with Mandiant, the Google-owned cyber firm, and came to the conclusion that the worker was a fictional persona operating from North Korea.

KnowBe4 said the fake employee likely had his workstation connected “to an address that is basically an ‘IT mule laptop farm.’” They’d then use a VPN to work the night shift from where they actually reside — in this case, North Korea “or over the border in China.” That work would take place overnight, making it appear that they’re logged on during normal U.S. business hours.

Upon discovering the suspicious activity, KnowBe4 acted swiftly to mitigate any potential threats. The company immediately restricted the new employee’s access to internal systems and launched a comprehensive review of the incident. The employee was placed on administrative leave pending further investigation.

“We take any potential security breach very seriously, regardless of the source. Our protocols are designed to detect and respond to any anomalies quickly and efficiently,” Sjouwerman added.

Implications and Lessons Learned

According to Bleeping Computer

The firm detected and stopped the malicious actions in time, so no data breach occurred. However, the case highlights the continued threat posed by North Korean threat actors posing as IT staff, something that the FBI has warned about repeatedly since 2023.

The DPRK maintains a highly organized army of IT workers who obscure their true identities to get hired by hundreds of American firms.

Revenue generated by these workers are used to fund the country’s weapons programs and cyber operations, as well as to collect intelligence.

This incident underscores the importance of not only thorough vetting during the hiring process but also maintaining robust security measures post-hiring. KnowBe4, with its expertise in cybersecurity training, is in a unique position to highlight the potential vulnerabilities that can arise even from trusted internal sources.

KnowBe4’s response to the incident demonstrates the company’s commitment to its mission of enhancing security awareness and maintaining a secure environment for its operations and clients. The company is conducting a thorough review to determine if any sensitive information was accessed or compromised.

The incident also serves as a reminder to other organizations of the critical need for continuous monitoring and the importance of having protocols in place to quickly identify and address any unusual activity.

Conclusion

While the incident at KnowBe4 is still under investigation, it highlights the evolving nature of cybersecurity threats and the necessity for comprehensive security measures. Companies must remain vigilant not only against external threats but also potential risks from within. KnowBe4’s quick action in response to the anomaly reflects best practices in incident response and underscores the company’s role as a leader in cybersecurity education and awareness.

Sources:

1. https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us
2. https://blog.knowbe4.com/north-korean-fake-it-worker-faq
3. KnowBe4 Official Website

Please Rate This Article

Please Leave Us Your Comment
Also, tell us of any topics we might have missed.

Thank you for your comment. You may receive an email to follow up. We never share your data with marketers.

-/ 30 /-

What do you think about this?
Please share your thoughts in a comment above!

SCARS LINKS:   AgainstScams.org    RomanceScamsNOW.com    ContraEstafas.org    ScammerPhotos.com    Anyscam.com    ScamsNOW.com

reporting.AgainstScams.org    support.AgainstScams.org    membership.AgainstScams.org    donate.AgainstScams.org    shop.AgainstScams.org

youtube.AgainstScams.org    linkedin.AgainstScams.org    facebook.AgainstScams.org