North Korean Cyberespionage Inside KnowBe4 Company – A Massive Wake-Up Call For Cybersecurity Industry
How a North Korean Agent Infiltrated KnowBe4
Primary Category: Cybersecurity
Authors:
• SCARS Editorial Team – Society of Citizens Against Relationship Scams Inc.
• Portions KnowBe4 and other sources
About This Article
KnowBe4 recently uncovered that a newly hired remote software engineer, who passed both interview and background checks, was actually a North Korean agent.
The discovery was made after suspicious activity linked to a company-issued MacBook raised red flags. The company’s IT and security teams acted quickly, restricting access and launching an investigation. They found that the individual had loaded malware onto the device and used a single-board computer to manipulate data.
KnowBe4 collaborated with the FBI and Mandiant, concluding that the worker was part of a North Korean operation posing as IT staff to infiltrate American companies.
The incident highlights the importance of continuous monitoring and robust security measures, even post-hiring, to safeguard against internal threats.
Incident at KnowBe4: The Unexpected Discovery of a North Korea Agent on the Payroll
KnowBe4, a leading provider of security awareness training and simulated phishing platform, recently experienced a surprising incident involving a newly hired remote software engineer. The company, known for its work in educating organizations about cybersecurity threats, discovered an anomaly after onboarding the employee, despite the individual having passed both the interview and background check processes.
The Onboarding Process
The new hire was brought on board as a remote software engineer, a common practice in the tech industry that has become even more prevalent in recent years. As part of their standard procedure, KnowBe4 sent the employee a company-issued MacBook to ensure they had the necessary tools to perform their job duties securely. This equipment provisioning step is critical for maintaining a secure working environment, especially for remote workers who may not have access to the company’s internal networks.
Discovery of the Anomaly
Shortly after sending the MacBook, KnowBe4’s IT and security teams noticed unusual activity linked to the device. This discovery prompted a more thorough investigation into the circumstances surrounding the new hire. According to internal sources, the activity raised red flags due to its unusual nature, inconsistent with standard practices expected from new employees.
In a statement, KnowBe4’s CEO, Stu Sjouwerman, emphasized the importance of vigilance even after hiring processes are complete. “Our commitment to security doesn’t end with the hiring process. We continuously monitor all aspects of our operations to ensure the highest level of security, especially in our own backyard,” Sjouwerman said.
Actions Taken by KnowBe4
An internal investigation started when KnowBe4’s InfoSec Security Operations Center team detected “a series of suspicious activities” from the new hire. The remote worker was sent an Apple laptop, which was flagged by the company on July 15 when malware was loaded onto the machine. The AI-filtered photo, meanwhile, was flagged by the company’s Endpoint Detection and Response software.
Later that evening, the SOC team had “contained” the fake worker’s systems after he stopped responding to outreach. During a roughly 25-minute period, “the attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software,” Sjouwerman wrote in the post. “He used a [single-board computer] raspberry pi to download the malware.”
From there, the company shared its data and findings with the FBI and with Mandiant, the Google-owned cyber firm, and came to the conclusion that the worker was a fictional persona operating from North Korea.
KnowBe4 said the fake employee likely had his workstation connected “to an address that is basically an ‘IT mule laptop farm.’” They’d then use a VPN to work the night shift from where they actually reside — in this case, North Korea “or over the border in China.” That work would take place overnight, making it appear that they’re logged on during normal U.S. business hours.
Upon discovering the suspicious activity, KnowBe4 acted swiftly to mitigate any potential threats. The company immediately restricted the new employee’s access to internal systems and launched a comprehensive review of the incident. The employee was placed on administrative leave pending further investigation.
“We take any potential security breach very seriously, regardless of the source. Our protocols are designed to detect and respond to any anomalies quickly and efficiently,” Sjouwerman added.
Implications and Lessons Learned
According to Bleeping Computer
The firm detected and stopped the malicious actions in time, so no data breach occurred. However, the case highlights the continued threat posed by North Korean threat actors posing as IT staff, something that the FBI has warned about repeatedly since 2023.
The DPRK maintains a highly organized army of IT workers who obscure their true identities to get hired by hundreds of American firms.
Revenue generated by these workers are used to fund the country’s weapons programs and cyber operations, as well as to collect intelligence.
This incident underscores the importance of not only thorough vetting during the hiring process but also maintaining robust security measures post-hiring. KnowBe4, with its expertise in cybersecurity training, is in a unique position to highlight the potential vulnerabilities that can arise even from trusted internal sources.
KnowBe4’s response to the incident demonstrates the company’s commitment to its mission of enhancing security awareness and maintaining a secure environment for its operations and clients. The company is conducting a thorough review to determine if any sensitive information was accessed or compromised.
The incident also serves as a reminder to other organizations of the critical need for continuous monitoring and the importance of having protocols in place to quickly identify and address any unusual activity.
Conclusion
While the incident at KnowBe4 is still under investigation, it highlights the evolving nature of cybersecurity threats and the necessity for comprehensive security measures. Companies must remain vigilant not only against external threats but also potential risks from within. KnowBe4’s quick action in response to the anomaly reflects best practices in incident response and underscores the company’s role as a leader in cybersecurity education and awareness.
Sources:
Please Leave Us Your Comment
Also, tell us of any topics we might have missed.
Thank you for your comment. You may receive an email to follow up. We never share your data with marketers.
Recent Reader Comments
on Contractualism and Supporting the Victims of Online Crime: “As a landlord I constantly have contractrialism in play with my tenants. I always give them a copy of the…” Sep 3, 23:31
on The Butterfly Effect And Scam Victims – 2024: “Definitely awareness and education are important to reduce the risks of scams and minimize the consequences of those crimes in…” Sep 3, 23:14
on Thoughts About Boundaries: “The importance of setting boundaries is nicely outlined in this article! Everyone needs to take the time to set their…” Sep 3, 10:00
on Why Are We More Likely To Trust Total Strangers Now? 2024: “Now that I know better, I will do better.” Sep 2, 15:34
Important Information for New Scam Victims
- Please visit www.ScamVictimsSupport.org – a SCARS Website for New Scam Victims & Sextortion Victims
- SCARS Institute now offers a free recovery program at www.SCARSeducation.org
- Please visit www.ScamPsychology.org – to more fully understand the psychological concepts involved in scams and scam victim recovery
If you are looking for local trauma counselors please visit counseling.AgainstScams.org or join SCARS for our counseling/therapy benefit: membership.AgainstScams.org
If you need to speak with someone now, you can dial 988 or find phone numbers for crisis hotlines all around the world here: www.opencounseling.com/suicide-hotlines
SCARS Resources:
- Getting Started: ScamVictimsSupport.org
- FREE enrollment in the SCARS Institute training programs for scam victims SCARSeducation.org
- For New Victims of Relationship Scams newvictim.AgainstScams.org
- Subscribe to SCARS Newsletter newsletter.againstscams.org
- Sign up for SCARS professional support & recovery groups, visit support.AgainstScams.org
- Find competent trauma counselors or therapists, visit counseling.AgainstScams.org
- Become a SCARS Member and get free counseling benefits, visit membership.AgainstScams.org
- Report each and every crime, learn how to at reporting.AgainstScams.org
- Learn more about Scams & Scammers at RomanceScamsNOW.com and ScamsNOW.com
- Learn more about the Psychology of Scams and Scam Victims: ScamPsychology.org
- Self-Help Books for Scam Victims are at shop.AgainstScams.org
- Donate to SCARS and help us help others at donate.AgainstScams.org
- Worldwide Crisis Hotlines: International Suicide Hotlines – OpenCounseling : OpenCounseling
- Campaign To End Scam Victim Blaming – 2024 (scamsnow.com)
-/ 30 /-
What do you think about this?
Please share your thoughts in a comment below!
More ScamsNOW.com Articles
SCARS LINKS: AgainstScams.org RomanceScamsNOW.com ContraEstafas.org ScammerPhotos.com Anyscam.com ScamsNOW.com
reporting.AgainstScams.org support.AgainstScams.org membership.AgainstScams.org donate.AgainstScams.org shop.AgainstScams.org
youtube.AgainstScams.org linkedin.AgainstScams.org facebook.AgainstScams.org
Leave a Reply