KnowBe4, a cybersecurity company specializing in security awareness training, recently faced a significant security threat from a North Korean nation-state actor posing as an IT worker on their AI team. The incident, which was outlined in a report published by KnowBe4’s CEO and president, Stu Sjouwerman, highlighted the increasing sophistication of cyber threats targeting organizations worldwide.
The fake IT worker, who had been hired as a principal software engineer, managed to slip through the company’s vetting process and was able to set up a malicious operation within KnowBe4’s network. Suspicious activity was detected on the new hire’s workstation starting on July 15, prompting a swift response from KnowBe4’s security team.
This deception tactic of impersonating IT workers to infiltrate U.S. enterprises is not a new phenomenon. A joint government advisory issued in 2022 had already warned organizations of the potential threat posed by North Korean threat actors masquerading as legitimate employees.
According to Sjouwerman, the attacker used a combination of deepfake technology and a VPN to obtain the job and to disguise their true location. The individual managed to pass video interviews and background checks by using a stolen identity, ultimately gaining access to KnowBe4’s systems with malicious intent.
In collaboration with cybersecurity firms Mandiant and the FBI, an investigation was launched to uncover the extent of the breach. It was revealed that the threat actor had orchestrated a sophisticated scam involving a network of IT mules who assisted in setting up remote workstations and manipulating VPN locations to appear as though they were operating from within the U.S.
Brian Jack, KnowBe4’s CISO, delved further into the workings of these IT mule laptop farms, explaining how threat actors exploit the infrastructure to facilitate their malicious activities. By operating during night shifts and manipulating VPNs, these actors can make it seem like they are legitimate employees working during normal U.S. business hours.
The ultimate goal of these fake employees, as outlined in the joint government advisory, is to generate revenue for North Korea to fund various government initiatives, including weapons development. Sjouwerman emphasized the need for organizations to be vigilant in their hiring processes and to implement stricter identity validation measures to prevent such advanced persistent threats from infiltrating their systems.
Moving forward, KnowBe4 intends to enhance its vetting process for new hires, with certain roles requiring more rigorous identity verification methods. Scrutiny of requested shipping addresses for remote equipment setups will be increased to prevent similar incidents from occurring in the future.
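The laptop-farm pattern described above (a work laptop shipped to a mule and driven remotely through a VPN) and the shipping-address scrutiny KnowBe4 plans to add can be expressed as a simple post-hire triage check. This is an added illustration, not KnowBe4's, Mandiant's or the FBI's code; the hire records, session records and the anonymizer flag (assumed to come from a threat-intelligence feed of commercial VPN/proxy ranges) are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class NewHire:
    user: str
    hr_state: str      # state on the HR / identity-document record
    ship_state: str    # state the employee asked the work laptop be shipped to

@dataclass
class VpnSession:
    user: str
    egress_state: str          # geolocated state of the IP the session arrived from
    egress_is_anonymizer: bool # IP in a known commercial VPN/proxy range (assumed feed)

def hire_risk_signals(hire: NewHire, sessions: List[VpnSession]) -> List[str]:
    """Return human-readable risk signals for one hire; an empty list means nothing flagged."""
    signals = []
    if hire.ship_state != hire.hr_state:
        signals.append("laptop shipped to an address that does not match the HR record")
    mine = [s for s in sessions if s.user == hire.user]
    if not mine:
        return signals
    anon = sum(1 for s in mine if s.egress_is_anonymizer)
    if anon / len(mine) >= 0.5:
        signals.append("most corporate sessions arrive through a commercial VPN/proxy")
    # A genuine remote employee normally connects from where the laptop was shipped;
    # a laptop sitting in a farm and driven from elsewhere shows up as a mismatch.
    if any(s.egress_state not in (hire.ship_state, hire.hr_state) for s in mine):
        signals.append("session egress location matches neither HR nor shipping address")
    return signals

def triage(hires: List[NewHire], sessions: List[VpnSession]) -> Dict[str, List[str]]:
    """Map each hire with at least one signal to its list of signals."""
    out = {}
    for h in hires:
        sig = hire_risk_signals(h, sessions)
        if sig:
            out[h.user] = sig
    return out

# Constructed sample data, not taken from the KnowBe4 report.
SAMPLE_HIRES = [NewHire("alice", "CO", "CO"), NewHire("bob", "TX", "WA")]
SAMPLE_SESSIONS = [
    VpnSession("alice", "CO", False), VpnSession("alice", "CO", False),
    VpnSession("bob", "NY", True), VpnSession("bob", "WA", True), VpnSession("bob", "NY", True),
]

if __name__ == "__main__":
    for user, sig in triage(SAMPLE_HIRES, SAMPLE_SESSIONS).items():
        print(user, sig)
```

In practice the hire and session records would come from the HRIS, the asset-shipping system and VPN/identity-provider logs, with the flagged hires routed to a human reviewer rather than acted on automatically.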
This incident serves as a stark reminder of the evolving nature of cyber threats and of the importance of having robust security measures in place to safeguard against malicious actors looking to exploit vulnerabilities. Organizations must remain vigilant and proactive in their approach to cybersecurity to mitigate the risk of falling victim to sophisticated attacks.