Stolen ID & Raspberry Pi

KnowBe4, a US-based security vendor specializing in security awareness training, revealed that it accidentally hired a North Korean hacker who attempted to install malware within its systems. This incident serves as a stark reminder of the sophistication and reach of cyber threats. The company’s CEO, Stu Sjouwerman, shared the details in a blog post,[1] emphasizing that no data was compromised or stolen.

The hacker, posing as a software engineer for KnowBe4’s internal IT AI team, used a stolen US-based identity and a photo enhanced with artificial intelligence to secure the position. Despite passing background checks and video interviews, the individual began suspicious activities immediately upon receiving their workstation. The hacker’s actions included manipulating session history files, transferring harmful files, and executing unauthorized software, using a Raspberry Pi to facilitate the malware download.[2]

On the left, a stock photo. On the right, an AI-enhanced image based on the stock photo. The AI-enhanced image was submitted to KnowBe4 by a job applicant. (Image credit: KnowBe4)

KnowBe4’s Security Operations Center (SOC) detected the unusual behavior on July 15, 2024. The hacker, referred to as “XXXX” in the company’s blog post, initially claimed the activity resulted from troubleshooting a router issue. However, when the SOC attempted to follow up, the hacker became unresponsive, leading the team to contain the device.

The investigation revealed that the hacker was likely working remotely from North Korea, using a VPN to appear as if they were operating during US business hours.  The individual’s goal was to siphon funds to North Korea, supporting illegal activities. KnowBe4’s controls and restricted access for new employees prevented any significant damage.
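The two paragraphs above describe what the SOC had to work with: a new hire whose workstation started manipulating session history files, dropping files and running unauthorized software within hours, and a control regime that limited what a new account could reach. The following is an added example, not KnowBe4's tooling or anything from the cited blog post, of how a detection pipeline can turn those behaviours into findings and a containment decision. The log format, the `SAMPLE_EVENTS` lines, the `NEW_HIRES` table and the severity scale are all constructed for illustration; the only thing taken from the article is the idea that new-hire accounts deserve a lower alerting threshold.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample endpoint telemetry in a simple "timestamp key=value ..."
# format that this example defines for itself. It is NOT a real EDR format and
# not data from the KnowBe4 incident; hostnames, users and paths are invented.
SAMPLE_EVENTS = [
    "2024-07-15T14:02:11Z host=eng-ws-42 user=newhire01 event=process_start cmd='code --version' signed=true",
    "2024-07-15T14:10:11Z host=eng-ws-42 user=newhire01 event=file_modify path=/home/newhire01/.bash_history size_before=40231 size_after=0",
    "2024-07-15T14:10:15Z host=eng-ws-42 user=newhire01 event=process_start cmd='history -c' signed=false",
    "2024-07-15T14:15:40Z host=eng-ws-42 user=newhire01 event=file_create path=/tmp/loader.bin",
    "2024-07-15T14:16:02Z host=eng-ws-42 user=newhire01 event=process_start cmd='/tmp/loader.bin --quiet' signed=false",
]

# Constructed: account creation dates for accounts still in their probation
# window. In practice this would come from the identity provider or HR system.
NEW_HIRES = {"newhire01": datetime(2024, 7, 10, tzinfo=timezone.utc)}
PROBATION = timedelta(days=30)

HISTORY_FILES = (".bash_history", ".zsh_history", "ConsoleHost_history.txt")
HISTORY_CLEAR_CMDS = ("history -c", "unset HISTFILE", "HISTFILESIZE=0", "Clear-History")
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_event(line):
    """Parse one telemetry line into a dict; 'ts' becomes an aware datetime."""
    ts_str, _, rest = line.partition(" ")
    fields = {k: v.strip("'") for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def history_tampering(ev):
    """Session history truncated on disk, or cleared from the command line."""
    if ev.get("event") == "file_modify" and ev.get("path", "").endswith(HISTORY_FILES) \
            and ev.get("size_after") == "0":
        return "shell history truncated"
    if ev.get("event") == "process_start" and any(c in ev.get("cmd", "") for c in HISTORY_CLEAR_CMDS):
        return "shell history cleared from command line"
    return None


def staged_payload(ev):
    """A file landed in a world-writable staging directory."""
    if ev.get("event") == "file_create" and ev.get("path", "").startswith(WRITABLE_DIRS):
        return "file dropped in world-writable directory"
    return None


def unsigned_exec(ev):
    """An unsigned binary was launched from a world-writable directory."""
    cmd = ev.get("cmd", "")
    exe = cmd.split()[0] if cmd else ""
    if ev.get("event") == "process_start" and ev.get("signed") == "false" and exe.startswith(WRITABLE_DIRS):
        return "unsigned binary executed from world-writable directory"
    return None


# (rule, base severity on a constructed 1..3 scale)
RULES = [(history_tampering, 2), (staged_payload, 1), (unsigned_exec, 3)]


@dataclass
class Finding:
    ts: datetime
    user: str
    rule: str
    severity: int


def scan(lines):
    """Run every rule over every event; new-hire accounts get severity bumped by one."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        user = ev.get("user", "")
        created = NEW_HIRES.get(user)
        on_probation = created is not None and ev["ts"] - created < PROBATION
        for rule, base in RULES:
            msg = rule(ev)
            if msg:
                findings.append(Finding(ev["ts"], user, msg, min(base + int(on_probation), 3)))
    return findings


def containment_candidates(findings, threshold=3):
    """Users whose worst finding reaches the threshold: hand these to the SOC to contain."""
    worst = {}
    for f in findings:
        worst[f.user] = max(worst.get(f.user, 0), f.severity)
    return sorted(u for u, s in worst.items() if s >= threshold)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts.isoformat()} sev={f.severity} user={f.user}: {f.rule}")
    print("contain:", containment_candidates(scan(SAMPLE_EVENTS)))
```

The design point is the probation bump in `scan`: a truncated history file from a five-year veteran is worth a ticket, but the same event from an account created last week is worth a page, which is the posture the article credits with limiting the damage here. The rule functions are deliberately independent so each can be tested on a single parsed event.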

The incident shows the ongoing threats posed by nation-state actors in cyberspace.  KnowBe4 is cooperating with the FBI and cybersecurity experts at Mandiant as the investigation continues.  The company hopes this serves as a cautionary tale for other organizations.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

[1] https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us

[2] https://www.msn.com/en-us/money/technology/north-korean-hacker-infiltrates-us-security-firm-attempts-malware-attack/ar-BB1qSyL5/