Thursday, November 21, 2024

North Korean Hacker Poses as Remote IT Worker to Infiltrate US Security Firm

KnowBe4, a US-based security training company, discovered that it had unknowingly hired a North Korean hacker as a software engineer. The discovery came when the employee's newly issued computer began loading malware almost immediately after it was received.

KnowBe4, which trains employees to recognize phishing attacks and other cyber threats, recently hired a remote software engineer who passed every interview and background check. Alarm bells went off as soon as the employee received a company-issued Mac. “The moment it was received, it immediately started to load malware,” the company revealed in its blog post.

The malware was picked up by the security software already installed on the Mac, prompting an investigation with assistance from the FBI and Mandiant, Google’s security arm. The investigation revealed that the newly hired software engineer was a North Korean posing as a legitimate IT worker.

Fortunately, KnowBe4 was able to contain the Mac remotely before the hacker could go much further in compromising the company’s internal systems. When the malware was detected, the company’s IT team contacted the employee, who claimed to be troubleshooting a speed issue on his router. In reality, according to KnowBe4, the worker was manipulating session history files and running unauthorized software, and had connected a Raspberry Pi through which the malware was loaded.
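As an added illustration of what continuous endpoint monitoring for the behaviours described above could look like (this is example code written for this page, not KnowBe4’s tooling or anything from its blog post), the following Python snippet runs three detection rules over constructed endpoint events: shell commands that blind or wipe shell history, deletion or truncation of shell history files, and a device with a Raspberry Pi vendor MAC prefix appearing on the host’s network. The event schema, the user name and the sample events are assumptions made for the example; the OUI list should be checked against the current IEEE registry before use.

```python
"""Constructed example: flag shell-history tampering and a Raspberry Pi
appearing next to a managed endpoint.

The event schema below is hypothetical (not any vendor's EDR format), and
the sample events are constructed for this example.
"""
import re
from dataclasses import dataclass

# OUI prefixes registered to the Raspberry Pi Foundation / Raspberry Pi
# Trading (assumption: verify against the current IEEE OUI registry).
RPI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01", "28:cd:c1", "d8:3a:dd"}

# Paths whose removal or truncation destroys shell history on macOS.
HISTORY_FILES = re.compile(r"(^|/)\.(bash|zsh)_history$|/\.zsh_sessions/")

# Shell idioms used to stop history being recorded or to wipe what was.
HISTORY_TAMPER_CMDS = [
    re.compile(r"\bunset\s+HISTFILE\b"),
    re.compile(r"\bHISTFILE=(/dev/null|'')"),
    re.compile(r"\bHISTSIZE=0\b"),
    re.compile(r"\bhistory\s+-c\b"),
    re.compile(r"\brm\s+(-\w+\s+)*\S*\.(bash|zsh)_history\b"),
    re.compile(r"\bln\s+-sf?\s+/dev/null\s+\S*\.(bash|zsh)_history\b"),
    re.compile(r"(^|[;&|]\s*)>\s*\S*\.(bash|zsh)_history\b"),
]


@dataclass
class Alert:
    rule: str
    user: str
    detail: str


def check_process(ev):
    """Process-start event: match the command line against tamper idioms."""
    cmd = ev.get("cmdline", "")
    for pat in HISTORY_TAMPER_CMDS:
        if pat.search(cmd):
            return Alert("shell_history_tamper", ev["user"], cmd)
    return None


def check_file(ev):
    """File event: flag delete/truncate of a shell history file or session dir."""
    if ev.get("action") in {"delete", "truncate"} and HISTORY_FILES.search(ev.get("path", "")):
        return Alert("history_file_removed", ev["user"], f'{ev["action"]} {ev["path"]}')
    return None


def check_neighbor(ev):
    """ARP/neighbor event: flag a MAC whose vendor prefix belongs to Raspberry Pi."""
    mac = ev.get("mac", "").lower()
    if mac[:8] in RPI_OUIS:
        return Alert("raspberry_pi_on_host_network", ev["user"], f'{mac} {ev.get("ip", "")}')
    return None


HANDLERS = {"process": check_process, "file": check_file, "net_neighbor": check_neighbor}


def detect(events):
    """Run every event through the handler for its type; return alerts in order."""
    alerts = []
    for ev in events:
        handler = HANDLERS.get(ev.get("type"))
        if handler:
            alert = handler(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (hypothetical user "eng1"); not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "user": "eng1", "cmdline": "ls -la ~/Downloads"},
    {"type": "process", "user": "eng1", "cmdline": "export HISTFILE=/dev/null; unset HISTFILE"},
    {"type": "file", "user": "eng1", "action": "write", "path": "/Users/eng1/.zsh_history"},
    {"type": "file", "user": "eng1", "action": "truncate", "path": "/Users/eng1/.zsh_history"},
    {"type": "process", "user": "eng1", "cmdline": "rm -f /Users/eng1/.bash_history"},
    {"type": "net_neighbor", "user": "eng1", "mac": "3c:22:fb:aa:bb:cc", "ip": "192.168.1.1"},
    {"type": "net_neighbor", "user": "eng1", "mac": "DC:A6:32:1F:00:9A", "ip": "192.168.1.42"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] user={a.user} {a.detail}")
```

Run as-is, the script raises four alerts: two for history tampering, one for the truncated history file, and one for the Raspberry Pi MAC prefix. In a real deployment the event source would be the endpoint agent’s process, file and network telemetry, and the Raspberry Pi rule would normally be combined with an inventory check so that known, approved devices do not fire it.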

When the security team tried to get the software engineer on a call for further details, he said he was unavailable and then stopped responding. The work laptop had been shipped to an address operating as an “IT mule laptop farm,” which the North Korean hacker accessed via VPN.

Although the intrusion was foiled, the incident highlights an emerging concern: North Korean hackers are targeting remote IT jobs as a way into US-based firms. Last May, US authorities issued an alert warning that a group of North Koreans using the identities of more than 60 real US persons had obtained remote employment. Such jobs generate revenue for North Korea’s illicit programs and give the hackers a foothold from which to extract sensitive information and conduct other attacks.

In this case, the fake software engineer used a stock photo edited with AI as his profile picture and was able to pass the company’s interview. “This case serves as a reminder of the criticality of improving vetting processes, continuous security monitoring, and coordination across HR, IT, and security teams to enable organizations to defend better against advanced persistent threats,” KnowBe4 stressed.

The company now advises its industry peers to conduct video interviews with prospective employees to verify their identity, and to check references by other means rather than relying on email alone. Other recommendations include scanning remote devices to detect unauthorized access, improving resume screening to catch inconsistencies in career history, and strengthening background checks.

The incident is a serious reminder of how sophisticated state-sponsored hackers are, and of the vigilance required to follow through on cyber-security practices.
