A security awareness training provider found it was nearly the victim of espionage after a newly recruited software engineer turned out to be a North Korean spy.
The company, KnowBe4, explained it was in the market for a new engineer in its internal IT and artificial intelligence team when staff came upon a seemingly suitable candidate for the job.
Company chief executive Stu Sjouwerman explained that although KnowBe4 went through its usual scouting process – which included verifying references, checking resumes, conducting interviews and performing background checks – the new hire got to the point of receiving and accessing a corporate Mac.
Sjouwerman explained how the company’s endpoint detection software – which continuously monitors end-user devices to look for signs of malware – picked up an attempted malware attack within moments of the workstation being received.
“We sent them their Mac workstation, and the moment it was received, it immediately started to load malware,” said Sjouwerman.
“The security operations centre called the new hire and asked if they could help.
“That's when it got dodgy fast.”
KnowBe4’s security team reached out to the new hire to ask about the suspicious activity coming from their machine, only to be given a dubious reply about trying to troubleshoot a “speed issue” on his router.
Meanwhile, the security team noticed workstation activity consistent with that of an attacker – including actions to execute unauthorised software and tamper with session history files.
They pressed the issue and asked him to get on a call, but he replied he was “unavailable” before later going silent on all communications.
Within half an hour of detecting the issue, KnowBe4’s security staff contained the fake worker’s device and decided to launch an investigation.
“No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems,” said Sjouwerman.
“This is not a data breach notification, there was none.”
Artificial intelligence, artificial identity
According to Sjouwerman, the insider threat attack was part of a wider-arching scheme where threat actors fool companies into hiring them, then have a corporate computer sent to an “IT mule laptop farm” which they connect to remotely via a VPN.
“They then VPN in from where they really physically are – North Korea or over the border in China – and work the night shift so that they seem to be working in US daytime,” Sjouwerman said.
“The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs.
“I don't have to tell you about the severe risk of this.”
The attacker reportedly used an “AI enhanced” picture in their application which altered an existing stock photograph in an effort to construct a believable cover identity.
The hacker coupled this AI-faked photograph with a real, stolen US-based identity, enabling them to bypass the company’s background check.
“A background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used,” said Sjouwerman.
KnowBe4’s human resources team also conducted four video conference-based interviews on separate occasions, confirming the person matched the provided photo.
The attack serves as a textbook example of how artificial intelligence is being used to bolster insider threats.
A recent global survey by cyber security company Darktrace revealed some 84 per cent of respondents in the Asia-Pacific are “already feeling the impact of AI-powered threats” – while Darktrace itself expects to see more “deepfakes designed to elicit trust” in coming months.
Furthermore, 11 per cent of malicious attacks reported to the Office of the Australian Information Commissioner in the second half of 2023 involved either rogue employees or insider threats.
In October 2023 the US Department of Justice warned that North Korea had sent “thousands of skilled IT workers” outside its borders to pose as IT freelancers.
The recent attack at KnowBe4 is now under an active investigation with the US’ Federal Bureau of Investigation.
“Our controls caught it, but that was sure a learning moment that I am happy to share with everyone,” said Sjouwerman.
“If it can happen to us, it can happen to almost anyone.
“Don't let it happen to you.”
