Tricky Moves - Security company arrests North Korean spy - and catches him by chance
## A Cautious Hire by KnowBe4 Unveiled as a North Korean Hacker
The cybersecurity experts at KnowBe4 were cautious in their hiring process. They thoroughly vetted the applicant, scrutinized his resume, and conducted job interviews via videotelephony. However, it wasn't long before they discovered that everything was a disguise for a North Korean hacker. The attack had begun.
According to the blog post where the company detailed its hacking incident, they sent him a work Mac and as soon as he arrived, he began installing malicious software. Now, the FBI is investigating.
A False Employee with a Fake Identity
The security firm, active in several countries, was actually looking for a Software developer with AI experience. The applicant only referred to as XXXX in the report raised no suspicion. The HR team checked his background and even verified his references. In four video job interviews, they ensured that the person in the submitted images was indeed the applicant. But it was all a facade.
The person who applied using a real US identity had never set foot in the US. The North Korean had stolen and manipulated the data to bypass the security measures. For instance, he had replaced his face with a generic office stock photo using AI, as later investigations revealed.
25 Minutes in the System
The disguise didn't last long – thanks to the observant security department of the company. At 21:55 on his first day of work, the system triggered an alarm, reporting suspicious activity from the new employee's laptop.
He had attempted to manipulate the internet history on his computer and install malware. Confronted, he tried to explain that he was just trying to get the connection working. He refused a call, citing that he couldn't talk at the moment. Then, he stopped responding altogether. By 22:20, the company decided to isolate the computer. And they heard nothing more from the new hire.
What's Behind the North Korean Mask?
The fact that the mole was exposed might have been due to his disguise itself: Since he wasn't in the US, he couldn't use the sent work computer on-site. Instead, he likely had it sent to a so-called "Laptop Farm." These computers are manipulated to allow remote usage by the actual North Korean users. However, this ultimately backfired on him.
Exactly what the hacker hoped to gain from his deception is unknown. KnowBe4 identifies security vulnerabilities in their clients' systems, such as luring employees with fake spam emails. These emails are typically excluded from other protective measures to ensure the employees are reached. An insider could easily misuse this as well.
Perhaps there's something more mundane behind the North Korean scheme. "They work in North Korea during the night shift to give the impression they're working in the US during the day. The scam is that they actually do the job and then get paid well for it. They then transfer large portions of their salary to finance North Korea's illegal programs," the blog post explains. North Korean hackers are indeed working – and circumventing sanctions in the process. The security researchers at Mandiant have extensively documented this approach.
Warning Signal
I don't have to warn you about the risks of this procedure, the post directly addresses the customers, it states. New employees should be handled restrictively in risk areas in the beginning, and exclude them from productive systems, the post explains. The company itself is cautious during the examination of applicants. "We were fortunate that our security systems worked in the end."
The FBI is now investigating the case involving the North Korean hacker who was hired by KnowBe4 and was given a Mac to work on, where he installed malicious software.
Despite using a real US identity, the North Korean hacker who infiltrated the software company was actually based outside the United States, highlighting the need for enhanced vetting processes and cautious hiring practices.