KnowBe4 Exposes North Korean Cyber Espionage: A Fake Employee Unmasked

North Korean Cyber Espionage

KnowBe4, a cybersecurity company, has disclosed an attempt to infiltrate its IT systems through a fake employee acting on behalf of North Korea. No company data was compromised thanks to the timely response of the IT security team, but the case is worth examining in detail.

The company was seeking a software engineer for its AI development team. Job advertisements were posted, interviews were conducted, and candidate screenings were performed. The new employee passed all standard procedures, including video interviews and background checks, and nothing raised suspicion at the company.

However, the identity used by this individual to secure the job turned out to be stolen. After the new employee was sent a work computer, malicious activity was immediately detected on the device. The Endpoint Detection and Response (EDR) software recorded suspicious actions and alerted the Security Operations Center (SOC).

The SOC promptly contacted the new employee, but his behavior raised even more suspicions. The incident was then handed over for investigation to Mandiant and the FBI. It was discovered that the man was a planted agent from North Korea. The photograph provided in the application was created using AI based on stock images.

Further investigation revealed that the suspicious employee was engaging in activities aimed at compromising the system: manipulating session history files, transferring potentially harmful files, executing unauthorized software, using a Raspberry Pi to download malware, and using a VPN to conceal his location.

This case demonstrates the high level of organization among cybercriminals and the sophistication of the resources they employ. The perpetrators use fake identities, VPNs, and virtual machines to gain access to company systems, creating the appearance of legitimate work.

KnowBe4 has developed a set of recommendations to prevent such incidents in the future. These can be adopted by any organization:

  • Scan your remote devices to make sure no one remotes into those.
  • Better vetting, making sure that they are physically where they are supposed to be.
  • Better resume scanning for career inconsistencies.
  • Get these people on video camera and ask them about the work they are doing.
  • Background check appears inadequate. Names used were not consistent.
  • References potentially not properly vetted. Do not rely on email references only.
  • Implement enhanced monitoring for any continued attempts to access systems.
  • Review and strengthen access controls and authentication processes.
  • Conduct security awareness training for employees, emphasizing social engineering tactics.

Warning signs to watch for include the use of VoIP numbers, the absence of a digital footprint, discrepancies in personal data across documents, and attempts to install malicious software. Timely and more thorough checks will help keep malicious actors from infiltrating the system.
