KnowBe4, an American company that specializes in cybersecurity, unwittingly hired a hacker from the DPRK, who attempted to upload malware to the company’s network immediately after he began “working.” The incident was described by the company’s founder and director, Stu Sjouwerman.
KnowBe4 operates in 11 countries and is headquartered in Florida. The company conducts cybersecurity and anti-phishing training for corporate clients. KnowBe4 posted a vacancy and received a resume from a candidate for the position. The photo he provided had been made from a stock photo using an AI-powered editor. HR conducted remote interviews, checked the applicant’s biography and references, and hired him for the position of chief software engineer.
The photo attached to the resume was fake, but the person who appeared in all four interviews looked similar enough to the photo not to raise suspicion. He passed the background check because the documents used the stolen identity of a real person. An Apple Mac workstation was sent to the address he provided.
As soon as the new employee started working, he began performing suspicious actions on the company’s network, which triggered the security system. The company’s employees contacted him to clarify the situation. He stated that he was experiencing connection speed issues and was configuring the router, and that this may have led to the hack. In reality, he tried to manipulate session history files, transfer potentially dangerous files to the network, and even launch unauthorized software. He used a Raspberry Pi single-board computer to download the malware. The security team continued to monitor what was happening and even tried to call the employee, but he replied that he could not answer, and later stopped responding altogether. 25 minutes after the attack began, his computer was blocked from the network.
Subsequent analysis showed that the malware downloads were likely intentional, and that the suspect employee was an “insider threat or nation-state actor.” KnowBe4 shared the information with cybersecurity experts at Mandiant and alerted the FBI, and it turned out that the employee was indeed a fake worker from North Korea. The scheme is well established: employers send workstations to addresses that host entire “farms” of such computers. The hackers connect to them via VPN from the DPRK or China and work the night shift so that they appear to be working during the day in the US. Some of them actually perform their tasks and are paid well, and the money is used to finance Pyongyang’s activities.