North Korean Fake IT Worker Dupes Security Firm: A Wake-Up Call For Employers
A leading security awareness training company discovered a North Korean threat actor posing as a remote software engineer using a stolen U.S. identity and an AI-enhanced photo. Despite thorough vetting, the deception was only revealed when malware was detected. This underscores the urgent need for stronger identity verification in hiring.
In a startling incident, KnowBe4, a leading security awareness training company, discovered that a remote software engineer it had recently hired was actually a North Korean threat actor using a stolen U.S. identity and an AI-enhanced photograph. Despite a thorough hiring process that included video interviews, background checks, and reference verifications, the sophisticated deception was only uncovered after the new hire began loading malware onto a device. This incident underscores the growing risks of identity fraud in the digital age and highlights the need for robust identity verification measures in the hiring process.
The Incident
On July 15, 2024, KnowBe4’s InfoSec Security Operations Center (SOC) detected suspicious activities on the account of the newly hired Principal Software Engineer. The SOC team immediately contacted the individual, who claimed to be troubleshooting a router issue. However, further investigation revealed that the new hire was manipulating session history files, transferring potentially harmful files, and executing unauthorized software. The quick response of KnowBe4’s SOC team, including remotely containing the compromised device, prevented illegal access or data loss.
The deception was sophisticated. The North Korean hacker used a valid but stolen U.S. identity and an AI-enhanced photo derived from stock imagery to pass the company’s hiring protocols. The hacker had the workstation shipped to an address used as an “IT mule laptop farm” and accessed it via VPN to simulate working U.S. business hours from North Korea or China.
Key Lessons and Preventive Measures
Stu Sjouwerman, KnowBe4’s founder and CEO, emphasized the importance of learning from this incident. “If it can happen to us, it can happen to almost anyone. Don’t let it happen to you,” he wrote in a blog post detailing the event.
Employers can protect themselves from similar schemes by taking several critical measures.
To safeguard against such sophisticated fraud, it is essential to utilize advanced identity verification technology. Jessica Chen, product manager at HireRight, a global employment screening provider, notes that services like HireRight’s Global ID check can “validate a candidate’s national identity document to help ensure its authenticity and match the personal information provided.” Partnering with Yoti, an Identity Service Provider, HireRight allows employers to leverage Yoti’s AI-driven Optical Character Recognition technology to validate identity documents digitally. Additionally, employers are provided with an option to enable anti-spoofing liveness technology that confirms that the candidate is a real person present during the verification process, while biometric face matching can ensure that the candidate’s face matches their identity document photo. “This helps confirm that the candidate’s documentation is authentic and that their face matches their ID,” said Jessica.
Enhancing hiring processes to thwart threat actors is also crucial. Conducting multiple rounds of video interviews can better ascertain the candidate’s authenticity. Performing thorough background checks and verifying references through more secure and reliable channels, beyond just email communications, adds an extra layer of security.
From an information security perspective, continuous security monitoring is imperative to detect and respond to suspicious activities promptly. KnowBe4’s EDR software was crucial in identifying the malware load attempt. Ensuring coordination between HR, IT, and security teams helps create a holistic defense against advanced persistent threats.
Parting Thoughts
The incident at KnowBe4 highlights the increasing sophistication of cyber threat actors and the critical need for advanced identity verification and continuous security monitoring. As remote work becomes more prevalent, employers must adopt robust measures to ensure the authenticity of their hires and protect their organizations from fraud, theft, and reputational damage. By learning from this event and implementing comprehensive verification processes, companies can better safeguard themselves against similar threats in the future.
Release Date: August 26, 2024
Alonzo Martinez
Alonzo Martinez is Associate General Counsel at HireRight, where he supports the company’s compliance, legal research, and thought leadership initiatives in the background screening industry. As a senior contributor at Forbes, Alonzo writes on employment legislation, criminal history reform, pay equity, AI discrimination laws, and the impact of legalized cannabis on employers. Recognized as an industry influencer, he shares insights through his weekly video updates, media appearances, podcasts, and HireRight's compliance webinar series. Alonzo's commitment to advancing industry knowledge ensures HireRight remains at the forefront of creating actionable compliance content.