In a sharing mood, security platform KnowBe4’s CEO revealed the company’s encounter with a remote hire who turned out to be a fake-ID-giving, malware-loading insider threat.
A blunt blog post from KnowBe4’s CEO Stu Sjouwerman (titled “How a North Korean Fake IT Work Tried to Infiltrate Us”) reminded IT pros of important verification checks against a remote fraudforce.
“It’s knowing what to spot and then becoming really good at spotting that,” Brian Jack, CISO at KnowBe4, told IT Brew.
In the July 23 blog post, KnowBe4’s CEO shared how a newly hired internal software developer, used an image modified with AI tools and passed an interview ID check. Later, the company’s IT team discovered the user manipulating session-history files and executing unauthorized software.
“It turns out this was a fake IT worker from North Korea,” Sjouwerman wrote.
As far back as May 2022, The US Department of State, the US Department of the Treasury, and the Federal Bureau of Investigation warned that the Democratic People’s Republic of Korea (DPRK, or North Korea) has dispatched thousands of skilled IT workers to fund its weapons of mass destruction (WMD) and ballistic missile programs, “In many cases, DPRK IT workers represent themselves as US-based and/or non-North Korean teleworkers,” the departments wrote in a memo at the time. (The FBI announced similar efforts in October 2023)
KnowBe4’s HR team conducted four video-conference-based interviews, according to Sjouwerman’s post, and confirmed that the individual matched the photo provided on their application. Jack emphasized the need, post-incident, for additional verifications, including closer examinations of references, verification of phone numbers, and even surprise interview questions to help confirm the location on a résumé.
Questions like: What’s something you’re excited about? What did you like to do growing up?
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“A lot of these guys are trained in knowing how to repeat the story that they’re given. So if you throw in general conversational questions, you might get some strange answers,” Jack said.
One new procedure, according to a follow-up FAQ post from KnowBe4: The company will only ship new employee workstations to a nearby UPS shop and require a picture ID.
Tim Rawlins, senior advisor and director, security, at cyberconsultancy NCC Group, has a background in background, having led screening processes for clients. He also recommends some local questions (for someone from California, he suggested: Are you experiencing wildfires at the moment?), along with a close look across the résumé and LinkedIn profiles, checking employment dates and job levels for a logical progression in work history.
“They didn’t jump in as a senior programmer. They will have started out at the bottom and would have worked their way up,” Rawlins said, who also recommends checking academic qualifications and asking applicants to not use location-disguising VPN or proxies for their interviews.
What saved the day at KnowBe4, according to Jack: The company provisions new hires with very limited permissions early on: training tools, email, and endpoint protection.
“I think the person that ran the malware and had access to the machine was someone helping them that is US based, setting up IT in the laptop farms. And I think they were struggling to get the remote connection going,” Jack said.
Rawlins said KnowBe4 did appropriate checks, but the fraudster was sloppy.
“The problem is, it’s going to get harder and harder,” Rawlins said.
Correction 08/09/2024: An early version of this piece described “permissions” as “controls.”