### KnowBe4's Unintentional Recruitment of a North Korean Hacker: A Cautionary Tale
In a startling incident, Clearwater-based cybersecurity firm KnowBe4 unwittingly hired a North Korean hacker as a remote software engineer. The individual managed to assume the identity of an American citizen and orchestrated the shipment of a company laptop to a U.S.-based laptop farm.
The situation raised immediate alarms when the new hire, upon logging into his company laptop, initiated a download of password-stealing malware. Further suspicions arose when he refused to appear on camera during a security team inquiry.
Subsequent investigations revealed that the impostor was collaborating with a laptop farm in the U.S. In retrospect, KnowBe4’s “defense evangelist,” Roger Grimes, noted several red flags throughout the hiring process. Although the candidate, whose true identity is being withheld pending an FBI investigation, participated in four video interviews, his references all used generic Gmail addresses. Additionally, the laptop was shipped to an address that differed from the one he provided.
Grimes remains uncertain about the true identity of the candidate, suspecting at least three "nefarious actors" were involved. Notably, the American citizen whose identity was stolen actively participated in the scheme, successfully completing a drug test as part of KnowBe4's background check. An unidentified individual later retrieved the laptop from a UPS facility, presenting identification that matched the stolen identity but bore a different photograph.
The investigation suggests that the device was likely picked up by an accomplice at the laptop farm—a data center that allows foreign operatives to masquerade as U.S. employees while engaging in data theft. This individual was reportedly reporting back to a North Korean scammer potentially connected to state-sponsored activities.
Following the incident, KnowBe4 promptly locked the fake employee out of the laptop and reported the situation to the FBI. Neil Khatod, chief information security officer at Hays, a recruiting agency based in Tampa, criticized the hacker's hasty actions in downloading malware, calling it a "rookie mistake." Khatod advised that a more strategic approach could have allowed the hacker to collect information without raising immediate suspicion.
The FBI has linked this scheme to a known North Korean data theft operation. Recently, a 38-year-old man was charged in Tennessee for allegedly facilitating the recruitment of North Korean nationals for IT roles in American and British firms.
At a recent national cybersecurity conference, Grimes encountered representatives from five other companies that had fallen victim to similar scams. One company reported using the same stolen identity, and some firms had unknowingly experienced data breaches that went unnoticed for months due to fake employees.
Grimes expressed bewilderment over the hacker’s choice to download malware, suggesting that it represented a significant risk in a well-planned scheme.
The KnowBe4 incident underscores the vulnerabilities associated with remote work, particularly for organizations managing sensitive client data. KnowBe4 specializes in phishing training, focusing on identifying employees most susceptible to such attacks.
Local cybersecurity experts have offered strategies to fortify remote hiring practices against foreign threats:
1. **Conduct In-Person Interviews**: Danielle Kucera, chief product and risk officer at 360 Advanced, emphasized the importance of in-person interviews for remote hires. However, Grimes cautioned that skilled scammers might still manage to deceive even during face-to-face meetings.
2. **Verify References**: Khatod recommends reaching out to contacts from a candidate’s previous employers who are not listed as references, which can help uncover fraudulent backgrounds.
3. **Enhance Background Checks**: Grimes advised connecting various components of the background check process to identify inconsistencies, such as discrepancies in identification photographs. KnowBe4 effectively monitored all activities performed on the company laptop.
In addition to fabricated hires, local firms face other cyber threats. Jeremy Rasmussen, chief technology officer of Tampa cybersecurity firm Abacode, noted instances where foreign phishers have compromised payroll administrators' credentials, redirecting funds to international accounts. One construction client suffered a loss of $250,000 due to such attacks.
Cybercrime losses continue to escalate across the nation, with the FBI reporting that companies lost $12.5 billion in 2023 alone. Recent ransomware attacks, including one targeting the Florida Department of Health, have further highlighted the urgency of robust cybersecurity measures.
For one company affected by a North Korean IT infiltrator, a curious incident occurred when the laptop farm returned the stolen device, accompanied by a sticky note bearing the company’s name—a stark reminder of the vast network of stolen devices and data trafficking in the cyber underworld.
If you are interested what Veroot Cyber Training provides, please contact us at cyber@veroot.com.