“Remote Worker” in Cyber Security Firm Turns Out to Be North Korean Hacker

A US cyber security firm recently discovered that its new remote worker was actually a North Korean hacker. In a stark warning to employers, the firm detailed how the cybercriminal evaded their background checks, including using an AI-generated picture. Below, we delve into what transpired and highlight the key lessons the company learned.

We hope you enjoy this latest employment insight. Please contact us now if you have any employment law queries or concerns. As specialists in the field, Redmans Solicitors can offer expert advice and help resolve your problem.

To begin:

North Korean Hacker Dodges Security Checks

KnowBe4 is a leading US cyber security firm specialising in security awareness training and simulated phishing platforms. In July 2024, they disclosed that a North Korean hacker had successfully eluded their background checks and met all recruitment criteria, ultimately securing a position as a software engineer without arousing suspicion.

Alerting employers globally, they stated, “No data was lost… This is not a data breach notification… See it as an organisational learning moment… If it can happen to us, it can happen to almost anyone”.

But How Did a North Korean Hacker Manage to Infiltrate a Cyber Security Firm?

The US company detailed its extensive hiring process before onboarding the remote worker. This began with advertising the job and receiving resumes before conducting interviews. KnowBe4 explained how their HR department undertook four video conference calls, confirming that this applicant matched their photograph.

Once this was complete, the firm performed a series of background checks and verified the applicant’s references. Unfortunately, the North Korean hacker successfully passed these security checks by exploiting a legitimate but stolen US-based identity. Additionally, the provided image was originally a stock photograph altered by AI, further aiding the deception.

Suspicious Activity Soon Followed Acceptance

Following the hacker’s acceptance of the role, the cyber security firm sent him an Apple laptop. Immediately after he received the equipment, malware was installed on the device. Understandably, KnowBe4 became suspicious of the activity and contacted the new hire for an explanation.

The North Korean hacker claimed that he’d attempted to resolve a speed issue, stating that this may have resulted in a compromise. However, the cyber security firm uncovered that he had, among other things, manipulated session history files and executed unauthorised software. When the company attempted further communication with the remote worker, he became unresponsive.

Subsequently, the company contained his device and forwarded its findings to the FBI and Mandiant, a cyber security subsidiary of Google. It was at this point that it was revealed that the remote worker was a North Korean hacker.

Exposing the Scheme

In their findings, KnowBe4 detailed how the hacker orchestrated the scheme by requesting that their workstation be shipped to an “IT mule laptop farm”. Using a VPN, the hacker operated from North Korea or China, working night shifts to align with US business hours. They completed their tasks, received payment, and diverted significant funds to North Korea to support illicit activities.

KnowBe4 underscored the substantial risks posed by such schemes. Thankfully, the company’s protocol of placing new employees in highly restricted areas without access to production systems allowed their security controls to identify the deception and prevent any security breaches.

Critical Takeaway From the North Korean Hacker Incident

Following the recent incident involving the North Korean hacker, KnowBe4 has issued a crucial statement. It underscores the importance of robust vetting and monitoring processes and highlights several key lessons:

  1. Enhanced Device and Identity Checks: To prevent similar infiltrations, it’s vital to scan remote devices for unauthorised access and verify the physical location of remote employees.
  2. Improved Vetting and Verification: Better resume screening and thorough vetting of references, beyond just email confirmation, are necessary. Video interviews and validation of discrepancies in personal details are recommended.
  3. Rigorous Monitoring and Access Controls: Implementing strong monitoring for unauthorised system access and enhancing access controls can help prevent future breaches. Additionally, ongoing security awareness training should focus on recognising social engineering tactics.
  4. Recognising Red Flags: Watch for signs like VoIP numbers, inconsistencies in personal information, and attempts to use sophisticated technologies such as VPNs or virtual machines to mask identity.
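The lessons above combine in one practical control: treat a newly onboarded device as being in a probation window and triage its telemetry more strictly than an established one. The following is an added illustration, not code from KnowBe4 or from the original article. It assumes endpoint telemetry has already been normalised into simple records (the field names, the 30-day window, the software allowlist and all sample events are constructed for this example) and flags the three behaviours the article describes: shell history files being manipulated, unauthorised software being executed, and logins arriving from an unexpected country or over a VPN.

```python
"""Probation-window telemetry triage for newly onboarded devices.

Added example (not KnowBe4's or the article's code). Event shapes, the
allowlist and the sample records below are all constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

PROBATION = timedelta(days=30)  # assumed length of the "restricted area" period


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "file_stat", "process_exec" or "login" (assumed telemetry kinds)
    detail: dict


@dataclass
class Alert:
    host: str
    rule: str
    evidence: str


def triage(events, start_dates, allowed_software, expected_country):
    """Return alerts for hosts still inside their onboarding window."""
    alerts = []
    last_history_size = {}  # (host, path) -> last observed size in bytes
    for ev in sorted(events, key=lambda e: e.ts):
        start = start_dates.get(ev.host)
        if start is None or ev.ts - start > PROBATION:
            continue  # established devices are handled by normal monitoring

        if ev.kind == "file_stat" and ev.detail["path"].endswith("_history"):
            # A shell history file that shrinks was truncated or rewritten.
            key = (ev.host, ev.detail["path"])
            size = ev.detail["size"]
            prev = last_history_size.get(key)
            if prev is not None and size < prev:
                alerts.append(Alert(ev.host, "history_shrunk",
                                    f"{ev.detail['path']}: {prev} -> {size} bytes"))
            last_history_size[key] = size

        elif ev.kind == "process_exec":
            # Anything outside the onboarding allowlist is unauthorised software.
            if ev.detail["name"] not in allowed_software:
                alerts.append(Alert(ev.host, "unauthorised_software",
                                    f"executed {ev.detail['name']}"))

        elif ev.kind == "login":
            # Location mismatch or VPN use during probation is a red flag.
            if ev.detail["country"] != expected_country or ev.detail.get("via_vpn"):
                alerts.append(Alert(ev.host, "login_anomaly",
                                    f"country={ev.detail['country']} "
                                    f"vpn={ev.detail.get('via_vpn', False)}"))
    return alerts


def run_demo():
    """Constructed sample telemetry for one new hire and one established device."""
    t = datetime(2024, 7, 15, 9, 0)
    events = [
        Event(t, "mac-newhire-01", "file_stat",
              {"path": "/Users/newhire/.zsh_history", "size": 1200}),
        Event(t + timedelta(minutes=5), "mac-newhire-01", "process_exec", {"name": "Slack"}),
        Event(t + timedelta(minutes=10), "mac-newhire-01", "process_exec",
              {"name": "unknown-loader"}),
        Event(t + timedelta(minutes=20), "mac-newhire-01", "file_stat",
              {"path": "/Users/newhire/.zsh_history", "size": 80}),
        Event(t + timedelta(hours=13), "mac-newhire-01", "login",
              {"country": "CN", "via_vpn": True}),
        # Same odd binary on a long-standing device: outside the probation window.
        Event(t + timedelta(minutes=30), "mac-veteran-02", "process_exec",
              {"name": "unknown-loader"}),
    ]
    start_dates = {"mac-newhire-01": datetime(2024, 7, 15),
                   "mac-veteran-02": datetime(2023, 1, 1)}
    return triage(events, start_dates, {"Slack", "Xcode", "zoom.us"}, "US")


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.host}: {a.rule} ({a.evidence})")
```

The veteran device's unusual process is deliberately ignored here to show the scoping choice: the probation window concentrates scrutiny where the article says it paid off, while the rest of the fleet stays under the organisation's ordinary monitoring rather than a noisier rule set.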

KnowBe4 emphasised that this case serves as a stark reminder of the need for coordination and vigilance among HR, IT, and security teams. By being aware, companies can combat advanced persistent threats and protect against sophisticated criminal activities.

If you have any employment law concerns, get in touch with Redmans Solicitors without delay. We have years of experience and can assist you through the legal process, should you be eligible.

To find out more: