A US company accidentally hired a North Korean hacker, who immediately began downloading viruses.

The American company KnowBe4, which specializes in cybersecurity issues, unwittingly hired a hacker from the DPRK, who tried to upload malware into the company’s network as soon as he started “working.” Its founder and director Stu Sjouwerman spoke about this.

Image source: B_A / pixabay.com

KnowBe4 operates in 11 countries and is headquartered in Florida. The company provides training on cybersecurity and phishing protection for corporate clients. One day KnowBe4 posted a vacancy and received a resume from a candidate for the position – he provided a photo that was made from a stock photo using an artificial intelligence editor. HR staff conducted a remote interview, checked the applicant’s biography and recommendations, and hired him for the position of chief software engineer.

The photo attached to the resume was a fake, but the person who passed all four interviews was similar enough to this image that he did not arouse suspicion. He was able to successfully pass the test because the documents used the stolen identity of a real person. An Apple Mac workstation was sent to the specified address.

A photo from a photo bank (left) and an AI-created fake (right). Image source: blog.knowbe4.com

As soon as the new employee started work, he began to perform suspicious actions on the enterprise network, to which the security system responded. The company contacted the new employee to clarify the situation – he said that he was having problems with the connection speed, he was setting up a router, and this may have led to the hack. In reality, he attempted to manipulate session history files, transfer potentially dangerous files onto the network, and even run unauthorized software. He used a Raspberry Pi single-board computer to download the malware. Security officers continued to monitor what was happening and even tried to call this employee, but he replied that he could not answer, and subsequently stopped communicating altogether. 25 minutes after the attack began, his computer was blocked from the network.

Subsequent analysis revealed that the attempts to download the malware were likely intentional, and that the suspect employee was “an insider threat or [other] nation-state actor.” KnowBe4 shared information with cybersecurity experts at Mandiant and also notified the FBI about the incident – it turned out that it was indeed a fake employee from North Korea. They have a well-established scheme. Employers send workstations to addresses where entire “farms” of such computers are located. Hackers connect to them via VPN from North Korea or China and work night shifts to make it appear as if they are working during the day in the United States. Some of them actually carry out tasks and receive good pay, which goes to finance Pyongyang’s activities.