KnowBe4 - North Korean Fake IT Worker FAQ
Frequently Asked Questions About KnowBe4's Fake IT Worker Blog
On July 23, 2024, I wrote a blog post about how KnowBe4 inadvertently hired a skillful North Korean IT worker who used the stolen identity of a US citizen. He participated in several rounds of video interviews and circumvented the background check processes commonly used.
The intent was to share an organizational learning moment, so you can make sure this does not happen to you. The story went viral, which is exactly what I had hoped for. Do we have egg on our face? Yes. And I am sharing that lesson with you. It's why I started KnowBe4 in 2010. In 2024 our mission is more important than ever.
Q1: Was any KnowBe4 system breached in this North Korean IT worker incident?
No. KnowBe4 was not breached. When we hire new employees, their user account is granted only limited permissions that allow them to proceed through our new hire onboarding process and training. They can access only a minimal amount of necessary apps to go through our new employee training.
Q2: What access do new employees get?
These are apps such as their email inbox, Slack, and Zoom. The workstation they receive is locked down and has no data residing on it; it is essentially a laptop with nothing on it except our endpoint security and management tools.
Q3: Did the new employee get access to customer data?
No. This person never had access to any customer data, KnowBe4's private networks, cloud infrastructure, code, or any KnowBe4 confidential information. They had basic communication apps and a factory-new provisioned laptop. We detected suspicious activity and responded within minutes, quarantining the entire laptop.
Q4: Was any malware executed on the machine?
No. No malware was executed on the machine; it was blocked by our security tooling. A complete review of all processes, commands, network connections, and other activity on the laptop was conducted, and we concluded that no further action was needed, as there was no suspicious activity beyond what had already been detected and blocked.
Q5: What access did this worker have on his work station that could have compromised customer data or "weaponized" the simulated phishing platform?
Nothing was provided on the laptop. All of KnowBe4's data is kept in the cloud, and a review of this individual's user account determined that they did not access anything other than their own email inbox. We provision access to the KnowBe4 platform through Okta. New hires are not granted access to the KnowBe4 platform until after completion of their onboarding, which this person had not completed; they therefore never had access to the platform.
Q6: Why would someone hired as a software developer try to load malware on their new machine?
We can only guess, but the malware was an infostealer targeting data stored in web browsers, and perhaps he was hoping to extract information left on the computer before it was issued to him.
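The behaviour described in Q6 is detectable on the endpoint: an infostealer has to read the browser's credential and cookie databases, and nothing but the browser itself normally does that. Below is an added example of such a detection rule; it is not KnowBe4's code or its security tooling. The file-access events, the host name and the process name `updater.exe` are constructed for illustration, while the file paths are the real default locations of Chrome, Edge and Firefox credential and cookie stores on Windows.

```python
"""
Added example (not KnowBe4's tooling): flag non-browser processes that read
browser credential/cookie stores, then decide whether to quarantine the host.
Events below are constructed; the file paths are real default locations.
"""
from collections import defaultdict
from dataclasses import dataclass
import fnmatch

# Default on-disk locations an infostealer reads. fnmatch's "*" also matches
# path separators, so one pattern covers any user and any browser profile.
SENSITIVE_BROWSER_FILES = [
    r"*\Google\Chrome\User Data\*\Login Data",      # saved passwords (SQLite)
    r"*\Google\Chrome\User Data\*\Cookies",
    r"*\Google\Chrome\User Data\*\Network\Cookies",
    r"*\Google\Chrome\User Data\Local State",       # DPAPI-wrapped AES key
    r"*\Microsoft\Edge\User Data\*\Login Data",
    r"*\Mozilla\Firefox\Profiles\*\logins.json",
    r"*\Mozilla\Firefox\Profiles\*\key4.db",        # key protecting logins.json
    r"*\Mozilla\Firefox\Profiles\*\cookies.sqlite",
]

# Image names expected to touch their own stores. Keying on the name alone
# is a simplification: a hardened rule would also check signer and full path.
ALLOWED_READERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class FileEvent:
    host: str
    user: str
    process: str  # image name of the process that opened the file
    path: str     # file that was opened
    action: str   # e.g. "read", "copy"


def matches_sensitive(path: str) -> bool:
    """True if the path is one of the browser secret stores listed above."""
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, pat.lower()) for pat in SENSITIVE_BROWSER_FILES)


def detect_browser_store_access(events):
    """Return one alert per sensitive-file access by a non-browser process."""
    alerts = []
    for ev in events:
        if not matches_sensitive(ev.path):
            continue
        if ev.process.lower() in ALLOWED_READERS:
            continue
        alerts.append({
            "host": ev.host,
            "user": ev.user,
            "process": ev.process,
            "path": ev.path,
            "action": ev.action,
            "reason": "non-browser process accessed browser credential/cookie store",
        })
    return alerts


def should_quarantine(alerts, threshold=2):
    """(host, process) pairs that touched at least `threshold` distinct stores.

    One hit may be a backup tool; a process sweeping several stores in a row
    is the infostealer pattern and warrants isolating the whole laptop.
    """
    touched = defaultdict(set)
    for a in alerts:
        touched[(a["host"], a["process"])].add(a["path"].lower())
    return {key for key, paths in touched.items() if len(paths) >= threshold}


# Constructed sample telemetry: one benign browser read, one benign document
# read, and a hypothetical "updater.exe" sweeping three credential stores.
SAMPLE_EVENTS = [
    FileEvent("ws-newhire-01", "jdoe", "chrome.exe",
              r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data", "read"),
    FileEvent("ws-newhire-01", "jdoe", "updater.exe",
              r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data", "copy"),
    FileEvent("ws-newhire-01", "jdoe", "updater.exe",
              r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Local State", "read"),
    FileEvent("ws-newhire-01", "jdoe", "updater.exe",
              r"C:\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json", "copy"),
    FileEvent("ws-newhire-01", "jdoe", "notepad.exe",
              r"C:\Users\jdoe\Documents\notes.txt", "read"),
]

if __name__ == "__main__":
    found = detect_browser_store_access(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT {a['host']} {a['process']} {a['action']} {a['path']}")
    print("quarantine:", should_quarantine(found))
```

On the constructed events the rule raises three alerts for `updater.exe` and none for the browser's own reads, and the quarantine decision isolates the host because one process swept more than one store. The allow-list by image name is the weak point of a rule like this: malware can inject into the real browser process or rename itself `chrome.exe`, so a production detection should key on the signed image path and parent process rather than the file name, and treat the read of `Local State` or `key4.db` together with a password database as a high-confidence signal.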
Q7: How did this bad actor pass your hiring process?
This was a skillful North Korean IT worker, supported by a state-backed criminal infrastructure, using the stolen identity of a US citizen. He participated in several rounds of video interviews and circumvented the background check processes commonly used by companies.
Q8: The press made it sound like a data breach disclosure. Was it?
No. It was a Public Service Announcement. We could have kept quiet while wiping the egg off our face. However, our mission is to make the world aware of cybercrime. If something like this can happen to us, it can happen to almost anyone. This blog post was meant to warn organizations about this particular danger. It looks like we have succeeded.
Q9: Has KnowBe4 changed their hiring process?
You bet we have! Several process changes were made so that something like this will be caught earlier. One example is that in the US we will now only ship new employee workstations to a nearby UPS store and require a picture ID for pickup.
Q10: How can I learn more about this particular risk?
At the end of the blog post, we link to a podcast from Mandiant that goes in depth on this particular danger. I strongly recommend you listen to it.
Where was this covered in the press?
- Bleeping Computer: KnowBe4 mistakenly hires North Korean hacker, faces infostealer attack
- MSN (syndicated from PCMag): Security Firm Discovers Remote Worker Is Really a North Korean Hacker
- CybersecurityNews: KnowBe4 Hired Fake North Korean IT Worker, Catches While Installing Malware
- Search Security: KnowBe4 catches North Korean hacker posing as IT employee
- Cybersecurity Insiders: KnowBe4 targeted by North Korea with Insider Threat
from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/north-korean-fake-it-worker-faq