AI Engineer Hire Revealed as North Korean Cyber Spy at KnowBe4
In a concerning incident, KnowBe4 identified a gap in its hiring process that led to the employment of an individual with malicious intent, allegedly connected to North Korea. KnowBe4's blog post details the incident and prefaces it with: "No illegal access was gained, and no data was lost or compromised on any KnowBe4 systems." The individual, hired for the company's AI team, used a stolen U.S.-based identity with an AI-enhanced photo to pass four video conference interviews, background checks, and reference verifications. Once in possession of the Mac workstation, this person began triggering alerts on July 15, 2024, at 9:55 PM ET, when the company's EDR software alerted KnowBe4's Security Operations Center (SOC) to a series of malware downloads.
The SOC team intervened, and the situation became suspicious when the new hire began providing dubious explanations and eventually became unresponsive. "The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware. SOC attempted to get more details from XXXX including getting him on a call. XXXX stated he was unavailable for a call and later became unresponsive. At around 10:20pm EST SOC contained XXXX's device,"
KnowBe4 reports.

KnowBe4's response included containing the compromised device to prevent further damage and engaging cybersecurity experts at Mandiant and the FBI, which uncovered the individual's ties to a North Korean cyber group. The incident highlighted several critical issues in the hiring process, such as reliance on email references and inadequate background checks. The scam's objective was assessed to be earning income that is funneled to North Korea to support illegal activities. KnowBe4 emphasized the need for enhanced vetting procedures, robust access controls, and continuous security monitoring to prevent similar incidents in the future.
Recommendations from KnowBe4 include scanning remote devices to detect unauthorized access, verifying employees' physical location, and implementing better resume scanning techniques. KnowBe4 also recommends enhanced monitoring for continued attempts to access systems and comprehensive security awareness training for employees.