The US-based security vendor KnowBe4 recently revealed that it had inadvertently employed a North Korean hacker who tried to infect the company’s network with malware. In a blog post, Stu Sjouwerman, the company’s CEO and founder, described the incident in detail and called it a cautionary tale about a threat that was caught before it could cause serious harm.
“First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems,” wrote Sjouwerman. “There was no data breach; this is not a notification of one. Consider it a sharing of a moment of organizational learning with you. Almost everyone can experience it if it can happen to us. Keep that from happening to you.”
KnowBe4, headquartered in Florida and operating in 11 countries, specializes in security awareness training, including phishing security tests. The firm was searching for a software engineer for its internal IT AI team when it hired a North Korean individual using a stolen US identity and an AI-enhanced photo. The FBI is now investigating the case, suspecting the worker to be an “Insider Threat/Nation State Actor.”
Despite thorough pre-employment procedures, including video interviews and background checks, the hacker managed to deceive KnowBe4’s hiring process. “We posted the job, received resumes, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware,” the company reported.
The hacker, referred to as “XXXX,” was hired as a principal software engineer. Suspicious activity was flagged by KnowBe4’s Security Operations Center (SOC), prompting an investigation. On July 15, 2024, the SOC detected and contained the malicious activity, suspecting that the user had intentionally installed malware. The collected data was shared with the cybersecurity firm Mandiant and the FBI, which confirmed that the fake IT worker was of North Korean origin.
Sjouwerman highlighted the broader implications of the incident, emphasizing the severe risk of such scams. He reassured that new employees are initially restricted from accessing production systems, which helped contain the threat. “Our controls caught it, but that was sure a learning moment that I am happy to share with everyone,” Sjouwerman concluded.