© 2025 CoolTechZone - Latest tech news,
product reviews, and analyses.

Cybersecurity firm accidentally hires North Korean hacker


The cybersecurity company KnowBe4 was looking for a Principal Software Engineer. But instead of hiring a security expert, the company put a state-sponsored threat actor from North Korea on its payroll.

In a detailed blog post, founder and CEO of KnowBe4, Stu Sjouwerman, explains that his company was looking for a software engineer for its internal IT artificial intelligence (AI) team.

“We posted the job, received resumes, conducted interviews, performed background checks, verified references, and hired the person,” Sjouwerman said as he described the application process. But as soon as the new employee got his Mac workstation, he immediately started to load malware.

The attacker performed a series of suspicious activities to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He also used a Raspberry Pi to download malware. A KnowBe4 spokesperson told BleepingComputer that the malware was an info stealer targeting data stored on web browsers, including login credentials from a user’s online sessions.

Luckily, the company’s Endpoint Detection and Response (EDR) software detected the malicious software before it could cause harm.

KnowBe4’s Security Operations Center (SOC) collected and shared data with an external cybersecurity firm and the FBI. They confirmed the newly hired employee wasn’t a software engineer but a fake IT worker from North Korea.

The attacker got his hands on a stock photo and used AI to make subtle changes to it. The background check came back clean because the man used a valid but stolen US citizen's identity.

“This is a well-organized, state-sponsored, large criminal ring with extensive resources. The case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats,” KnowBe4 concludes.

Sjouwerman emphasizes that the state-sponsored North Korean hacker didn’t gain illegal access to KnowBe4’s systems, and no data was lost, compromised, or exfiltrated. “See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don't let it happen to you,” he says.

