A North Korean operative using the stolen identity of a person in the United States navigated his way through a background check, reference verifications, and four video conferenced-based interviews before being hired as a software engineer by cybersecurity firm KnowBe4.

He was only caught when, immediately after receiving the corporate-issued Mac he was to use in his remote job, started to load malware into KnowBe4’s systems.

“The EDR [endpoint detection and response] software detected it and alerted our InfoSec Security Operations Center,” KnowBe4 founder and CEO Stu Sjouwerman wrote in a blog post this week. “The SOC called the new hire and asked if they could help. That’s when it got dodgy fast.”

The company shared the data it had collected with Google-owned cybersecurity company Mandiant and the FBI.

“It turns out this was a fake IT worker from North Korea,” Sjouwerman wrote. “The picture [used by the operative in his application] is an AI fake that started out with stock photography.”

The FBI is investigating the case, but the CEO said the operative wasn’t able to gain illegal access into the systems and wasn’t able to steal or compromise data. Instead, he said he was sharing the story as a cautionary tale for other businesses that may run into the same scam that ensnared KnowBe4, whose business revolves around security awareness training.

An Ongoing Scam

The North Korean regime, which is one of the world’s top exporter of cybercrime, for years has been planting IT workers from the country in businesses around the globe to steal information in extortion and espionage campaigns and to money, which is then fed back into North Koreas ballistic and nuclear weapons programs.

Often the country will send workers out of the country, most often to China and Russia, in hopes of giving them the air of legitimacy and entice organizations to hire them for remote IT positions on a freelance basis. The workers use false names and email addresses, fake websites, social media platforms, payment methods, and online job site accounts, according to the U.S. Justice Department (DOJ). They at times will use proxy computers in the United States and other countries.

They can collectively make millions of dollars a year that is funneled back to North Korea.

The FBI and U.S. State and Treasury departments in 2022 in an advisory warned companies about the scams, pointing to North Korean programs used to train citizens in mathematics and science before they area used to trick companies. A fake IT worker can earn up to $300,000 a year and collectively bring in more than $3 million, the agencies wrote.

Law Enforcement Actions

In October 2023, the DOJ said that U.S. law enforcement agencies over the year had seized 17 web domains and almost $1.5 million in a long-term initiative to shut down such North Korean operations.

Earlier this year, the agency announced another major effort to disrupt such IT worker scams directed by North Korea, unsealing indictments, seizing property, and taking other legal actions. In court documents, the DOJ outlined how the North Korean government had dispatched thousands of skilled IT workers around the world posing as domestic workers. In this particular operation, more than 300 U.S. companies were infiltrated.

Charges were filed against an Arizona woman and a Ukrainian man, as well as three unidentified foreign nationals. Christina Marie Chapman of Arizona was charged with running a “laptop farm” inside her home, hosting the computers of overseas IT workers to make it appear that those workers were located in the United States. She also received and forged payroll checks and had the direct deposits of those workers wages sent to her U.S. financial accounts.

Taking the Bait

KnowBe4 fell into a similar trap. The worker in questioned answered a KnowBe4 ad seeking a software engineer for its internal IT AI team, according to Sjouwerman. After making it through the interview and vetting process, he was hired as a principal software engineer. On July 15, the EDR software detected a series of suspicious activities on the person’s account.

The SOC contacted the worker, who said he was following steps on his router guide to troubleshoot a speed issue, which may have led to a compromise. He took steps to manipulate history files, transfer potentially harmful files, and launch unauthorized software. The worker also used a Raspberry Pi to download the malware, the CEO wrote. Later that day, he told the SOC team he was wasn’t available for a call and then later stopped responding.

KnowBe4 then contained his device.

“How this works is that the fake worker asks to get their workstation sent to an address that is basically an ‘IT mule laptop farm,’” Sjouwerman wrote. “They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in US daytime.”

Greater Diligence in Hiring Needed

He suggested that companies scan their remote device to ensure no one is remotely using them, make sure people are physically where they should be, look deeper at resumes for career inconsistencies, and get workers on video. Also, shipping a company-issued laptop to an address that’s different from where they say they live is suspicious.

They also have to be better at the hiring process, including with background checks and references. Don’t rely on email references.

“This is a well-organized, state-sponsored, large criminal ring with extensive resources,” Sjouwerman wrote. “The case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats.”