A North Korean Hacker Tricked a US Security Vendor Into Hiring Him—and
Immediately Tried to Hack Them
Jon Brodkin, Ars Technica
Security
Jul 26, 2024 8:00 AM
KnowBe4 detailed the incident in a recent blog post as a warning for other
potential targets.
Courtesy of Ars Technica


KnowBe4, a US-based security vendor, revealed that it unwittingly hired a North
Korean hacker who attempted to load malware into the company's network. KnowBe4
CEO and founder Stu Sjouwerman described the incident in a blog post this week,
calling it a cautionary tale that was fortunately detected before causing any
major problems.

"First of all: No illegal access was gained, and no data was lost, compromised,
or exfiltrated on any KnowBe4 systems," Sjouwerman wrote. "This is not a data
breach notification, there was none. See it as an organizational learning moment
I am sharing with you. If it can happen to us, it can happen to almost anyone.
Don't let it happen to you."

KnowBe4 said it was looking for a software engineer for its internal IT AI team.
The firm hired a person who, it turns out, was from North Korea and was "using a
valid but stolen US-based identity" and a photo that was "enhanced" by
artificial intelligence. There is now an active FBI investigation amid suspicion
that the worker is what KnowBe4's blog post called "an Insider Threat/Nation
State Actor."

KnowBe4 operates in 11 countries and is headquartered in Florida. It provides
security awareness training, including phishing security tests, to corporate
customers. If you occasionally receive a fake phishing email from your employer,
you might be working for a company that uses the KnowBe4 service to test its
employees' ability to spot scams.


PERSON PASSED BACKGROUND CHECK AND VIDEO INTERVIEWS

KnowBe4 hired the North Korean hacker through its usual process. "We posted the
job, received résumés, conducted interviews, performed background checks,
verified references, and hired the person. We sent them their Mac workstation,
and the moment it was received, it immediately started to load malware," the
company said.

Ars Technica

This story originally appeared on Ars Technica, a trusted source for technology
news, tech policy analysis, reviews, and more. Ars is owned by WIRED's parent
company, Condé Nast.

Even though the photo provided to HR was fake, the person who was interviewed
for the job apparently looked enough like it to pass. KnowBe4's HR team
"conducted four video conference based interviews on separate occasions,
confirming the individual matched the photo provided on their application," the
post said. "Additionally, a background check and all other standard pre-hiring
checks were performed and came back clear due to the stolen identity being used.
This was a real person using a valid but stolen US-based identity. The picture
was AI 'enhanced.'"

The two images at the top of this story are a stock photo and what KnowBe4 says
is the AI fake based on the stock photo. The stock photo is on the left, and the
AI fake is on the right.

The employee, referred to as "XXXX" in the blog post, was hired as a principal
software engineer. The new hire's suspicious activities were flagged by security
software, leading KnowBe4's Security Operations Center (SOC) to investigate:

> On July 15, 2024, a series of suspicious activities were detected on the user
> beginning at 9:55 pm EST. When these alerts came in, KnowBe4's SOC team reached
> out to the user to inquire about the anomalous activity and possible cause.
> XXXX responded to SOC that he was following steps on his router guide to
> troubleshoot a speed issue and that it may have caused a compromise.
> 
> The attacker performed various actions to manipulate session history files,
> transfer potentially harmful files, and execute unauthorized software. He used
> a Raspberry Pi to download the malware. SOC attempted to get more details from
> XXXX including getting him on a call. XXXX stated he was unavailable for a
> call and later became unresponsive. At around 10:20 pm EST SOC contained
> XXXX's device.

“FAKE IT WORKER FROM NORTH KOREA”

The SOC analysis indicated that the loading of malware "may have been
intentional by the user," and the group "suspected he may be an Insider
Threat/Nation State Actor," the blog post said.

"We shared the collected data with our friends at Mandiant, a leading global
cybersecurity expert, and the FBI, to corroborate our initial findings. It turns
out this was a fake IT worker from North Korea," Sjouwerman wrote.

KnowBe4 said it can't provide much detail because of the active FBI
investigation. But the person hired for the job may have logged into the company
computer remotely from North Korea, Sjouwerman explained:

> How this works is that the fake worker asks to get their workstation sent to
> an address that is basically an "IT mule laptop farm." They then VPN in from
> where they really physically are (North Korea or over the border in China) and
> work the night shift so that they seem to be working in US daytime. The scam
> is that they are actually doing the work, getting paid well, and give a large
> amount to North Korea to fund their illegal programs. I don't have to tell you
> about the severe risk of this. It's good we have new employees in a highly
> restricted area when they start, and have no access to production systems. Our
> controls caught it, but that was sure a learning moment that I am happy to
> share with everyone.

Jon Brodkin is Senior IT Reporter at Ars Technica.