Florida security awareness training firm KnowBe4 on Tuesday said a North Korean operative posing as a software engineer slipped past its hiring background checks and spent the first 25 minutes on the job attempting to plant malware on a company workstation.
KnowBe4 said its security team detected suspicious activities coming from a newly hired Principal Software Engineer’s workstation and quickly determined the malicious insider was using a Raspberry Pi to download malware, manipulate session history files, and execute unauthorized software.
“We sent them their Mac workstation, and the moment it was received, it immediately started to load malware,” KnowBe4 chief executive Stu Sjouwerman said.
Sjouwerman said the employee, whose identity turned out to be an AI deepfake, is one of hundreds of cases of North Korean nation-state operatives posing as IT workers to infiltrate US companies. Just last month, the US government announced charges, seizures and arrests to disrupt a scheme in which North Korean IT workers infiltrated hundreds of companies and earned millions of dollars for North Korea.
KnowBe4 said it first flagged the incident on July 15, 2024 at 9:55pm EST, when anti-malware software sent alerts about anomalous activity. Upon investigation, the new employee said he had been following the steps in his router guide to troubleshoot a speed issue and that this may have caused a compromise.
However, Sjouwerman said the attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software.
“He used a Raspberry Pi to download the malware. We attempted to get more details from [the employee] including getting him on a call [but] he said he was unavailable for a call and later became unresponsive.”
At around 10:20pm EST, Sjouwerman said, the company contained the infected workstation, and he stressed that “no access was gained or compromised on KnowBe4 systems.”
“How this works is that the fake worker asks to get their workstation sent to an address that is basically an ‘IT mule laptop farm’. They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in US daytime,” Sjouwerman added.
“The scam is that they are actually doing the work, getting paid well, and giving a large amount to North Korea to fund their illegal programs. I don’t have to tell you about the severe risk of this.”
The KnowBe4 CEO warned that the unidentified North Korean operative showed “a high level of sophistication in creating a believable cover identity, exploiting weaknesses in the hiring and background check processes, and attempting to establish a foothold” within his company.