KnowBe4 warns of North Korean fake employee hiring scam

KnowBe4 has issued a warning to organisations regarding a North Korean fake employee hiring scam. The announcement follows an incident where the security firm inadvertently hired a fake employee, whose activities were swiftly detected and neutralised.

The fake employee in question was discovered shortly after beginning their role when they accessed a provided laptop in unusual ways. KnowBe4's systems flagged the activity within 25 minutes, leading to the immediate termination of the employee's access privileges. This prompt action ensured that no illegal access or data compromise occurred.

"There are common signs of this fake employee hiring scheme both during and after the hiring process," stated Stu Sjouwerman, CEO of KnowBe4. "Every organisation should educate all employees involved in the hiring process about the risks and consider various mitigation tactics such as updating the organisation's hiring process to include asking the candidate to submit fingerprints for identity verification purposes, threat model the organisation's hiring process, and more. We were inspired to share our experience with this unfortunate situation to bring awareness to how pervasive this situation is and to use it as a warning to help protect other organisations from falling victim."

To provide further guidance, KnowBe4 has released a white paper detailing the prevalence of the North Korean fake employee industry. The document highlights signs to look out for and suggests ways organisations can bolster their hiring policies to prevent such occurrences. Recommendations include enhanced screening methods, such as background checks and video interviews, and improvements in access controls and authentication processes.

KnowBe4's experience underscores the sophistication of these scams. The hired individual underwent four video conference interviews, had their background checked, and their references verified – all standard pre-hiring checks. Despite these measures, the individual's use of a stolen US-based identity and AI-enhanced images enabled them to join the company. The individual began downloading malware immediately upon receiving their Mac workstation, which triggered the company's endpoint detection response (EDR) software.

The security operations centre (SOC) at KnowBe4 took immediate action and reached out to the new hire to discuss the detected anomalies. The responses from the fake employee raised further suspicions, leading to the containment of the device around 25 minutes after the initial alert. Subsequent investigations showed that the individual was using a raspberry pi device to download malware and was physically located in North Korea or possibly just over the border in China, remotely accessing company systems using a virtual private network (VPN).

KnowBe4 collaborated with Mandiant and the FBI to corroborate their findings and address the issue. The case is currently under active investigation by the FBI. In the interim, KnowBe4 has shared various preventative tips and recommended process improvements to help other organisations avoid similar incidents. These include better vetting of remote devices, improved monitoring of hiring inconsistencies, and stricter enforcement of access controls.

Key signs to look out for include the use of VOIP numbers and a lack of a digital footprint, discrepancies in personal information, the sophisticated use of VPNs, and efforts to cover up suspicious activities. Organisations are encouraged to alert HR about potentially fraudulent hires that show a high level of sophistication in creating credible cover identities.

The incident at KnowBe4 serves as a stark reminder of the continuous and evolving nature of threats posed by advanced persistent actors. The organisation's quick response prevented any data breach, but the case highlights the critical necessity for robust vetting processes, continuous security monitoring, and strong coordination between HR, IT, and security teams.