Writing in the company blog, KnowBe4 CEO Stu Sjouwerman detailed a seemingly thorough interview process that included background checks, verified references, and four video conference-based interviews. The worker avoided being caught by using a valid identity stolen from a US-based individual.
The scheme was further enhanced by the actor using a stock image augmented by artificial intelligence.
An internal investigation began when KnowBe4's InfoSec Security Operations Center team noticed "a series of suspicious activities" from the new hire.
The remote worker was sent an Apple laptop, which the company flagged on July 15 when malware was found. The company's Endpoint Detection and Response software also flagged the AI-filtered photo.
Later that evening, the SOC team had "contained" the fake worker's systems after he stopped responding to outreach. During a roughly 25-minute period, "the attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorised software," Sjouwerman wrote in the post.
"He used a [single-board computer] Raspberry Pi to download the malware."
The company then shared its data and findings with the FBI and Mandiant, the Google-owned cyber firm. It concluded that the worker was a fictional persona operating from North Korea.
KnowBe4 said the fake employee likely had his workstation connected "to an address that is an 'IT mule laptop farm.'" They would then use a VPN to work the night shift from where they live—in this case, North Korea "or over the border in China."
This work would take place overnight, making it look like they were logged on during normal US business hours. "The scam is that they are actually doing the work, getting paid well, and giving a large amount to North Korea to fund their illegal programs,"
Sjouwerman wrote. "I don't have to tell you about the severe risk." Despite the intrusion, Sjouwerman said "no illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems."
He attributed the incident to a threat actor that "demonstrated a high level of sophistication in creating a believable cover identity" and identified "weaknesses in the hiring and background check processes."