In a startling incident, KnowBe4, a US-based security training company, discovered it had mistakenly hired a North Korean hacker as a software engineer. The revelation came to light after the hacker’s newly issued company computer became infected with malware.
KnowBe4, known for developing security awareness programs to combat phishing attacks and other cyber threats, recently onboarded a remote software engineer who successfully passed the interview and background check process. However, last week, suspicions arose when the employee received a company-issued Mac, which immediately began loading malware.
“The moment it was received, it immediately started to load malware,” KnowBe4 detailed in a blog post on Tuesday.
The malware was detected by the Mac’s onboard security software. With the assistance of the FBI and Google’s security arm, Mandiant, KnowBe4’s investigation revealed that the supposed software engineer was, in fact, a North Korean hacker posing as an IT worker.
Fortunately, KnowBe4’s swift response contained the infected Mac before the hacker could compromise the company’s internal systems. Initially, the company’s IT team reached out to the employee, who claimed he was troubleshooting a speed issue by following steps on his router guide. In reality, the employee was manipulating session files and executing unauthorized software, including using a Raspberry Pi to load the malware.
When the security team attempted to call the employee, he “stated he was unavailable for a call and later became unresponsive.”
Further investigation revealed that KnowBe4 had shipped the work computer to an address linked to an “IT mule laptop farm,” which the hacker accessed via a VPN.
Although the breach was thwarted, the incident highlights the growing threat of North Korean hackers exploiting remote IT jobs to infiltrate US companies. And this is not a new problem. In May, the US government warned that North Korean operatives had been using identities from over 60 real US citizens to secure remote positions.