SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

Exclusive: How KnowBe4 stopped a North Korean hacker from joining the company

Fri, 29th Nov 2024

A North Korean hacker recently attempted to infiltrate KnowBe4, the world's largest human risk management provider, in what's been described as a "daring cybersecurity breach."

The incident, marked by quick intervention from the company's security operations team, has highlighted the increasing sophistication of state-sponsored cyber threats.

Dr Martin Jonas Kraemer, Security Awareness Advocate at KnowBe4, shared details of the event in an exclusive interview.

"This isn't your normal or everyday kind of cyber security event," he explained.

"Honestly speaking, our CEO said, 'Well, we've got egg on our face.' That doesn't necessarily look good on us."

How did it all unfold?

The breach occurred when an individual, nicknamed 'Kyle' to protect the integrity of ongoing investigations, applied for a remote artificial intelligence position.

"We received a number of applications, and one stood out," Kraemer explained.

"This person went through our typical hiring process, which involves four online interviews, background checks, and a technical assessment."

All references on the applicant's CV appeared legitimate, and a new company laptop was shipped to their address.

However, the very first day "Kyle" accessed the system, KnowBe4's Security Operations Center (SOC) noticed irregularities.

"There were attempts to install illicit software from a USB flash drive and later from a local network drive," Kraemer revealed.

Despite the hacker's excuses, such as blaming the activity on a "router update," the SOC team acted swiftly.

"At 10:20 PM, 25 minutes after the laptop came online, the device was isolated, and the situation was contained," Kraemer said. Importantly, no company data was accessed during the breach.
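The first-day detection described above, as an added illustration that is not part of the article and not KnowBe4's own tooling: a small correlation routine over constructed endpoint telemetry. The event schema (`host_online`, `process_start` with a `source` field, `host_isolated`), the host names and the timestamps are all assumptions built to mirror the timeline in the interview (laptop online, installer launched from removable media, then from a network share, isolation 25 minutes after the host came online).

```python
"""Toy SOC correlation for the 'new laptop, first day' scenario.

All telemetry below is constructed for this example; the field names are a
hypothetical NDJSON schema, not any vendor's real format.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events modelled on the article's timeline.
SAMPLE_LOG = r"""
{"ts": "2024-07-15T21:55:00", "host": "LT-NEWHIRE-01", "event": "host_online"}
{"ts": "2024-07-15T22:05:00", "host": "LT-NEWHIRE-01", "event": "process_start", "image": "E:\\setup.exe", "source": "removable"}
{"ts": "2024-07-15T22:12:00", "host": "LT-NEWHIRE-01", "event": "process_start", "image": "\\\\fileserv\\tools\\installer.msi", "source": "network_share"}
{"ts": "2024-07-15T22:20:00", "host": "LT-NEWHIRE-01", "event": "host_isolated"}
{"ts": "2024-07-15T22:30:00", "host": "LT-OLDHAND-07", "event": "process_start", "image": "C:\\Program Files\\Git\\git.exe", "source": "local_disk"}
"""

# Executable types we treat as "installing software"; sources a freshly
# provisioned host should not be launching installers from.
INSTALLER_SUFFIXES = (".exe", ".msi", ".ps1", ".bat")
UNTRUSTED_SOURCES = {"removable", "network_share"}


def parse_events(log_text):
    """Parse newline-delimited JSON into dicts, sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def analyze(log_text, watch_window=timedelta(hours=24)):
    """Flag installer launches from untrusted media on hosts that only just
    came online, and measure how long each flagged host stayed un-isolated.

    Returns {host: {"alerts": [...], "minutes_online_before_isolation": int|None,
                    "minutes_from_first_alert_to_isolation": int|None}}.
    """
    hosts = {}
    for ev in parse_events(log_text):
        h = hosts.setdefault(ev["host"], {"online": None, "isolated": None, "alerts": []})
        kind = ev["event"]
        if kind == "host_online":
            h["online"] = ev["ts"]
        elif kind == "host_isolated":
            h["isolated"] = ev["ts"]
        elif kind == "process_start":
            image = ev.get("image", "")
            source = ev.get("source", "")
            if not image.lower().endswith(INSTALLER_SUFFIXES):
                continue
            if source not in UNTRUSTED_SOURCES:
                continue
            # Only hosts we have seen come online inside the watch window count
            # as "new"; a long-running workstation would go through a different rule.
            if h["online"] is None or ev["ts"] - h["online"] > watch_window:
                continue
            h["alerts"].append({"ts": ev["ts"], "image": image, "source": source})

    summary = {}
    for name, h in hosts.items():
        online_to_iso = alert_to_iso = None
        if h["alerts"] and h["isolated"] is not None:
            online_to_iso = int((h["isolated"] - h["online"]).total_seconds() // 60)
            alert_to_iso = int((h["isolated"] - h["alerts"][0]["ts"]).total_seconds() // 60)
        summary[name] = {
            "alerts": h["alerts"],
            "minutes_online_before_isolation": online_to_iso,
            "minutes_from_first_alert_to_isolation": alert_to_iso,
        }
    return summary


if __name__ == "__main__":
    for host, info in analyze(SAMPLE_LOG).items():
        print(host, len(info["alerts"]), "alert(s);",
              "isolated after", info["minutes_online_before_isolation"], "min online")
```

The rule is deliberately narrow: it keys on the combination of a just-provisioned host, an installer image and an untrusted launch source, so an established workstation running `git.exe` from local disk produces nothing. The two elapsed-time figures are what an incident review would want to compare against the 25-minute containment the article reports.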

KnowBe4 informed authorities, including the FBI, which quickly identified the hacker as part of a North Korean scheme involving fake employees.

This operation, known to U.S. authorities since 2022, is part of a broader pattern of state-sponsored cyberattacks targeting industries worldwide.

Red flags in the hiring process
Reflecting on the incident, Kraemer admitted the recruitment process missed some subtle cues. "The references were all private email addresses, and the phone numbers were untraceable VoIP numbers," he said. The applicant's profile photo was later identified as a deepfake, a modified stock image used in various fraudulent contexts.

To prevent future incidents, KnowBe4 has overhauled its hiring practices. "We've stopped delivering laptops blindly to an address. Either they're picked up in person, or verified by an employee," Kraemer explained. In addition, references are now rigorously cross-verified, sometimes with questions like, "What's the mascot of the college team you claim to have played for?"

The role of AI and deepfakes
Deepfake technology played a significant role in this breach. "The profile picture was a sophisticated deepfake, and even during the interviews, the individual used techniques to avoid detection," Kraemer said.

"AI has made it nearly impossible to differentiate real from fake content," he highlighted.

He added that recent scams have involved deepfake videos of CEOs to defraud companies out of millions. "The sophistication is staggering. Organizations must now assume all digital content could be synthetic."

Advice for organisations
Kraemer emphasised the importance of training employees to detect and respond to AI-enhanced social engineering.

"Focus on the basics," he advised. "Social engineering attacks rely on emotional manipulation and urgency. Teach employees to critically evaluate requests and avoid knee-jerk reactions."

He also encouraged companies to implement robust multi-channel verification processes.

"When in doubt, verify through an alternate method. A simple phone call can make all the difference," he said.

Growing threats in the Asia-Pacific region
While this incident occurred in the U.S., Kraemer warned of increasing cyber threats in the Asia-Pacific (APAC) region.

"Defence and cybersecurity sectors are prime targets, particularly in Australia and South Korea," he said.

Recent reports from cybersecurity firms have revealed North Korean-backed groups running schemes like "Operation Dream Jobs," which lures individuals with fake job postings. Kraemer highlighted the urgent need for regional organisations to strengthen their defences.

"Whether it's critical infrastructure or cutting-edge technology, the stakes are higher than ever," Kraemer said, urging vigilance against evolving tactics like spear phishing and ransomware attacks.

In the wake of the incident, KnowBe4 remains committed to transparency and collaboration within the cybersecurity community.

"The industry lives from information sharing and helping each other," Kraemer explained. "That's why we're sharing our story, so others can learn from it."

"Stay alert, stay vigilant, and stay protected," Kraemer concluded.