Frequently Asked Questions About KnowBe4's Fake IT Worker Blog
On July 23, 2024, I wrote a blog post about how KnowBe4 inadvertently hired a skillful North Korean IT worker who used the stolen identity of a US citizen. He participated in several rounds of video interviews and circumvented commonly used background check processes.
Updated 7/27/2024
The intent was to share an organizational learning moment, so you can make sure this does not happen to you. The story went viral, which is exactly what I had hoped for, but the press coverage was uneven. Do we have egg on our face? Yes. And I am sharing that lesson with you. It's why I started KnowBe4 in 2010. In 2024 our mission is more important than ever.
Q1: Was any KnowBe4 system breached in this North Korean IT worker incident?
No. KnowBe4 was not breached. When we hire new employees, their user account is granted only limited permissions that allow them to proceed through our new hire onboarding process and training. They can access only a minimal number of necessary apps to go through our new employee training.
Q2: What access do new employees get?
These are apps such as their email inbox, Slack, and Zoom. The workstation they receive is locked down and has no data residing on it; it is essentially a laptop with nothing on it except our endpoint security and management tools.
Q3: Did the new employee get access to customer data?
No. This person never had access to any customer data, KnowBe4's private networks, cloud infrastructure, code, or any KnowBe4 confidential information. They had basic communication apps and a factory-new provisioned laptop. We detected suspicious activity and responded within minutes, quarantining the entire laptop.
Q4: Was any malware executed on the machine?
No. No malware was executed on the machine as it was blocked by our security tooling. A complete review of all processes, commands, network connections, and other activity on the laptop was conducted and we concluded that no further action was needed as there was no suspicious activity outside of what was detected and blocked.
Q5: What access did this worker have on his workstation that could have compromised customer data or perhaps used the simulated phishing platform?
There was nothing provided on the laptop. All KnowBe4 data is kept in the cloud, and a review of this individual's user account determined they did not access anything other than their own email inbox. We provision access to our KnowBe4 platform through Okta. New hires are not granted access to the KnowBe4 platform until after completion of their onboarding, which this person had not completed, and therefore they never had access to the platform.
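The staged access described in Q1, Q2 and Q5 (communication apps only until onboarding is complete, then platform access via SSO) and the account review mentioned in Q5 can be expressed as a small policy check. The following is an added example written for this FAQ, not KnowBe4's own code or Okta configuration; the stage names, app names and the sample access log are constructed for illustration.

```python
"""Onboarding-gated access policy and account review (added example).

Assumptions (constructed, not from the page): the onboarding stage names,
the app names assigned at each stage, and the SSO-style access log below.
"""
from dataclasses import dataclass, field

# Apps a user may reach at each onboarding stage. The "new_hire" stage is the
# minimal set from Q2 (mailbox, chat, video, training); the platform and
# source repo only appear once onboarding is complete.
STAGE_APPS = {
    "new_hire": {"email", "slack", "zoom", "training"},
    "onboarded": {"email", "slack", "zoom", "training",
                  "knowbe4_platform", "source_repo"},
}


@dataclass
class Account:
    user: str
    stage: str
    # Apps actually assigned to the account (e.g. via an SSO group membership).
    assigned_apps: set = field(default_factory=set)


def allowed_apps(stage):
    """App set the given stage permits; an unknown stage permits nothing."""
    return STAGE_APPS.get(stage, set())


def overprovisioned(account):
    """Apps assigned beyond what the account's stage allows (privilege drift)."""
    return sorted(account.assigned_apps - allowed_apps(account.stage))


def review_access_log(account, log):
    """Summarise one account's activity from an SSO-style access log.

    log: iterable of (timestamp, user, app, outcome) tuples.
    - apps_used: apps the user successfully reached
    - violations: successful access to an app outside the stage's set
    - denied_attempts: blocked attempts at apps outside the stage's set
      (worth a look even though nothing was reached)
    """
    allowed = allowed_apps(account.stage)
    used, violations, denied = set(), [], []
    for ts, user, app, outcome in log:
        if user != account.user:
            continue
        if outcome == "success":
            used.add(app)
            if app not in allowed:
                violations.append((ts, app))
        elif app not in allowed:
            denied.append((ts, app))
    return {"apps_used": sorted(used),
            "violations": violations,
            "denied_attempts": denied}


# Constructed sample log: jdoe reads mail twice and is denied the platform;
# asmith reaches the platform successfully.
SAMPLE_LOG = [
    ("2024-07-15T14:02:11Z", "jdoe", "email", "success"),
    ("2024-07-15T14:05:40Z", "jdoe", "knowbe4_platform", "denied"),
    ("2024-07-15T14:06:02Z", "jdoe", "email", "success"),
    ("2024-07-15T15:20:00Z", "asmith", "knowbe4_platform", "success"),
]

if __name__ == "__main__":
    new_hire = Account("jdoe", "new_hire", {"email", "slack", "zoom"})
    print(review_access_log(new_hire, SAMPLE_LOG))
    # An account still in onboarding that somehow holds a repo assignment:
    print(overprovisioned(Account("jdoe", "new_hire", {"email", "source_repo"})))
```

Run against the constructed log, the new hire's review shows only the mailbox in use, no violations, and one denied platform attempt; the same log reviewed for an account that reached the platform while still in the "new_hire" stage reports that access as a violation. The `overprovisioned` check is the complementary control: it flags assignments that exceed the stage before anyone uses them.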
Q6: Why would someone hired as a software developer try to load malware on their new machine?
We can only guess, but the malware was an infostealer targeting data stored on web browsers, and perhaps he was hoping to extract information left on the computer before it was commissioned to him.
Q7: How did this bad actor pass your hiring process?
This was a skillful North Korean IT worker, supported by a state-backed criminal infrastructure, using the stolen identity of a US citizen. He participated in several rounds of video interviews and circumvented the background check processes commonly used by companies.
Q8: The press made it sound like a data breach disclosure. Was it?
No. It was a Public Service Announcement. We could have kept quiet while wiping the egg off our face. However, our mission is to make the world aware of cybercrime. If something like this can happen to us, it can happen to almost anyone. The blog post was meant to warn organizations about this particular danger. It looks like we have succeeded.
Q9: Has KnowBe4 changed their hiring process?
You bet we have! Several process changes were made so that this kind of thing will be caught earlier. One example is that in the US we will only ship new employee workstations to a nearby UPS shop and require a picture ID for pickup.
Q10: How can I learn more about this particular risk?
At the end of the blog post, we link to a podcast from Mandiant where they go in depth about this particular danger. I strongly recommend you listen to it. The U.S. Government is aware of this threat and has been warning against it since 2022. Here is the link!
Q11: How has the press been covering this?
Uneven. Many technical media outlets have been cool, calm and collected, considered this a great cautionary tale, and appreciated us being transparent. Other outlets took the "If it bleeds, it leads" sensational angle. They turned it into "data breach" clickbait and only casually mentioned at the end that no harm was done.
Here is a fun exercise. Check out the coverage and see who got it right. Draw your own conclusions.
- Ars Technica: North Korean hacker got hired by US security vendor, immediately loaded malware
- Bleeping Computer: KnowBe4 mistakenly hires North Korean hacker, faces infostealer attack
- CybersecurityNews: KnowBe4 Hired Fake North Korean IT Worker, Catches While Installing Malware
- Search Security: KnowBe4 catches North Korean hacker posing as IT employee
- Cybersecurity Insiders: KnowBe4 targeted by North Korea with Insider Threat
- Axios: North Korean workers infiltrate cyber industry