North Korean Hacker Tricked US Cyber Firm Using AI Tech
US security vendor KnowBe4 has just revealed that a North Korean hacker tricked them with an AI image and stolen ID.
The hacker immediately attempted to load malware into the company’s system but was not successful. According to CEO and founder Stu Sjouwerman, “no data was lost, compromised, or exfiltrated on any KnowBe4 systems.”
The incident is now an active FBI investigation, although the hacker has not been confirmed as a nation-state actor just yet. Here’s how this somewhat embarrassing mistake happened, and how it could have been a lot worse.
Hacker Passed Background Check With Stolen ID
The hacker was able to get through all of the company’s typical new-hire routines: He responded to a job posting, sent resumes, attended four video conference interviews, passed background checks and “all other standard pre-hiring checks,” and provided references.
Once hired and sent a Mac workstation, the hacker loaded malware.
How did the hacker beat the background checks? With a genuinely valid but stolen US identity, paired with an AI-enhanced image that matched the hacker’s own face.
The image was eventually detected by software, and the company’s InfoSec Security Operations Center was able to flag the issue, bringing on cybersecurity company Mandiant and the FBI.
Any Tips to Avoid This in the Future?
Sjouwerman notes in his blog post about the incident that new employees have “highly restricted” access to information when they first start, which proved to be the right move in this case.
He also offered further general advice for businesses that want to avoid this specific problem themselves:
- Scan remote devices to ensure no one is accessing them remotely
- Improve vetting with a focus on the employee’s physical presence being where they claim it is
- Improve resume scanning
- Use video interviews and verify past work
- Check that the laptop’s shipping address is the same as where the new employee claims to live
The “what to look out for” section also lists “attempt to execute malware.” If you’re ever hired at a cybersecurity firm, don’t do that!
How Did KnowBe4 Handle It All? Very Publicly
You’ve got to hand it to KnowBe4: If some cybersecurity companies were compromised by a hacker, they might be tempted to protect their reputation by keeping quiet about the whole matter. In sharp contrast, KnowBe4 broke the news itself in a blog post, with a follow-up FAQ page about the entire incident to boot.
“Do we have egg on our face? Yes. And I am sharing that lesson with you. It’s why I started KnowBe4 in 2010. In 2024 our mission is more important than ever.” – CEO Stu Sjouwerman
By sharing the news themselves, the company can control their own narrative. More importantly, though, they can highlight just how easily a hacker can slip through the cracks of even the best security systems.
Thanks to the prevalence of stolen databases online, millions of IDs are already leaked and available. Yours might even be among them, if you’ve ever used companies as popular and widespread as, say, Xfinity (more than 35 million customers were affected in a 2023 breach) or Ticketmaster (well over half a billion customers were impacted in a breach earlier this year).
Protecting Your Organization: 10 Key Takeaways for HR Managers
Here are 10 points for HR managers to protect themselves from fake employee scenarios and what to do if they’ve been compromised:
Prevention
- Rigorous Vetting: Implement multi-layered background checks that go beyond basic criminal records. Utilize third-party services specializing in identity verification and social media analysis.
- Video Interviews: Conduct video interviews for all candidates, especially remote positions. Pay close attention to inconsistencies between the candidate’s appearance and their online presence.
- Reference Checks: Verify references thoroughly, going beyond confirming employment dates. Speak to previous supervisors and colleagues to gain a deeper understanding of the candidate’s work ethic and character.
- Behavioral Assessments: Incorporate behavioral assessments into the hiring process to evaluate a candidate’s personality traits, work style, and potential for deception.
- Red Flag Awareness: Train hiring managers to recognize red flags such as inconsistencies in resumes, evasive answers during interviews, and overly eager or insistent candidates.
- Cybersecurity Training: Make cybersecurity training a must in your organization. Any employee with access to the company’s data or electronic device must be trained in identifying phishing scams, social engineering tactics, and identifying fake profiles.
Response
- Immediate Containment: If suspicious activity is detected, immediately isolate the affected user account and restrict access to sensitive systems.
- Forensic Investigation: Engage a cybersecurity firm to conduct a thorough forensic investigation to determine the extent of the breach and identify the attacker’s methods.
- Law Enforcement Notification: Report the incident to the FBI and other relevant law enforcement agencies.
- Data Breach Response Plan: Have a comprehensive data breach response plan in place to guide actions in the event of a security incident.
- Employee Communication: Communicate transparently with employees about the incident, outlining the steps taken to mitigate the risk and protect their data.
Remember, common sense and a multi-layered approach are vital for protecting your organization from such sophisticated cyberattacks.