Company hires 'remote worker' who turns out to be North Korean hacker
A tech firm that hired a remote-working engineer for an IT team was shocked to discover that the ‘American’ worker was in fact a North Korean hacker.
Cybersecurity firm KnowBe4 posted a job advert and received a CV from, and later conducted video interviews with, the 'employee' - who also passed background checks and provided references before being hired as a principal software engineer.
The employee was sent a machine to start his remote job in the US - but the machine went to an address shared by other ‘IT mules’ while the ‘employee’ used a VPN to access it from North Korea, Knowbe4 said.
It’s not the first such case of its kind, with the FBI issuing a warning late last year that ‘fake’ IT workers from North Korea were contracting in well-paid roles.
How did the rogue employee get a job?
The ‘employee’ had passed through four video screenings, with his profile picture matching the person who appeared in the interviews (the image was a stolen image from Amazon and doctored using AI software).
KnowBe4's chief information security officer Brian Jack says that the hacker had applied "through the standard application process on a common job posting website".
"It looks like the face and likeness were modified from a photo of another individual to better resemble the identity of the person being interviewed," he told Yahoo News.
Incredibly, the worker also passed background checks. His identity was based on a real person with valid ID, which had been stolen, although checkers failed to spot certain discrepancies during the background checks.
What happened?
The company sent the ‘employee’ a Mac workstation, but as soon as it arrived, it began to perform suspicious actions including loading malicious software (malware).
Jack said: "We detected malware attempting to be loaded and run on his laptop. This kicked off our security incident response process that resulted in a conversation with the individual."
When challenged, the ‘employee’ claimed he was troubleshooting problems with his router – and then said he was unavailable for a call.
Jack said: "When the story the person was giving did not match the commands we saw being run we became highly suspicious and quickly contained the device and terminated their access."
Knowbe4 immediately informed the FBI and shared data with Mandiant, a global cybersecurity firm.
How does the scam work?
Knowbe4 explained that these fake workers ask to get their workstation sent to an address in the US that is basically an "IT mule laptop farm".
The workers then VPN in from where they really physically are (North Korea or over the border in China) and work a night shift so that they seem to be working in US daytime.
IT workers have used VPNs and other secretive tactics to work at US hi-tech firms for years, according to the FBI.
In a warning issued late last year, the FBI and the U.S. Department of Justice (DOJ) said that IT workers have been secretly sending millions of dollars back to North Korea.
It’s believed that the funds are being used for the country’s ballistic missile programme.
What are the warning signs of 'rogue' employees?
Knowbe4 urges companies to ensure background checks are rigorous, acknowledging that when they investigated, they found that the names and other details the worker used were not consistent
The company also urges employers not to rely on email references only.
Warning signs of ‘rogue’ employees include people who use VOIP numbers rather than ‘real’ phone numbers; a lack of a ‘digital footprint’; and discrepancies in details such as date of birth.
Jack advises that companies should: "Review their pre-hire screening practices to ensure that they are thoroughly validating the identity of the person. This can mean requiring more strict identity validation for certain roles".
Read more
Companies play catch-up on cybersecurity (Bloomberg)
How to keep children safe on mobile phones(Yahoo News)
Head teachers warned on cyber risk(National World)
