Security Firm Accidentally Hires North Korean Hacker, Did Not KnowBe4

A software engineer hired for an internal IT AI team immediately became an insider threat by loading malware onto his workstation.

A security firm recently hired a software engineer for its internal AI team that turned out to be
a North Korean threat actor,
who immediately began loading malware to his company-issued workstation.
KnowBe4
, which provides security awareness and training, conducted standard pre-hiring background checks for the employee and four separate video-conference interviews with him before his hiring, Stu Sjouwerman, KnowBe4s founder, shared in
a blog post
about the situation. The company also verified that the person interviewed was the same one in the photo sent in with a resume.
The checks came back clean and the candidate for the position (principal software engineer) appeared credible and qualified, though later the company realized he was using a stolen identity and his photo was AI-enhanced.
Once the verification and hiring process was complete, KnowBe4 sent the new employee, who is referred to in KnowBe4s post as XXXX, his Mac workstation, and the moment it was received, it immediately started to load malware, Sjouwerman wrote.
On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55pm EST,

he detailed. When these alerts came in, KnowBe4s security operations center (SOC) team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to the SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.
What the employee was really doing, however, was performing various actions to manipulate session history files, transferring potentially harmful files, and executing unauthorized software using a Raspberry Pi.
KnowBe4s
SOC attempted to get him on a call to investigate further, but he said he was unavailable and later became unresponsive. By 10:20am, the SOC had quarantined XXXXs device.
KnowBe4 shared the data it collected about the employee and his activities with cybersecurity firm Mandiant and the FBI, to corroborate the companys initial findings. The company eventually discovered that XXXX was a fake IT worker from North Korea, and an FBI investigation is still ongoing.
Sjouwerman stressed to customers that no data breach occurred due to the activity, as security tooling blocked the malware before it was executed. His aim in sharing what happened at his company is to provide an organizational learning moment, he said.
Do we have egg on our face? Yes,
he wrote
. And I am sharing that lesson with you.
KnowBe4 grants new employees accounts only limited permissions for proceeding through the new hire onboarding process and training, with access to only necessary apps such an an email inbox, Slack, and Zoom. This means that XXXX never had access to any customer data, KnowBe4s private networks, cloud infrastructure, code, or any KnowBe4 confidential information, Sjouwerman said.
No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems, Sjouwerman wrote. However, if it can happen to us, it can happen to almost anyone, he added.
Indeed, North Korean threat actors are notorious for engaging in
successful cybercriminal activities
by posing as credible IT workers. Last October, the
Department of Justice warned
that the freelance IT market was
being flooded
by operatives working on behalf of the North Korean government, urging caution to companies when hiring new workers. The department found that these workers are

quietly directing their earnings to the governments sanctions-ridden nations nuclear weapons program.
“Most of these individuals who attempt to obtain employment are not physically located in the US, Sjouwerman explained. In order for them to conduct work, they require a US location for the equipment to be sent. There are small networks set up at drop locations where a US-based individual will turn on the received computers and configure them to be accessed remotely. The remote worker will then connect into the laptop farm network, and from there remote into the received device. This will cause security and access logs for that person to show up as being US-based and coming from the correct device.”
KnowBe4 has made several process changes to hiring to help ensure any potential bad actor will be detected earlier, according to the post. In the US, for example, the company now will only ship new employee workstations to a nearby UPS shop and require a picture ID to obtain it.
Other process improvements that organizations can make are to ensure all background and reference checks are verified for inconsistencies and properly vetted; review and strengthen access controls and authentication processes; and conduct security awareness training for employees to stress
social-engineering tactics
used by threat actors.
The company also made recommendations so other organizations can avoid a similar scenario, including scanning remote devices for any suspicious access or activity; improving vetting and resume scanning for inconsistencies; and checking for red flags, like a laptop shipping address thats different from where the person is supposed to live and work.
Other red flags to look out for in potential employees include the use of VoIP numbers and/or lack of digital footprint for provided contact information, and any discrepancies in addresses, personal information, or date of birth across different sources. A remote employees sophisticated use of VPNs or virtual machines should raise an alarm.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Security Firm Accidentally Hires North Korean Hacker, Did Not KnowBe4