A “U.S.-based security vendor,” KnowBe4, revealed that they were tricked into hiring a North Korean hacker. The first thing he did when he got his access codes was attempt “to load malware into the company’s network.” They didn’t know he was a North Korean before they sent him a laptop. The good news is that they caught him instantly and he didn’t do a bit of damage. They were rattled about being breached so easily that they went public to alert the whole industry.
This hacker was busted
This particular North Korean hacker got busted before he could do any real damage. There is a whole unit of them still working diligently, undercover. There hasn’t been an arrest because there are no clues to the infiltrator’s real identity.
The photo the person used isn’t even of a real person. It’s an AI composite made from a publicly available stock photo. It was convincing enough to match the face shown on video conference during the interviews.
CEO and founder Stu Sjouwerman described the incident in a blog post on Wednesday, July 24. “First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems,” Sjouwerman assures.
American cybersecurity company KnowBe4 says a person it recently hired as a Principal Software Engineer turned out to be a North Korean state actor who attempte…
Source: BleepingComputer https://t.co/anSUIExVnD
— Khairul Shukeri ✨ (@khairulshukeri) July 26, 2024
“This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with you.” If they can get conned by a hacker, anyone can. “If it can happen to us, it can happen to almost anyone. Don’t let it happen to you.”
They wanted to fill a “software engineer” position on their internal IT AI team. The Florida-based security awareness training consultants used their standard recruiting process. They didn’t think a hacker could get through it, but one obviously did.
“We posted the job, received resumes, conducted interviews, performed background checks, verified references, and hired the person.”

Valid but stolen ID
The person they hired doesn’t actually match the identity they verified. “We sent them their Mac workstation, and the moment it was received, it immediately started to load malware.”
The workstation was mailed to a U.S. address but the machine was accessed by the hacker remotely from North Korea. It’s one of their favorite pastimes.
Sjouwerman explained how it works. “The fake worker asks to get their workstation sent to an address that is basically an ‘IT mule laptop farm.’ They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in U.S. daytime.”
fascinating story from @KnowBe4: "How a North Korean Fake IT Worker Tried to Infiltrate Us"
one can only wonder how many fake workers are currently active in companies https://t.co/l1S8F1DiK7 pic.twitter.com/uwNnNviszD — Philipp Krenn (@xeraa) July 25, 2024
This hacker was way too bold and went for a major attack right from the beginning.
“The new hire’s suspicious activities were flagged by security software, leading KnowBe4’s Security Operations Center to investigate.” Specifically, “on July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55 pm EST.” As soon as the alarms started beeping, “KnowBe4’s SOC team reached out to the user to inquire about the anomalous activity and possible cause.”
The hacker “responded to SOC that he was following steps on his router guide to troubleshoot a speed issue.” Wrong answer. He did a lot more than that. “The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware.” They pulled his plug and haven’t heard from him since. The FBI now has their entire file. Maybe they will have some luck.
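The three behaviours quoted above (activity starting late in the evening on a brand-new account, manipulation of session history files, and execution of unauthorized software) are exactly the kind of thing a SOC can turn into simple detection rules. The script below is an added example written for this article, not KnowBe4’s code or telemetry: it runs three such rules over a handful of constructed endpoint events. The event schema, user names, file paths and the fixed Eastern-time offset are all assumptions made for the example.

```python
"""Constructed example (not KnowBe4's code or telemetry): three detection rules
matching the behaviours the post quotes, run over a few made-up endpoint
events. Field names and paths are assumptions, not any real EDR schema."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import posixpath

# Fixed US Eastern daylight offset for the July dates used below; production
# code would use a proper zoneinfo zone so DST is handled automatically.
BUSINESS_TZ = timezone(timedelta(hours=-4), name="EDT")
BUSINESS_START, BUSINESS_END = 7, 19   # local hours treated as a normal workday
NEW_HIRE_DAYS = 30                     # accounts younger than this get stricter rules

# Shell/REPL history files an attacker may edit or delete to hide activity.
HISTORY_FILES = {".bash_history", ".zsh_history", ".sh_history", ".python_history"}
# Locations from which a freshly provisioned workstation should not be running binaries.
UNTRUSTED_EXEC_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/")


@dataclass(frozen=True)
class Event:
    ts: datetime      # timezone-aware, UTC
    user: str
    action: str       # "file_write" | "file_delete" | "process_exec"
    target: str       # path written/deleted, or executable launched


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    ts: datetime
    detail: str


def is_off_hours(ts: datetime) -> bool:
    """True if the event falls outside the business-hours window in the company's zone."""
    local_hour = ts.astimezone(BUSINESS_TZ).hour
    return not (BUSINESS_START <= local_hour < BUSINESS_END)


def tampers_with_history(ev: Event) -> bool:
    return ev.action in ("file_write", "file_delete") and posixpath.basename(ev.target) in HISTORY_FILES


def executes_from_untrusted_path(ev: Event) -> bool:
    return ev.action == "process_exec" and (
        ev.target.startswith(UNTRUSTED_EXEC_PREFIXES) or "/Downloads/" in ev.target)


def evaluate(events, hire_dates):
    """Run all rules over events; hire_dates maps user -> tz-aware hire timestamp."""
    alerts = []
    off_hours_runs = defaultdict(list)   # (user, local date) -> events, alert once per night
    for ev in sorted(events, key=lambda e: e.ts):
        if tampers_with_history(ev):
            alerts.append(Alert("session_history_tamper", ev.user, ev.ts, ev.target))
        if executes_from_untrusted_path(ev):
            alerts.append(Alert("untrusted_exec", ev.user, ev.ts, ev.target))
        hired = hire_dates.get(ev.user)
        is_new_hire = hired is not None and ev.ts - hired <= timedelta(days=NEW_HIRE_DAYS)
        if is_new_hire and is_off_hours(ev.ts):
            off_hours_runs[(ev.user, ev.ts.astimezone(BUSINESS_TZ).date())].append(ev)
    for (user, day), run in off_hours_runs.items():
        alerts.append(Alert("new_hire_off_hours", user, run[0].ts,
                            f"{len(run)} events on {day} outside {BUSINESS_START:02d}-{BUSINESS_END:02d} local"))
    return alerts


def utc(y, mo, d, h, mi):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed sample: a user hired a week earlier becomes active at 21:55 Eastern
# (01:55 UTC next day), edits shell history and runs binaries from temp/download paths.
SAMPLE_HIRE_DATES = {"newhire": utc(2024, 7, 8, 13, 0), "alice": utc(2021, 3, 1, 13, 0)}
SAMPLE_EVENTS = [
    Event(utc(2024, 7, 15, 14, 30), "alice",   "process_exec", "/usr/bin/git"),
    Event(utc(2024, 7, 16, 1, 55),  "newhire", "process_exec", "/Users/newhire/Downloads/netcheck"),
    Event(utc(2024, 7, 16, 1, 57),  "newhire", "file_write",   "/Users/newhire/.zsh_history"),
    Event(utc(2024, 7, 16, 1, 58),  "alice",   "process_exec", "/usr/bin/ssh"),   # long-tenured, no new-hire rule
    Event(utc(2024, 7, 16, 2, 3),   "newhire", "file_delete",  "/Users/newhire/.bash_history"),
    Event(utc(2024, 7, 16, 2, 10),  "newhire", "process_exec", "/tmp/.cache/update"),
]


def run_sample():
    return evaluate(SAMPLE_EVENTS, SAMPLE_HIRE_DATES)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts.astimezone(BUSINESS_TZ):%Y-%m-%d %H:%M} {a.rule:24} {a.user:8} {a.detail}")
```

Two design choices matter here. The off-hours rule is scoped to accounts younger than thirty days and fires once per user per local night rather than per event, because a long-tenured engineer working late is normal but a week-old account that first appears at 22:00 is the signal the post describes. The history-file and untrusted-path rules are deliberately independent of the time of day, so they still fire if the remote worker learns to keep daytime hours.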