COMMENTARY: So our HR team posts a new position to a job board. The opening calls for a “Principal Engineer of AI,” a full-stack developer and highly-specialized technical leader.
It’s a remote because it's challenging to recruit such a talent. A resume screening and series of video interviews follow. The individual passes all standard tests, including personality and cognitive tests. The candidate speaks eloquently about their accomplishments, demonstrating a full grasp of AI technology. We present an offer, and then do a background check and I-9 verification. The person is then hired.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
The onboarding process begins, IT ships a laptop to the new hire. Suddenly, the security team gets woken up by an alert – someone has attempted to run malware and escalate privileges. Yikes, it’s the newly-hired employee. The security team springs into action, responds to the user via Slack, asking why malware was installed on the system. The individual claims to be troubleshooting a router speed issue, following recommendations found in a guide. When the security team asks to see this guide, the conversation suddenly goes into radio silence.
This is exactly how events unfolded at my company, KnowBe4.
Unmasking the North Korean operative
We initiated a lockdown on the individual’s machine when the threat was discovered. In our investigation we noticed something odd about this person’s photograph. Using Google Lens, we discovered the photo was a stock image, edited using AI. Turns out the remote employee was an imposter.
Following some analysis, it was determined that the malware was a type that aimed to escalate privileges by targeting stored cookies or sessions from the previous laptop user. We sought guidance from Mandiant and the FBI, and they were able to use one of the artifacts related to the resume to link it to another case they were handling.
The investigators concluded that we had been infiltrated by a North Korean advanced persistent threat (APT) operation, known as DPRK remote IT workers or North Korean IT workers.
The U.S. government believes that thousands of DPRK (Democratic People’s Republic of Korea) IT workers have been using fake identities to infiltrate hundreds of organizations via remote working jobs, secretly sending funds back to the home country in hopes of supporting its political and military ambitions.
Operatives working for North Korean IT workers aims to secure employment, earn money, and send it back to their government. But the true danger lies in their collaboration with the APT sector of North Korea's cyber army. Essentially, if an APT group wishes to infiltrate a specific company, they will leverage its inside man to run tasks like installing malware, providing credentials, or facilitating illicit activities. While the objective may be financial gain, there’s also potential for more severe threats.
Why didn’t we detected this threat?
As I mentioned in the intro summary, the candidate passed our recruitment background checks and several rounds of interviews. When the laptop was shipped to the remote worker, we believe it’s final destination was a laptop farm where a U.S.-based handler operates a small network enabling remote access for offshore hackers.
Since VPNs are relatively easy to pick up, it’s suspected that hackers use technologies like kernel-based virtual machines (KVMs), which have a remote access signature or footprint entirely different from a VPN. They also use a remote desktop protocol (RDP) connection, which lets it fly under the radar of endpoint security systems. Its signature looks more like a plugged-in keyboard or mouse, where adversaries can control the machine remotely using an ordinary web browser.
With the benefit of some hindsight, here are some important lessons learned from our experience for companies to consider:
- Tighten recruitment policies and security procedures: Potential employees, especially remote, should be interviewed in person by someone the organization trusts to verify their identity, work history and references. Impose stricter vigilance and monitoring on remote devices, data, and unusual activity.
- Deploy strong security and segmentation: There were two reasons we were able to detect, prevent and contain the threat quickly. First, we limit access to new hires to only specific systems (principle of least privilege). The hacker could not execute lateral movement. Second, because we had an endpoint, detection and response (EDR) tool in place, it immediately blocked the malware from executing and triggered an alert to our team. We also use phishing-resistant multi factor authentication (MFA) to prevent hackers from exploiting stolen credentials.
- Leverage automation: Consider platforms and systems that have fraud detection built-in, that let hiring teams review resumes in an automated way, able to inspect images and photographs, looking for signs of AI tampering.
- Improve education and preparedness: Educate interviewers about the possibility of fake employee candidates. Human intuition and intelligence is a superpower in such situations. Our minds can identify signals, read between the lines and sense risks. Organizations must invest in employee training, preparedness and procedures, to help identify, resist and report risks.
This experience with the North Korean remote worker scams shows that even companies like KnowBe4 that specialize in security awareness can get tricked by today’s relentless state-sponsored threat actors. It’s an old cliché, but it’s not a matter of if, it’s when a company will get hacked. But by using the principle of least privilege and having the proper EDR tools on-the-ready, we were in a position to respond quickly and contain any damage.
Stu Sjouwerman, founder and CEO, KnowBe4
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.