Frequently Asked Questions About KnowBe4’s Fake IT Worker Blog
July 23, 2024, I wrote a
blog post about how KnowBe4 inadvertently hired
a skillful North Korean IT worker who used the stolen identity of a US citizen. He participated in several rounds of video interviews and circumvented background check processes commonly used.
blog post about how KnowBe4 inadvertently hired
a skillful North Korean IT worker who used the stolen identity of a US citizen. He participated in several rounds of video interviews and circumvented background check processes commonly used.
The intent was to share an organizational learning moment, so you can make sure this does not happen to you. The story went viral, which is exactly what I had hoped for. Do we have egg on our face? Yes. And I am sharing that lesson with you. It’s why I started KnowBe4 in 2010. In 2024 our mission is more important than ever.
Q1:
Was any KnowBe4 system breached in this North Korean IT worker incident?
Was any KnowBe4 system breached in this North Korean IT worker incident?
No.
KnowBe4 was not breached. When we hire new employees, their user account is granted only limited permissions that allow them to proceed through our new hire onboarding process and training. They can access only a minimal number of necessary apps to go through our new employee training.
KnowBe4 was not breached. When we hire new employees, their user account is granted only limited permissions that allow them to proceed through our new hire onboarding process and training. They can access only a minimal number of necessary apps to go through our new employee training.
Q2:
What access do new employees get?
What access do new employees get?
These are apps such as their email inbox, slack, and zoom. The workstation they receive is locked down and has no data residing on it, it is essentially a laptop with nothing on it except our endpoint security and management tools
Q3:
Did the new employee get access to customer data?
Did the new employee get access to customer data?
No. This person never had access to any customer data, KnowBe4’s private networks, cloud infrastructure, code, or any KnowBe4 confidential information. They had basic communication apps and a factory-new provisioned laptop. We detected suspicious activity and responded within minutes, quarantining the entire laptop.
Q4:
Was any malware executed on the machine?
Was any malware executed on the machine?
No.
No malware was executed on the machine as it was blocked by our security tooling. A complete review of all processes, commands, network connections, and other activity on the laptop was conducted and we concluded that no further action was needed as there was suspicious activity outside of what was detected and blocked.
No malware was executed on the machine as it was blocked by our security tooling. A complete review of all processes, commands, network connections, and other activity on the laptop was conducted and we concluded that no further action was needed as there was suspicious activity outside of what was detected and blocked.
Q5:
What access did this worker have on his workstation that could have compromised customer data or perhaps used the simulated phishing platform?
What access did this worker have on his workstation that could have compromised customer data or perhaps used the simulated phishing platform?
There was nothing provided on the laptop. All of KnowBe4 data is kept in the cloud and a review of this individual’s user account determined they did not access anything other than their own email inbox. We provision access to our KnowBe4 platform through Okta. New hires are not granted access into the KnowBe4 platform until after completion of their onboarding, which this person had not completed, and therefore never had access to the platform.
Q6:
Why would someone hired as a software developer try to load malware on their new machine?
Why would someone hired as a software developer try to load malware on their new machine?
We can only guess, but the malware was an infostealer targeting data stored on web browsers, and perhaps he was hoping to extract information left on the computer before it was commissioned to him.
Q7:
How did this bad actor pass your hiring process?
How did this bad actor pass your hiring process?
This was a skillful North Korean IT worker, supported by a state-backed criminal infrastructure, using the stolen identity of a US citizen participating in several rounds of video interviews and circumvented background check processes commonly used by companies.
Q8:
The press made it sound like a data breach disclosure. Was it?
The press made it sound like a data breach disclosure. Was it?
No. It was a Public Service Announcement. We could have kept quiet while wiping the egg off our face. However, our mission is to make the world aware of cybercrime. If something like this can happen to us, it can happen to almost anyone. The blog post was meant to warn organizations about this particular danger. It looks like we have succeeded.
Q9:
Has KnowBe4 changed their hiring process?
Has KnowBe4 changed their hiring process?
You bet we have! Several process changes were made so that this thing will be caught earlier. One example is that in the US we will only ship new employee workstations to a nearby UPS shop and require a picture ID.
Q10:
How can I learn more about this particular risk?
How can I learn more about this particular risk?
On the
blog post at the end, we link to a podcast from Mandiant where they go in depth about this particular danger. I strongly recommend you listen to it.
blog post at the end, we link to a podcast from Mandiant where they go in depth about this particular danger. I strongly recommend you listen to it.
Where was this covered in the press?