Wild, true story from the security awareness and training company KnowBe4 that details how they inadvertently hired a North Korean hacker who was posing as a Western tech worker.

Kudos to them for publishing this. If it can happen to a security awareness company, it can happen to anyone (full disclosure: they've been an advertiser on my site for ages).

https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us

How a North Korean Fake IT Worker Tried to Infiltrate Us

@briankrebs Sounds like they caught him almost as soon as he got a machine and connected to their network, if the blog entry is reporting it correctly. Lucky for them that he messed up immediately and triggered all the alarms.

@not2b @briankrebs It’s not that he messed up tbh, it’s that they actually had proper monitors/logs on employee devices.

The reason dude shamelessly went about installing whatever he wanted and crawling for sensitive dox was bc 99.99% of organizations DON’T detect this type of activity. 😱

They are currently working at thousands of based companies, especially as remote engineers in tech, ai, crypto, etc.

@tay @briankrebs Sure, but if he had started out acting like a normal employee and didn't get more aggressive until he'd built up a rep as a good worker, he might have gotten away with it, even if he triggered an alarm or two. Seems he almost instantly went nuts.

@not2b @briankrebs Oh, 100%. It’s just that they don’t need to. DPRK guys tend to do *exactly* what is necessary to execute their goals.

For example, we saw resumes and GitHubs rapidly evolve when orgs started to notice mismatched geos / work history (and GH started whack-a-moling 🙇‍♀️).

They started interviewing on-cam when orgs began to flag no-cam candidates during initial screens.

No doubt they’ll delay/obfuscate initial activity if orgs start to monitor and detect it, too.