North Korean hacker tries to access KnowBe4, security leaders react

On July 23, 2024, KnowBe4 announced that a North Korean hacker attempted to infiltrate its systems. According to the statement, the hacker constructed a believable identity by leveraging a valid yet stolen identity based in the United States and using an AI-enhanced image. After interviews were conducted, the hacker passed background checks and reference checks and received the job. The hacker was sent a company device, and they began to load malware onto it. Once the SOC recognized something was amiss, the device was contained and the hacker’s infiltration attempts were unsuccessful. The announcement asserts that this incident is a part of an organized, state-sponsored criminal ring. 

Security leaders weigh in 

Stephen Kowski, Field CTO at SlashNext Email Security+:

“The KnowBe4 incident reveals how state-sponsored attackers are evolving to create convincing fake identities. It’s clear we need to rethink our approach to security. This means implementing more rigorous vetting, constant monitoring and fostering seamless collaboration across HR, IT and security teams. By harnessing the power of machine learning and behavioral analysis, we can stay one step ahead of these sophisticated threats and safeguard our digital ecosystems.” 

Mr. Piyush Pandey, CEO at Pathlock:

“This incident at KnowBe4 is a great example as to why organizations need to establish continuous controls monitoring capabilities to detect and respond to suspicious activities promptly. Regular audits of employee access activities can help identify anomalies early, allowing them to initiate identity threat response protocols before a breach becomes too widespread.

“Also, strict access controls layered with technologies, such as data masking and dynamic access controls, can limit access to sensitive information. This is an important component of least privilege, ensuring employees only have access to the data necessary for their role.” 

Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start:

“North Korean operatives are increasingly infiltrating Western companies by posing as legitimate IT workers, using sophisticated methods to bypass hiring processes. They create fake identities, use proxies and exploit remote work trends to avoid detection. Companies can identify potential threats by scrutinizing resumes, verifying identities and monitoring for unusual behavior. Federal agencies like the FBI, CISA, DOJ and the Treasury Department can assist businesses by providing guidance, intelligence and legal support. The geopolitical threat includes generating revenue for North Korea’s regime, facilitating cyber espionage and straining international relations, particularly with China’s implicit support. Businesses must adopt stringent security practices and collaborate with federal agencies to mitigate these risks.” 

John Bambenek, President at Bambenek Consulting:

“Ensuring employees, and especially contractors, has been a weak spot in corporate security for as long as there have been businesses. The World Bank / Satyam debacle is probably the most extreme example. Unfortunately, this problem has gotten significantly worse since the pandemic with many companies remaining fully remote. However, the 100% in-office workplaces are far from immune. There just aren’t good answers except trying to find the obvious bad actors up front and maintaining vigilant behavioral monitoring of key employees in the workplace looking for problematic activities.”