US Cybersecurity Firm Accidentally Hires North Korean Hacker

"Do we have egg on our face? Yes," says the company CEO following the hire.

US security vendor KnowBe4 has just revealed that a North Korean hacker tricked them with an AI image and stolen ID.

The hacker immediately attempted to load malware into the company’s system but was not successful. According to CEO and founder Stu Sjouwerman, “no data was lost, compromised, or exfiltrated on any KnowBe4 systems.”

The incident is now an active FBI investigation, although the hacker has not been confirmed as a nation-state actor just yet. Here’s how this somewhat embarrassing mistake happened, and how it could have been a lot worse.

Hacker Passed Background Check With Stolen ID

The hacker was able to get through all of the company’s typical new-hire routines: He responded to a job posting, sent resumes, attended four video conference interviews, passed background checks and “all other standard pre-hiring checks,” and provided references.

Once hired and sent a Mac workstation, the hacker loaded malware.

How did the hacker beat the background checks? With a genuinely valid but stolen US identity, paired with an AI-enhanced image that matched the hacker’s own face. Here’s the original stock photo image on the left, with the enhanced version on the right.

An AI image fake used by hacker, with the original image on the left.

The image was eventually detected by software, and the company’s InfoSec Security Operations Center was able to flag the issue, bringing on cybersecurity company Mandiant and the FBI.

Any Tips to Avoid This in the Future?

Sjouwerman notes in his blog post about the incident that new employees have “highly restricted” access to information when they first start, which proved to be the right move in this case.

He also offered further general advice for businesses that want to avoid this specific problem themselves:

  • Scan remote devices to ensure no one is accessing them remotely
  • Improve vetting with a focus on the employee’s physical presence being where they claim it is
  • Improve resume scanning
  • Use video interviews and verify past work
  • Check that the laptop’s shipping address is the same as where the new employee claims to live

The “what to look out for” section also lists “attempt to execute malware.” If you’re ever hired at a cybersecurity firm, don’t do that!

How Did KnowBe4 Handle It All? Very Publicly.

You’ve got to hand it to KnowBe4: If some cybersecurity companies were compromised by a hacker, they might be tempted to protect their reputation by keeping quiet about the whole matter. In sharp contrast, KnowBe4 broke the news itself in a blog post, with a follow-up FAQ page about the entire incident to boot.

“Do we have egg on our face? Yes. And I am sharing that lesson with you. It’s why I started KnowBe4 in 2010. In 2024 our mission is more important than ever.” – CEO Stu Sjouwerman

By sharing the news themselves, the company can control their own narrative. More importantly, though, they can highlight just how easily a hacker can slip through the cracks of even the best security systems.

Thanks to the prevalence of stolen databases online, millions of IDs are already leaked and available. Yours might even be among them, if you’ve ever used companies as popular and widespread as, say, Xfinity (more than 35 million customers were affected in a 2023 breach) or Ticketmaster (well over half a billion customers were impacted in a breach earlier this year).

Written by:
Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' is out from Abrams Books in July 2023. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.