North Korean spy successfully managed to infiltrate cybersecurity training firm using stolen credentials and a fake VPN — here's how you could avoid becoming a victim

North Korean flag made of binary code
(Image credit: Shutterstock)

Remote hiring, once a niche practice, has become the norm for many organizations worldwide. 

However cybersecurity awareness training company KnowBe4 recently discovered it had inadvertently hired a North Korean spy, who managed to bypass its security measures, highlighting critical vulnerabilities in modern recruitment processes.

The deception was uncovered when the company-provided laptop immediately began downloading malware upon its first use. Fortunately, KnowBe4’s security systems detected the threat early, preventing any data compromise.

The deception uncovered: How a spy infiltrated KnowBe4

In July 2024, KnowBe4’s US branch hired “a qualified candidate” for a remote position.

Despite rigorous background checks and multiple video interviews, the individual, who was later revealed to be a North Korean spy, managed to infiltrate the company. 

The incident serves as a stark reminder that even the most security-conscious organizations must remain vigilant and continually adapt their practices to counter emerging threats.

Brian Jack, CISO at KnowBe4 told TechRadar Pro, "There was no VPN involved in our case and no stolen credentials. We don't know if the ID that they provided was stolen or like other DPRK cases used with the knowledge of the person whose real identity it was."

One of the key takeaways from KnowBe4’s experience is the importance of recognizing potential red flags during the recruitment process. Fraudsters are becoming increasingly sophisticated, using advanced techniques to create fake but believable identities. Here are some common signs that may indicate a candidate is not who they claim to be:

  • Inconsistencies in birth dates, educational backgrounds, or unexplained gaps in employment history should raise suspicion. Fraudsters may provide incomplete or misleading information to avoid detection.
  • Simple email verifications are no longer sufficient. It’s essential to conduct phone calls with listed references to confirm their legitimacy. Direct conversations can reveal more than what is written in an email.
  • Candidates who seem too qualified for the role and appear to be just what the company needs may be trying to avoid scrutiny by relying on their impressive credentials. This tactic is often used by fraudsters to speed up the hiring process.
  • A candidate’s reluctance to appear on camera during interviews is a significant red flag. While there may be legitimate reasons for this, fraudsters often avoid video interviews to conceal their true identity.
  • In today’s connected world, most people have some form of online presence. A candidate with no digital footprint, or a “digital ghost,” should be investigated further.

One crucial step in protecting against incidents such as these is the use of Multi-Factor Authentication (MFA) from the outset. By requiring new employees to verify their identity using hardware tokens sent to verified physical addresses, companies add an essential layer of security, ensuring that only the intended recipient can access company systems.

Additionally, providing new hires with pre-configured, secure devices and limiting their access to sensitive information until their identity is thoroughly verified is vital. This approach, which was instrumental in detecting the malware in KnowBe4’s case, helps mitigate the risk of malicious activity. Organizations should also adopt a zero trust approach by restricting system access for new employees until they have completed all necessary training and security checks.

Furthermore, enhancing the verification process for remote workers by shipping company devices to trusted third-party locations, such as UPS stores, where recipients must present a valid ID, can prevent bad actors from gaining physical access to sensitive hardware, with KnowBe4 activating this strategy after the breach.

“For a cybersecurity company like us to get caught with egg on our face was a big wake-up call," admitted Anna Collard, Senior Vice President of Content Strategy & Evangelist at KnowBe4 AFRICA.

"We could have kept quiet, but instead we shared our story hoping other organisations could learn from it."

More from TechRadar Pro

Efosa Udinmwen
Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com