North Korean spy successfully managed to infiltrate cybersecurity training firm using stolen credentials and a fake VPN — here's how you could avoid becoming a victim


Remote hiring, once a niche practice, has become the norm for many organizations worldwide. 

However, cybersecurity awareness training company KnowBe4 recently discovered it had inadvertently hired a North Korean spy, who managed to bypass its security measures, highlighting critical vulnerabilities in modern recruitment processes.

The deception was uncovered when the company-provided laptop immediately began downloading malware upon its first use. Fortunately, KnowBe4’s security systems detected the threat early, preventing any data compromise.

The deception uncovered: How a spy infiltrated KnowBe4

In July 2024, KnowBe4’s US branch hired “a qualified candidate” for a remote position.

Despite rigorous background checks and multiple video interviews, the individual, who was later revealed to be a North Korean spy, managed to infiltrate the company. 

The incident serves as a stark reminder that even the most security-conscious organizations must remain vigilant and continually adapt their practices to counter emerging threats.

Brian Jack, CISO at KnowBe4, told TechRadar Pro, "There was no VPN involved in our case and no stolen credentials. We don't know if the ID that they provided was stolen or like other DPRK cases used with the knowledge of the person whose real identity it was."

One of the key takeaways from KnowBe4’s experience is the importance of recognizing potential red flags during the recruitment process. Fraudsters are becoming increasingly sophisticated, using advanced techniques to create fake but believable identities. Here are some common signs that may indicate a candidate is not who they claim to be:

  • Inconsistencies in birth dates, educational backgrounds, or unexplained gaps in employment history should raise suspicion. Fraudsters may provide incomplete or misleading information to avoid detection.
  • Simple email verifications are no longer sufficient. It’s essential to conduct phone calls with listed references to confirm their legitimacy. Direct conversations can reveal more than what is written in an email.
  • Candidates who seem too qualified for the role and appear to be just what the company needs may be trying to avoid scrutiny by relying on their impressive credentials. This tactic is often used by fraudsters to speed up the hiring process.
  • A candidate’s reluctance to appear on camera during interviews is a significant red flag. While there may be legitimate reasons for this, fraudsters often avoid video interviews to conceal their true identity.
  • In today’s connected world, most people have some form of online presence. A candidate with no digital footprint, or a “digital ghost,” should be investigated further.

One crucial step in protecting against incidents such as these is the use of Multi-Factor Authentication (MFA) from the outset. By requiring new employees to verify their identity using hardware tokens sent to verified physical addresses, companies add an essential layer of security, ensuring that only the intended recipient can access company systems.

Additionally, providing new hires with pre-configured, secure devices and limiting their access to sensitive information until their identity is thoroughly verified is vital. This approach, which was instrumental in detecting the malware in KnowBe4’s case, helps mitigate the risk of malicious activity. Organizations should also adopt a zero trust approach by restricting system access for new employees until they have completed all necessary training and security checks.

Furthermore, organizations can strengthen verification for remote workers by shipping company devices to trusted third-party locations, such as UPS stores, where recipients must present a valid ID. This can prevent bad actors from gaining physical access to sensitive hardware. KnowBe4 adopted this strategy after the breach.

"For a cybersecurity company like us to get caught with egg on our face was a big wake-up call," admitted Anna Collard, Senior Vice President of Content Strategy & Evangelist at KnowBe4 AFRICA.

"We could have kept quiet, but instead we shared our story hoping other organisations could learn from it."


Efosa Udinmwen
Freelance Journalist
