Sometimes a cyber-attack enters your company network when an employee stumbles onto a malware-laden web page. Other times it begins when an employee falls for a phishing email or is tricked into opening a malicious file. Other times it is a brute-force attack against your network from outside. Now here is something else to worry about, a technique that may seem new but is as old as commerce itself: a dishonest employee willing to let the bad guys through your network security for cash.
The FBI announced that on August 22 it had arrested a man who offered a Tesla employee a $1 million bribe. What was the employee asked to do in return? Plant one piece of malware, ransomware, actually, onto his office computer. The story unfolds like a spy novel and holds a cautionary tale for any company's cyber-security team.
The Insider is Approached
Egor Igorevich Kriuchkov is a 27-year-old Russian citizen. According to an article on ClearanceJobs.com, Kriuchkov and his associates had inside information about which Tesla employees had access to the systems needed to plant the intended malware. They identified and contacted a non-U.S. citizen who spoke Russian and worked at Tesla's Sparks, NV facility as their inside man.
Kriuchkov's early contact with the employee, beginning in mid-July, was through WhatsApp, a messaging tool owned by Facebook that end-to-end encrypts all communications. The two, along with some of the employee's Tesla colleagues, met in Lake Tahoe from August 1 to 3. At first the contact was purely social, but on August 3 Kriuchkov asked the insider to take part in a "project."
Kriuchkov asked the insider whether he would plant malware that Kriuchkov and his associates would customize and supply. In exchange, the insider would receive $500,000. After this approach, the employee reported it to Tesla officials, who notified the FBI.
How the Malware Attack Would Work
According to the insider, this is how he was told the attack would work:
- The insider would plant the malware on the network from inside.
- Kriuchkov's associates would launch a red herring: a Distributed Denial of Service (DDoS) attack whose only purpose was to keep Tesla's cyber-security team busy.
- While the team was fighting the DDoS attack, Kriuchkov's group would use the planted malware to spread through the network.
- Sensitive corporate data would be exfiltrated, and then the network's files would be encrypted.
At that point a ransom demand for many millions of dollars would be made on the company.
How The CyberCriminals Were Captured
For his fee, the insider was also expected to supply additional inside information about Tesla so that the group's ransomware could be customized to its network. Communication ran over burner cell phones, WhatsApp, Tor and Bitcoin wallets.
Working with the FBI, the employee drew out more details about the plan and also demanded a higher payment, eventually settling on $1 million. During these conversations, Kriuchkov boasted that the group had done this several times before, and that one of their earlier insiders was still working at that company three and a half years later.
How To Defend Against Attempts To Penetrate Your Network Security
You would like to believe that a company as large and sophisticated as Tesla has a network infrastructure strong enough to withstand such an attack. The criminals evidently thought otherwise, and fortunately, Tesla never had to find out.
Would you be so lucky?
So what does all this mean for a company like yours? The first and most obvious question is whether your own employees would turn down a huge payday rather than help take down your company. Although the reporting on this story does not say so, employees carrying large debts, gambling problems, or other serious secrets would be the most vulnerable to an approach like the one Tesla's insider received. Background checks on current employees and new candidates can help here.
It is also possible that a company like yours has already been targeted by criminals who sent accomplices to apply for and take jobs there, with the express purpose of planting malware from the inside. These scenarios suggest adding thorough candidate and employee background checks to your normal cyber-security procedures.
The problem is that firewalls alone cannot protect against an inside job like this, and antivirus that relies on known signatures will not catch malware custom-built for one target, as this one was to be. Most cyber-security defenses sit in their own silo and watch only a narrow range of activity.
Threats like this are found by correlation, and that is what a SIEM (Security Information and Event Management) system is for. A SIEM collects logs from every part of your organization, every workstation, firewall, server, network appliance, access point, browser and email program, and looks at them together, so a clue in one system (an unexplained DDoS against the perimeter) can be followed into another (a never-before-seen executable and a burst of outbound traffic from a single workstation) to build a complete picture of the attack you are facing. In this plan, each of those signals alone would have looked like routine noise; together they are the attack.
Having a Security Operations Center (SOC) review the SIEM's findings and act on them makes the SIEM far more effective; a correlated alert that nobody reads stops nothing.
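To make the correlation concrete, here is an added example, not code from the original article, from Tesla, or from any SIEM product. It runs a small cross-source rule over constructed sample logs that mirror the plan described above: a DDoS alert from the firewall, followed within a window by an unsigned, first-seen executable on one workstation, followed by a large outbound transfer from that same host. Hostnames, usernames, timestamps, thresholds and the event field names are all assumptions for illustration.

```python
"""Minimal SIEM-style correlation: DDoS red herring + insider-planted binary
+ bulk egress from the same host, within one time window.

Every event below is constructed for this example; none is a real log line.
"""
from datetime import datetime, timedelta

# Constructed sample events, normalized the way a SIEM would store them.
# Three come from the 'attack' host, two are ordinary background noise.
EVENTS = [
    {"ts": "2020-08-03T09:58:00", "source": "firewall", "kind": "ddos_alert",
     "detail": "SYN flood on edge-fw-1 (assumed hostname), 420k pps"},
    {"ts": "2020-08-03T10:03:10", "source": "edr", "host": "ws-sparks-117",
     "user": "insider01", "kind": "process_start",
     "detail": "C:\\Users\\insider01\\Downloads\\update.exe (unsigned, first seen)"},
    {"ts": "2020-08-03T10:06:42", "source": "proxy", "host": "ws-sparks-117",
     "kind": "outbound_bytes", "bytes": 4_800_000_000,
     "detail": "dst 203.0.113.9:443"},
    {"ts": "2020-08-03T10:20:00", "source": "edr", "host": "ws-eng-042",
     "user": "jdoe", "kind": "process_start", "detail": "outlook.exe (signed)"},
    {"ts": "2020-08-02T14:00:00", "source": "proxy", "host": "ws-eng-042",
     "kind": "outbound_bytes", "bytes": 12_000_000,
     "detail": "dst 198.51.100.20:443"},
]

DDOS_WINDOW = timedelta(hours=2)   # assumed: stay suspicious this long after a DDoS alert
EXFIL_THRESHOLD = 1_000_000_000    # assumed: bytes out from one host worth a second look


def parse_ts(s):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(s)


def suspicious_binary(detail):
    """Crude stand-in for an EDR reputation verdict: unsigned or never seen before."""
    return "unsigned" in detail or "first seen" in detail


def correlate(events, window=DDOS_WINDOW, threshold=EXFIL_THRESHOLD):
    """Return one incident per (DDoS alert, host) pair where, inside `window`
    after the alert, the host started a suspicious binary and then sent at
    least `threshold` bytes out. Each signal alone is low priority in its own
    silo (firewall, EDR, proxy); the combination is the pattern in the plan."""
    ddos = [e for e in events if e["kind"] == "ddos_alert"]
    starts = [e for e in events if e["kind"] == "process_start"]
    egress = [e for e in events if e["kind"] == "outbound_bytes"]
    incidents = []
    for alert in ddos:
        t0 = parse_ts(alert["ts"])
        t1 = t0 + window
        for p in starts:
            tp = parse_ts(p["ts"])
            if not (t0 <= tp <= t1) or not suspicious_binary(p["detail"]):
                continue
            # Only count egress from the same host, after the binary started,
            # and still inside the DDoS window.
            sent = sum(x["bytes"] for x in egress
                       if x["host"] == p["host"] and tp <= parse_ts(x["ts"]) <= t1)
            if sent >= threshold:
                incidents.append({
                    "host": p["host"], "user": p["user"],
                    "ddos_alert": alert["ts"], "process": p["detail"],
                    "bytes_out": sent,
                })
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print("CORRELATED INCIDENT:", inc)
```

Run against the sample data, the rule raises exactly one incident, for ws-sparks-117 / insider01, and stays silent for the signed Outlook process and the modest transfer from the other workstation. Drop the firewall's DDoS alert and the same endpoint and proxy events produce nothing, which is the point: the decoy only works against defenses that never see the three logs side by side.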
What Should You Do Now?
As you can see, attacks designed to penetrate your network security grow more sophisticated every day. If your cyber-security program is not built to withstand these modern, elaborately planned and patient attacks, you may find yourself on the losing side of a ransomware attack, and that would not be good for you, your company, your employees, your vendors or your customers. Let Digital Uppercut help prevent that. Call us at 818-913-1335 or contact us online to set up an initial conversation and a preliminary risk assessment. Keeping your company safe is our business. Let's talk.