The risk of the insider as a formidable point of vulnerability

The Tesla cyberattack highlights the vulnerability that insiders (such as employees) pose to corporate data. Even if organizations have hardened their security by deploying firewalls, antivirus systems, penetration tests and malware protection, the human element remains the weakest point. That’s why many companies nowadays consider it critical to perform security scans even on the personal phones, laptops or tablets of their staff members. After all, malicious hackers have multiple approaches for breaking into a phone and will often attack personal devices that may contain valuable professional information. While it ultimately did not succeed in this instance, direct sabotage by employees is a known attack vector, and social engineering attacks mounted against an organization’s staff succeed far more often than they should. A prime example is the successful attack mounted against Twitter this July by teenagers who gained access to Twitter’s internal Slack messaging channel and hoodwinked employees into handing over credentials for Twitter’s internal network. The brazen attack then targeted the accounts of high-profile personalities in a cryptocurrency hack.
How it all went down

They say truth is sometimes stranger than fiction. This story unfolds like a film’s plot, with members of a criminal gang attempting to perpetrate a heist across geopolitical borders on a well-known target. Like all plots, this one starts with the main character: Egor Igorevich Kriuchkov, a 27-year-old Russian citizen who arrived in the United States on a tourist visa in July. He promptly made contact with a Russian-speaking Tesla employee at the company's Gigafactory. According to the information released by the FBI, Kriuchkov met with the Tesla employee, who remains anonymous in the complaint, in an apparent attempt to groom him. Kriuchkov later propositioned him to introduce malware into Tesla’s computer systems for a reported $1 million fee. Once released into Tesla's systems, the malware would gather corporate secrets and sensitive information, most likely of a proprietary nature. The plan was to use this exfiltrated data to later blackmail Tesla into paying for the stolen information. In furtherance of the crime, Kriuchkov allegedly provided the employee with a burner phone, directing him to leave it in airplane mode until after the money was transferred. Then came the plot twist: instead of succumbing to the temptation of financial crime, the vigilant employee reported the encounter to Tesla, which alerted the authorities. With the aid of the Tesla employee, who agreed to wear a wire, the FBI was able to conduct a sting operation in which it arrested Kriuchkov and obtained relevant electronic communications. The indictment claims that Kriuchkov was part of a group behind the attempt to extort millions of dollars from Tesla. Interestingly, soon after Kriuchkov’s arrest, Apple and Tesla split their stocks, causing major headaches and unrest for many traders who are now worried about their investments.
How ransomware works

Ransomware is extortion, plain and simple. The general intent behind a ransomware attack is to lock a business organization out of its computer systems by encrypting important files and data. The criminals responsible then demand a ransom before they will provide the decryption key needed to unlock the files. Even once the ransom is paid, these criminals often renege on their promise to provide the decryption key. Law enforcement therefore discourages organizations from paying these ransoms, as doing so only emboldens the criminals and helps to fund further criminal activity. This year has already seen some successful ransomware attacks, like the one in January against Communications & Power Industries (CPI), a California-based defense contractor that was held up for $500,000. The malware responsible for the CPI ransomware was introduced into the contractor’s systems through a phishing attack. A CPI user with the highest level of privileges, a domain admin, unsuspectingly clicked a malicious link while logged into the system, which triggered the file-encryption payload. Perhaps the damage could have been limited, but CPI’s domain was unsegmented, with thousands of computers sharing the same network. This allowed the malware to propagate quickly to every CPI office, even infecting its backups. According to Steve Durbin, managing director of the Information Security Forum:
Ransomware is one of the most prevalent threats to an organization’s information and is more and more profitable for criminals. An affected organization will have to face the likelihood of a double financial hit as it is forced to pay a large ransom to protect its people to resume normal operations, and then to retrospectively build in security.

To work effectively, ransomware needs unrestricted access to a target system. Hence, ransomware seeks to perpetuate itself through privilege-escalation attacks. Criminals using this tool therefore look for access to privileged entities linked to services, hosts and accounts that usually have unrestricted access, in order to ease replication and propagation through the system. That is why the recruitment of the Tesla employee was pivotal to Kriuchkov. Matt Walmsley, EMEA Director at Vectra, echoed this sentiment: “In this case, the recruitment or coercion of a Tesla insider to aid the attempted deployment of malware tools to stage their attack demonstrates the lengths ransomware groups will go to.”
Summary

Preventing the Tesla attack wasn’t the only bright spot in this ransomware saga. Though the details haven't been disclosed because the investigation is ongoing, the FBI was also able to obtain pertinent information relating to other criminal activities perpetrated by Kriuchkov’s group. Kudos to the unnamed Tesla employee, who by all indications went above and beyond the call of duty to spare Tesla the headache of a massive attack. Ransomware is nothing new, but with the proliferation and growing importance of information systems, the practice is becoming more lucrative, not to mention more harmful and vicious. While Tesla was fortunate to dodge a bullet, organizations should take the growing threat of ransomware seriously and take concrete steps to protect themselves against it.