It has been said that anything is for sale for the right price, and that includes your most trusted employees. A bribe can turn a trusted employee into a malicious insider who secretly helps launch a ransomware attack against your organization.
The Department of Justice recently announced that charges have been filed in a high-dollar bribery case involving ransomware operators. The target was Tesla Motors and its Gigafactory in Sparks, Nevada. The court documents in this case lay out a story of money, deceit, and the opportunity for revenge. This incident carries dire warnings for every company around the world.
How did it start?
According to the court documents, on July 16, 2020, a Russian national, Egor Igorevich Kriuchkov, used WhatsApp to send a message to an employee at Tesla's Gigafactory. Kriuchkov asked if the employee would host him during a visit to the U.S. The two had a mutual acquaintance, which gave Kriuchkov his introduction. The employee was willing to have the Russian man visit, and Kriuchkov flew from Russia to the United States on July 28, 2020, using his Russian passport and a tourist visa to enter the U.S.
He arrived in Nevada and met with the employee several times. In early August 2020, Kriuchkov even drove the employee and his friends up to Lake Tahoe and paid for all their expenses. When a criminal or hacker is gathering intelligence, they will often spend large sums of money trying to recruit someone to help them with their crime.
The plan then progresses
Kriuchkov had now established a rapport with the employee. On August 3, he asked the employee to help with a "special project" he was trying to coordinate. He told the employee the plan would work as follows:
- He would provide the employee with malware to surreptitiously transmit into the Gigafactory computer system.
- This would kick off a Distributed Denial of Service (DDoS) attack to divert attention from the malware.
- The malware would allow Kriuchkov and his team to extract data from the Gigafactory network.
- Once the data was extracted, Kriuchkov would extort the Gigafactory for a substantial payment.
- Both Kriuchkov and the employee would then be compensated.
Kriuchkov and his cybercrime group agreed to pay the employee $1,000,000 for inside help to carry out the ransomware attack. Tesla and its Gigafactory were very lucky, though. The employee decided that he couldn't be bought. He contacted the FBI, and a plan was put in place to catch Kriuchkov red-handed.
The Takedown
The employee set up a meeting with Kriuchkov at a gas station in Reno, Nevada, while the FBI watched and listened. The employee got Kriuchkov to go into detail about how the attack would unfold. Kriuchkov described the malware attack as he had before, adding that the first part of the attack would succeed for the "group" while the Gigafactory security officers would think the attack had failed.
Kriuchkov went on to explain to the employee that this was not the first time he and his hacker group had done this. They had a three-year history of successfully pulling off this scam, and none of the people they had recruited at those companies had lost their jobs. Kriuchkov said that his technical staff would ensure the malware could not be traced back to the employee. He added that they would get away with the attack and, as an added benefit, his technical staff could arrange for the attack to be attributed to another employee if the employee wanted to see an enemy at work fired.
The employee had another meeting with Kriuchkov on August 17, 2020, at a Reno restaurant. At this meeting, while the FBI listened, Kriuchkov told the employee that victim companies usually negotiate with the group to pay less ransom than initially demanded. For example, one company was blackmailed for $6 million and ultimately paid $4 million. He said only one company had paid the full initial ransom amount. The hacking group believed the data the employee would steal could be worth $4 million in ransom from the company.
Despite this, the group was second-guessing its promise of a down payment to the employee. Kriuchkov said that the group had never provided an advance payment to co-optees and was not comfortable giving money upfront to the employee, but that the money would be put in escrow. Kriuchkov went on to say that once the employee collected some files and information about the network, the hacker group would design custom malware for the attack.
On August 21, the employee met with Kriuchkov again. During this meeting the employee was given a burner cellphone and told to leave it in airplane mode. Once the employee received a Bitcoin down payment, he was to enable connectivity and communicate with the group to help with the attack. That was the final meeting, and the arrests followed. On August 22, the FBI moved in and arrested 27-year-old Egor Kriuchkov in Los Angeles as he was attempting to return to Russia.
What you need to know
Insider threats are not viewed as seriously as external threats such as a cyberattack. However, when companies suffer an insider incident, it is generally far more costly than an external one. The cost of an insider threat can be extremely high because the insider often has the skills and access needed to hide the crime, sometimes forever.
If Kriuchkov is telling the truth, this means at least some of the recent surge in ransomware attacks may be linked to employees who are helping cybercriminals carry out ransomware attacks. This case should raise a lot of questions for any company.
- Does your company have an insider threat management program that can help mitigate an attack facilitated by one of your own employees?
- Do you know the signs or red flags that can tip you off to an impending internal attack?
- What if rogue employees are helping carry out ransomware attacks and still working within the organization they helped attack?
- If your company was hit with ransomware, was it preceded by a Distributed Denial of Service (DDoS) or some other cyberattack?
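The plan Kriuchkov described pairs a DDoS with data theft: the flood draws the security team's attention while files leave the network. One concrete way for defenders to answer the last question above is to correlate DDoS alerts with outbound transfer volume per internal host. The script below is an added illustration written for this article, not code from Tesla, the FBI or Velta Technology; the log records, the DDoS alert, the host names, the 203.0.113.45 destination and the thresholds are all constructed for the example.

```python
"""Correlate a DDoS alert window with outbound data transfers from internal hosts.

Constructed example (not from the court documents or any vendor): the scheme in
the article uses a DDoS to divert attention while data is pulled out of the
network. This check looks for that pairing: hosts whose egress volume during the
DDoS window is far above what they moved in the quiet period just before it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress records: (timestamp, internal host, destination, bytes sent).
EGRESS_LOG = [
    ("2020-08-03T09:00:00", "eng-ws-17", "sharepoint.internal", 8_000_000),
    ("2020-08-03T09:30:00", "eng-ws-17", "sharepoint.internal", 7_500_000),
    ("2020-08-03T09:45:00", "eng-ws-22", "git.internal", 2_000_000),
    ("2020-08-03T10:05:00", "eng-ws-17", "203.0.113.45", 900_000_000),    # during DDoS
    ("2020-08-03T10:20:00", "eng-ws-17", "203.0.113.45", 1_100_000_000),  # during DDoS
    ("2020-08-03T10:10:00", "eng-ws-22", "git.internal", 2_500_000),      # during DDoS, normal
]

# Constructed alert from a DDoS mitigation appliance: (start time, duration in minutes).
DDOS_ALERTS = [("2020-08-03T10:00:00", 45)]


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def egress_by_host(log, start: datetime, end: datetime) -> dict:
    """Sum bytes per host for records with start <= timestamp < end."""
    totals = defaultdict(int)
    for ts, host, _dst, nbytes in log:
        if start <= parse(ts) < end:
            totals[host] += nbytes
    return totals


def flag_exfil_during_ddos(log, alerts, baseline_minutes=60, ratio=10.0,
                           floor_bytes=100_000_000) -> dict:
    """Return {host: (baseline_bytes, window_bytes)} for hosts whose per-minute
    egress during a DDoS window exceeds `ratio` times their per-minute egress in
    the `baseline_minutes` before the alert, and whose window total is at least
    `floor_bytes` (the floor keeps idle hosts with tiny baselines from firing)."""
    flagged = {}
    for alert_ts, duration in alerts:
        start = parse(alert_ts)
        end = start + timedelta(minutes=duration)
        baseline = egress_by_host(log, start - timedelta(minutes=baseline_minutes), start)
        window = egress_by_host(log, start, end)
        for host, wbytes in window.items():
            base_rate = baseline.get(host, 0) / baseline_minutes
            win_rate = wbytes / duration
            # max(..., 1) avoids dividing a host with no baseline traffic down to zero.
            if wbytes >= floor_bytes and win_rate > ratio * max(base_rate, 1):
                flagged[host] = (baseline.get(host, 0), wbytes)
    return flagged


if __name__ == "__main__":
    for host, (before, during) in flag_exfil_during_ddos(EGRESS_LOG, DDOS_ALERTS).items():
        print(f"{host}: {before:,} bytes in the hour before the DDoS, "
              f"{during:,} bytes during it - review this host")
```

In the constructed data, eng-ws-17 moved about 15 MB in the hour before the alert and 2 GB to an external address during the 45-minute flood, so it is flagged; eng-ws-22 kept its normal pattern and is not. The thresholds are starting points to tune against your own traffic, and the same correlation can be driven from firewall, proxy or NetFlow exports rather than the inline list used here.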
What you can do
The cybersecurity teams at Velta Technology are experts at securing and helping protect organizations from a cyberattack. We know how to put measures in place that can prevent serious, costly and disruptive attacks to your critical infrastructure, proprietary data and operational technology.