It has been said that anything is for sale for the right price, and that includes your most trusted employees. Bribes can turn trusted employees into malicious insiders who secretly help launch a ransomware attack against your organization. This insider threat is every bit as dangerous as an external cyberattack.
The Department of Justice recently announced that charges have been filed in a high-dollar bribery case involving ransomware operators. The target was Tesla Motors and its Gigafactory in Sparks, Nevada. The court documents in this case lay out a story of money, deceit and the opportunity for revenge. This incident expresses dire warnings for every company around the world.
How did it start?
According to the court documents, on July 16, 2020, a Russian national, Egor Igorevich Kriuchkov, used WhatsApp to send a message to an employee at Tesla’s Gigafactory. Kriuchkov asked if the employee would host him during a visit to the U.S. The two had a mutual acquaintance, and the connection was there. The employee was willing to have the Russian man visit, and Kriuchkov flew from Russia to the United States on July 28, 2020, using his Russian passport and a tourist visa to enter the U.S.
He arrived in Nevada and met with the employee several times. During early August 2020, Kriuchkov even drove the employee and his friends up to Lake Tahoe and paid for all their expenses. When a criminal or hacker is gathering intelligence, they will often spend large sums of money while trying to recruit someone to help them with their crime.
The plan progresses
Kriuchkov has established a rapport with the employee. On Aug. 3, Kriuchkov asks the employee if he will help with a “special project” he is trying to coordinate. He tells the employee he will do the following:
- He will provide the employee with malware to surreptitiously transmit into the Gigafactory computer system.
- This will kick off a distributed denial of service (DDoS) attack to divert attention from the malware.
- The malware will allow Kriuchkov and his team to extract data from the Gigafactory network.
- Once the data is extracted, Kriuchkov will extort the Gigafactory for a substantial payment.
- Both Kriuchkov and the employee will then be compensated.
Kriuchkov and his cybercrime group agreed to pay the employee $1,000,000 for inside help to carry out the ransomware attack. Tesla and their Gigafactory were very lucky though. The employee decided that he couldn’t be bought. They contacted the FBI, and a plan was put in place to catch Kriuchkov red-handed.
The employee set up a meeting with Kriuchkov at a gas station in Reno, Nevada, while the FBI watched and listened to their meeting. The employee Kriuchkov was trying to bribe got Kriuchkov to go into detail about how the attack would go down. Kriuchkov described the malware attack as he did before, adding that the first part of the attack would be successful for the ‘group,’ but the Gigafactory security officers would think the attack had failed.
Kriuchkov went on to explain to the employee that this was not the first time he and his hacker group had done this. They had a history going back three years of successfully pulling off this scam, and none of the people employed by those companies lost their jobs. Kriuchkov said his technical staff would ensure the malware could not be traced back to the employee. Kriuchkov went on to tell the employee that they would get away with the attack, and as an extra added benefit, his technical staff could arrange for the attack to be attributed to another employee, if the employee wanted to see an enemy at work fired.
The employee had another meeting with Kriuchkov on Aug. 17, 2020, at a Reno restaurant. At this meeting, Kriuchkov told the employee, while the FBI was listening, that victim companies usually negotiate with the group to pay less ransom money than they initially request. For example, one company was blackmailed with a ransom amount of $6 million and ultimately paid $4 million. He said only one company paid the full initial ransom amount requested. The hacking group believed the data the employee would steal could be worth a $4 million in ransom from the company.
Despite this, the group was second-guessing its promise of a down payment to the employee. Kriuchkov said the group had never provided an advance payment to cooptees and was not comfortable giving money up front to the employee, but that the money would be put in escrow. Kriuchkov went on to say that once the employee collected some files and information about the network, the hacker group would design custom malware for the attack.
On Aug. 21, the employee met with Kriuchkov again. During this meeting, the employee was given a burner cellphone and told to leave it in airplane mode. Once the employee received a Bitcoin down payment, he was told to enable connectivity and communicate with the group to help with the attack. That was the final meeting, and the arrests started. On Aug. 22, the FBI moved in and arrested 27-year-old Egor Kriuchkov in Los Angeles as he was attempting to return to Russia.
What you need to know about insider threat
Insider threat is not viewed as seriously as external threats like a cyberattack. However, when companies have insider threats, they are generally much more costly than external incidents. The cost of an insider threat can be extremely high because the insider often has the right skills to hide the crime, sometimes forever.
If Kriuchkov is telling the truth, this means at least some of the recent surge in ransomware attacks may be linked to employees who are helping cybercriminals. This case should raise a lot of questions for any company.
- Does your company have an insider threat management program that can help mitigate an attack facilitated by one of your own employees?
- Do you know the signs or red flags that can tip you off to an impending internal attack?
- What if rogue employees are helping carry out ransomware attacks and still working within the organization they helped attack?
- If your company was hit with ransomware, was it preceded by a DDoS or some other cyberattack?