Throwback attack: Contractor plants Siemens logic bomb to keep income flowing

Courtesy: CFE Media

In 2014, staff at a Siemens building in Monroeville, Pennsylvania, began to experience unusual crashes in their custom automated spreadsheets. Little did they know that these would be the first of many crashes over the two years that followed.

Siemens assumed that these crashes were just bugs and glitches. That couldn’t be further from the truth.

The crashes would be identified as logic bomb attacks in 2016, after the threat actor went on vacation and left the passwords to his files in the hands of the Siemens information technology (IT) team. Once the IT team identified the malicious code, Siemens was quick to put two and two together and alert the authorities to the threat actor’s doings.

What is a logic bomb?

Logic bombs are a Trojan-style cyberattack: malicious code embedded in otherwise legitimate software that lies dormant until it is triggered, often with the aim of overwhelming a server and causing it to crash. They are coded to be triggered by actions or events determined in advance by the threat actor. They are meant to bring businesses, and even critical infrastructure (as you will soon see), to their knees.

The first-ever logic bomb was developed by the U.S. military to cripple Russian critical infrastructure during the Cold War. The U.S. had received intel that the Russians, or Soviets at the time, were stealing software and hardware from the United States. Because of this, Gus W. Weiss, a White House policy advisor, created a plan called the Deception Program, which sought to plant a logic bomb in the pieces of technology that the adversaries were stealing, with the intention of causing the technology to malfunction after a certain period of time. These pieces of technology were used to build the Soviets’ Siberian Pipeline.

In June of 1982, the pipeline exploded, causing a fire so massively violent that it could be seen from space.

Making (and breaking) the spreadsheets

David Tinley, a middle-aged software developer, was contracted by Siemens for many projects over the span of a decade, starting in 2006. Sometime during his work for Siemens, he was tasked with creating a spreadsheet that would “update the content of the file based on current orders stored in other, remote documents, allowing the company to automate inventory and order management.”

However, Tinley had other plans.

While he was creating the software for Siemens, he placed a logic bomb in the spreadsheet software and set it to overload the systems every couple of months. The idea was that Siemens would need to pay him to fix it, guaranteeing him a steady stream of business. For two years, this worked. The software would crash, Tinley would be called in and he would fix it — lather, rinse, repeat.

Everything came crashing down when Tinley made the mistake of taking a vacation. The spreadsheet crashed again and urgently needed to be fixed. Luckily for Siemens — and the opposite for Tinley — he left his password with Siemens employees, giving them everything they needed to fix the crash.

Tinley didn’t do a great job of actually concealing the logic bomb in the spreadsheet software, so the Siemens employees were able to find it fairly quickly while fixing the spreadsheet and reported it to higher-ups.

Light sentences

Shortly after the logic bomb discovery, Tinley was arrested. In the summer of 2019, Tinley finally received his sentence. He was charged with intentional damage to a protected computer and faced up to 10 years in federal prison and a $250,000 fine. His trial date was set for November of 2019.

However, like many other threat actors in history, he received a significantly lighter sentence: six months in prison, two years of supervised release and a $7,500 fine.

This means, in 2022, he is a free man again.

In a similar fashion, Kevin Poulsen, an infamous hacker from the 1980s and ’90s, faced several charges (a steep 19) for wiretapping, hacking into military bases and some “lesser” crimes, with 100 years of prison time and $5 million in restitution staring him down. He was charged only with smaller crimes like money laundering and wire fraud, and was in custody for five years before being released on probation. Poulsen was not allowed access to a computer for three years after his release. However, he is now a successful journalist who helps the government from time to time.

So why is it that hackers so frequently get let off the hook? Perhaps it is because they can provide (or easily access) valuable information that businesses can use to address vulnerabilities in their systems. Or it could be because it’s more difficult to charge threat actors with wishy-washy laws in place.

While there is no information on Tinley’s whereabouts or what he is doing now, that probably means he is leading a normal life. In this case, no news is likely good news for him.

Logic bombs have the potential to be extremely detrimental to businesses and, by extension, to society. Tinley’s logic bomb is a fairly tame example of how easy it can be for threat actors to gain access to a system and make it bend to their will. However, businesses must continue to be on the lookout for ALL potential threats by consistently monitoring their systems for unusual activity. If they don’t, they could be the next headline.
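One way to act on the monitoring advice above, as an added example that is not from the article or from Siemens: it flags systems whose failures recur on a near-regular cadence and are almost always resolved by the same party, the pattern the Tinley case followed for two years. The incident records, system and resolver names, and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed incident records (date, system, resolver); not data from the case.
INCIDENTS = [
    ("2014-05-12", "order-sheet", "contractor-a"),
    ("2014-07-14", "order-sheet", "contractor-a"),
    ("2014-09-12", "order-sheet", "contractor-a"),
    ("2014-11-13", "order-sheet", "contractor-a"),
    ("2015-01-12", "order-sheet", "contractor-a"),
    ("2014-05-20", "mail-gateway", "it-ops"),
    ("2014-06-02", "mail-gateway", "vendor-b"),
    ("2014-11-30", "mail-gateway", "it-ops"),
    ("2015-02-01", "mail-gateway", "it-ops"),
    ("2014-08-01", "badge-reader", "vendor-b"),
    ("2014-10-01", "badge-reader", "vendor-b"),
]

def suspicious_cadence(incidents, min_events=4, max_cv=0.25, min_share=0.8):
    """Flag systems that fail at near-regular intervals and are nearly
    always fixed by one party. Thresholds are illustrative assumptions."""
    by_system = defaultdict(list)
    for day, system, resolver in incidents:
        by_system[system].append((date.fromisoformat(day), resolver))
    flagged = {}
    for system, rows in by_system.items():
        if len(rows) < min_events:      # too few events to judge a cadence
            continue
        rows.sort()
        days = [d for d, _ in rows]
        gaps = [(b - a).days for a, b in zip(days, days[1:])]
        avg = mean(gaps)
        if avg == 0:                    # all incidents on one day: no cadence
            continue
        cv = pstdev(gaps) / avg         # low value = regular, timer-like spacing
        resolver, count = Counter(r for _, r in rows).most_common(1)[0]
        share = count / len(rows)
        if cv <= max_cv and share >= min_share:
            flagged[system] = {"mean_gap_days": avg, "cv": cv,
                               "resolver": resolver, "share": share}
    return flagged

if __name__ == "__main__":
    for system, info in suspicious_cadence(INCIDENTS).items():
        print(system, info)
```

A flag here is a prompt for independent code review of the affected system, not proof of sabotage; scheduled jobs and seasonal load also produce regular failures.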



