Malware-Wielding Extortionists Target Tesla: 8 TakeawaysHow Many Organizations' Threat Models Feature Russian Criminals Bribing Insiders?
News that a malware-wielding gang of Russians targeted Tesla by attempting to work with an insider should have all organizations asking: What would happen if extortionists attempted to bribe one of our employees $1 million to install malicious code designed to steal corporate secrets and hold them to ransom?
Elon Musk, CEO of electric vehicle, energy storage device and solar panel manufacturer Tesla, based in Palo Alto, California, on Thursday said that Tesla was, indeed, the target of a shakedown scam revealed by the FBI (see: Elon Musk Says Tesla Saved From 'Serious' Ransom Attempt).
The FBI has charged Russian national Egor Igorevich Kriuchkov, 27, with being part of a gang that attempted to recruit a Tesla employee working at its Gigafactory near Reno, Nevada. Kriuchkov is accused of offering the employee $500,000, later raised to $1 million, to share particulars of Tesla's network to facilitate custom malware development and installation.
Here are eight takeaways from the case.
1. Revise Your Threat Model
"So who had Russian criminals paying an insider to install malware as part of your threat model?" asks Rob Joyce, the senior adviser for cybersecurity strategy to the director of the National Security Agency, via Twitter. "Be honest now."
So who had Russian criminals paying an insider to install malware as part of your threat model? Be honest now...— Rob Joyce (@RGB_Lights) August 28, 2020
The case is a reminder that criminals - as well as nation states - have a variety of tools at their disposal, including blackmailing, coercing or bribing employees.
Last November, for example, the U.S. Department of Justice charged three men with perpetrating a campaign to infiltrate Twitter and spy on critics of the Saudi government. Instead of hacking Twitter, the Saudis allegedly just paid off two insiders to glean information they could use to track, kidnap or assassinate critics (see: 'Crypto' Scammers Weren't the First to Crack Twitter).
2. Keep Insiders Happy
Tesla's relationship with its employees has not always appeared to be a happy one. Of course, not every employee who joins every company will be a fit.
In 2018, Tesla filed a lawsuit against Martin Tripp, a former process technician at the company's Gigafactory in Nevada, alleging that he "unlawfully hacked the company's confidential and trade secret information and transferred that information to third parties," and sought $1 million in damages. Tripp, however, told the BBC that he was seeking to highlight dangerous practices at the company and that he's a whistleblower whose reputation was being smeared.
The FBI's investigation into Kriuchkov, however, began after an unnamed Twitter employee, referred to in court documents as CHS1 - for "confidential human source" - reported to Tesla management that Kriuchkov had traveled to Reno in July, wined and dined the employee, then requested that he assist with a "special project."
3. Alert Law Enforcement
It's worth emphasizing that the Tesla employee felt empowered enough to go to senior management and reveal the recruitment effort. In addition, he also chose to work with the FBI after Tesla alerted it early this month.
Court documents the FBI submitted emphasize that the employee did not ask for anything in return for his cooperation. "CHS1 has not asked for and has not been offered any form of payment, including consideration regarding immigration or citizenship," according to an FBI affidavit, which says the employee was assisting the investigation "because of patriotism to the United States and a perceived obligation to victim company A," aka Tesla.
4. Gangs Target Many Victims
Tesla was allegedly not the first company to be targeted by Kriuchkov and his associates.
In a meeting recorded by the FBI, Kriuchkov allegedly told the Tesla employee when they met at a Reno restaurant on Aug. 17 that he'd already been involved in two prior shakedowns, outlining how the gang approached them.
"Kriuchkov said that victim companies usually negotiate with the group to pay less ransom money than the group initially requests, for example one company was ransomed at $6 million and ultimately paid $4 million," according to court documents. "He said only one company paid the full initial ransom," claiming that victims paid "because it is easier for the companies to pay the ransom than to fight the group."
During the course of their interactions, Kriuchkov told the employee that the Tesla malware attack had to be temporarily delayed because "the group was in the final stage of another project which was supposed to provide a large payout" that they needed to pay the employee, according to court documents.
5. The Cybercrime Ecosystem Is Alive and Well
In the bigger crime picture, security experts say this case demonstrates how proceeds paid by a victim to a crime gang - for example, in response to a ransomware attack - are then used by the crime gang to attack others, thus creating fresh victims (see: Please Don't Pay Ransoms, FBI Urges).
"This is what happens when you hand billions to ransomware groups," says Brett Callow, a threat analyst at security vendor Emsisoft. "If they can’t access a network via their usual methods, they can afford to simply buy their way in. Or try to."
6. Criminals Tap WhatsApp, Tor
Over the course of their meetings, Kriuchkov allegedly gave the employee a "burner" cellular telephone, downloaded the Tor browser onto it and then told him to use the Tor browser to open a bitcoin wallet and leave the phone in airplane mode until he received a message from "Kisa" via WhatsApp with a prearranged signal - "a smiley face emoji" - to know the plan would be moving forward.
The FBI was very particular about how the Tesla employee should attempt to receive proffered funds from the suspect, including not allowing him to set up the bitcoin wallet, but instead having the employee claim that he wanted to do it himself. "CHS1 was instructed by the FBI to prevent Kriuchkov from setting up a wallet so the FBI could set it up on behalf of CHS1, which would give the FBI access to the wallet."
7. Escrow Services Support Cybercrime
One challenge for criminals who offer to pay someone in return for services: What happens if they never provide the agreed service?
Kriuchkov allegedly told the Tesla employee that his group had never paid the insiders they co-opted upfront, saying that they instead typically used an online escrow service called "Exploit."
On cybercrime forums, escrow "describes an arrangement where, after a deal has been agreed upon, the buyer sends their funds through to a neutral third party known as a 'guarantor,'" according to security firm Digital Shadows, which says these services often take a 3% to 10% cut of the money being moved.
"Only after the buyer has confirmed that the goods or services they receive from the seller meet their expectations or the deal’s agreed conditions will the guarantor release the money to the seller," it says. "The system is designed to reduce buyers’ and sellers’ chances of falling victim to a scam and ensure that everyone gets what they were expecting."
Based on the allegations contained in the criminal complaint, Kriuchkov didn't get what he was expecting from his trip to the U.S. If convicted of the charge filed against him, he faces up to five years in prison.
8. Beware of Potential Russian Intelligence Agency Crossover
What remains to be seen is if the arrested Russian national might reach a plea deal that leads to him sharing information with the FBI in return for the possibility of a reduced sentence.
Security experts say numerous Russian crime groups have government ties or can be required to assist intelligence services in return for their overlooking criminal behavior (see: Russia's Cybercrime Rule Reminder: Never Hack Russians).
"Given that certain ransomware groups are believed to act as contractors for the Russian government - Evil Corp, for example - Kriuchkov could potentially provide some very valuable intel," says Emsisoft's Callow.
Evil Corp. is the cybercrime gang behind the infamous Dridex malware, which has been tied to attacks against hundreds of banks across 40 countries (see: Two Russians Indicted Over $100M Dridex Malware Thefts).
In December 2019, the U.S. Treasury Department said in a statement that "in addition to his involvement in financially motivated cybercrime, the group’s leader, Maksim Yakubets, also provides direct assistance to the Russian government’s malicious cyber efforts, highlighting the Russian government’s enlistment of cybercriminals for its own malicious purposes."