Ex-Cisco Engineer Pleads Guilty in Insider Threat Case
Sudhish Kasaba Ramesh Caused $1.4 Million in Damages to Former Employer
A former Cisco engineer has pleaded guilty to causing $1.4 million in damages to his former employer by deleting hundreds of virtual machines, which disrupted nearly 16,000 WebEx customer accounts for weeks, according to the U.S. Justice Department.
Sudhish Kasaba Ramesh, 30, pleaded guilty to one charge of intentionally accessing a protected computer without authorization and recklessly causing damage, according to the U.S. Attorney's Office for the Northern District of California, which is overseeing the case.
Under Justice Department guidelines, Ramesh could face up to five years in federal prison and a $250,000 fine, although his sentence is likely to be lower after pleading guilty. He remains free on $50,000 bond, according to the Justice Department. Ramesh's sentencing is scheduled for Dec. 9.
While no customer data was damaged or compromised during the incident, the Justice Department estimates that Ramesh caused about $1.4 million worth of damage to Cisco's internal systems and other expenses, including the time employees needed to restore the WebEx accounts and virtual machines. In addition, the networking giant was forced to refund $1 million to customers whose accounts had been affected.
While the criminal charge against Ramesh was brought in July, the incident that led to the damage of the virtual machines and the WebEx accounts took place in September 2018.
In April 2018, Ramesh resigned from his position at Cisco for unstated reasons, according to the Justice Department. Federal prosecutors allege that sometime after he left, Ramesh accessed Cisco's internal cloud infrastructure, which was hosted on Amazon Web Services.
During this time, Ramesh deployed malicious code from his own Google Cloud Platform account, which then deleted 456 virtual machines used to support Cisco's WebEx applications that provide video conference and collaboration tools to customers, according to the Justice Department.
The wiping of these virtual machines affected about 16,000 WebEx accounts over the course of two weeks, which forced Cisco to restore part of its cloud infrastructure and then refund customers, according to federal prosecutors.
"[Ramesh] further admitted that he acted recklessly in deploying the code and consciously disregarded the substantial risk that his conduct could harm Cisco," the Justice Department notes.
After assessing the damage, Cisco contacted the FBI, which started a criminal investigation, a company spokesperson says.
"Cisco addressed the issue in September 2018 as quickly as possible, ensured no customer information was compromised and implemented additional safeguards," the spokesperson tells Information Security Media Group. "We brought this issue directly to law enforcement and appreciate their partnership in bringing this person to justice. We are confident processes are in place to prevent a recurrence."
The court documents in the case do not mention how Ramesh maintained his access to Cisco's cloud infrastructure after he left or what led the FBI to press criminal charges. The guilty plea agreement remains under seal.
Ramesh is currently employed with another company as an engineer, according to court documents.
Cause for Concern
In the 2020 Verizon Data Breach Investigations Report released in May, analysts found that insider threats now account for about 30% of breaches and security incidents (see: Verizon: Breaches Targeting Cloud-Based Data Doubled in 2019).
"Admittedly, there is a distinct rise in internal actors in the data set these past few years, but that is more likely to be an artifact of increased reporting of internal errors rather than evidence of actual malice from internal actors," according to the Verizon report.
Rick Holland, CISO at security firm Digital Shadows, notes that before the COVID-19 pandemic, spotting malicious insider behavior might have been easier, but now, with so many employees working remotely, finding these types of threats is more difficult.
"Organizations need to conduct an insider threat risk assessment on their critical business functions that could be leveraged by an insider to conduct fraud," Holland tells ISMG. "In the pre-pandemic world, identifying shadow IT was easier. Outbound web traffic would often be used to identify services procured outside of the IT department. Now that traffic is being routed through ISPs, organizations should work with accounting departments to identify shadow IT expenses. Once identified, these services and applications should be incorporated into single sign-on solutions with multifactor authentication enabled."