Insider threat report: Tesla employee thwarts $1 million bribery attempt
Tesla’s insider threat
The insider threat is alive and well, and it can still pose cybersecurity challenges that may go overlooked. One angle that gets little attention is when an outsider attempts to exert influence over an insider at a company in order to exfiltrate insider information and trade secrets such as security practices, IT systems and business practices.
Recently, this very situation arose with an employee of the next-generation auto company Tesla.
Just meeting with an old acquaintance
This tale of an insider threat and industrial espionage attempt that did not go bad begins with a Russian-speaking Tesla employee, a non-U.S. citizen, working at the Tesla Gigafactory located in Nevada. Since the identity of this Tesla employee has not been revealed to the public, we will refer to him simply as “the employee.”
On July 16, 2020, the employee was contacted on WhatsApp by a former associate known as Egor Igorevich Kriuchkov. Kriuchkov invited the employee to a seemingly benevolent meeting in Sparks, Nevada, for drinks. Between August 1 and August 3, the employee, some Tesla co-workers and Kriuchkov met up for some fun, which included a trip to Lake Tahoe, a popular recreation spot. This was supposed to be a business trip, and by all appearances it seemed like standard practice for well-paid, hard-working tech professionals looking to catch up.
Proposing a DDoS attack on Tesla
During the getaway, Kriuchkov made his intentions clear. He proposed to the employee a “special project” in which Kriuchkov and his associates would provide ransomware to the employee so he could introduce it to Tesla’s systems.
This ransomware would create a distributed denial-of-service (DDoS) attack to occupy Tesla’s security team while the ransomware exfiltrated sensitive company and network data to the attackers. This information would be held for ransom until Tesla paid up. The employee was initially offered $500,000 for his participation in this proposed DDoS attack, which was later increased to $1 million, payable in either Bitcoin or cash.
The Tesla employee’s reaction to the “special project”
Unbeknownst to Kriuchkov, the employee reported this “special project,” which was a classic industrial espionage cyberattack, to Tesla. Soon after, Tesla informed the FBI, which quickly joined the employee and Tesla to help thwart the cyberattack and make an arrest. The employee kept communicating with Kriuchkov, but with the aim of gathering information about the cybercriminal.
Among the information gathered, Kriuchkov had boasted about receiving over $4 million from a high-profile travel company. When the FBI looked into this boast, it was discovered that he was paid $4.5 million from CWT Travel.
The end of the “special project”
Another meeting between the employee and Kriuchkov took place on August 19, but this time the employee was equipped with an FBI wire. During this meeting, Kriuchkov agreed to pay $11,000 in advance to the employee. On August 21, Kriuchkov contacted the employee and informed him that the “special project” was going to be delayed and funds would not be transferred to the employee until August 22. Kriuchkov would be leaving the area.
The FBI was successful in contacting Kriuchkov during this time and they determined that the hacker was going to travel from Reno, Nevada, to Los Angeles to flee the country. Kriuchkov had told the employee that he would return to the United States on his birthday if the plan was successful. On August 22, 2020, the FBI arrested Kriuchkov in Los Angeles as he was attempting to flee the country, thereby putting an end to this insider threat.
On March 18, 2021, Kriuchkov pleaded guilty to one charge of conspiracy to intentionally damage a protected computer.
An exemplary response
This case presents us with a textbook example of how some insider threats are born. Here, Kriuchkov attempted to turn the employee into an insider threat to steal trade secrets for ransom from Tesla. This is how some insider threats are created: with the motivation of financial gain. Going deeper, this case was the result of social engineering by Kriuchkov and his associates, who used Kriuchkov’s connection as a former classmate of the employee to quickly gain his trust and increase the likelihood of his participation in the plan.
The most important thing to take away from this case is how to respond if you are approached with a proposition to become an insider threat to your organization. Keep in mind that the employee had all of the financial motivation in the world to betray the trust that Tesla had in him. In the grand scheme of things, $1 million is nothing and arguably far less valuable than the trust the employee had built up with Tesla. The employee put his safety on the line to team up with Tesla and the FBI to bring Kriuchkov to justice.
An insider threat costs organizations more than just the ransom that is paid for the return of information. For example, the cost to remediate a cyberattack similar to what Kriuchkov had planned has been estimated at between $5,000 and $10,000. When you count in the cost to the organization’s reputation and brand, and the enticement of other attack groups, the true costs to remediate a cyberattack caused by an insider threat add up fast.
Tesla’s near cyberattack a model to follow
What occurred between Kriuchkov and the employee was an example of a hacker trying to turn a Tesla employee into an insider threat to hold Tesla trade secrets for ransom. Instead of participating in the “special project,” the employee reported Kriuchkov to Tesla, and with the help of the FBI, Kriuchkov was arrested.
The case represents an example for others to follow when enticed to become an insider threat.