By Bruce Sussman
Wed | Aug 26, 2020 | 3:45 AM PDT

The U.S. Department of Justice just unsealed charges in a bombshell case involving Tesla that everyone in the corporate world should read.

Court documents are taking us inside an FBI cyber sting that reveals high-dollar bribery efforts by ransomware operators.

These bribes can turn trusted employees into malicious insiders who secretly help launch a ransomware attack against your organization.

The cybercriminals targeted Tesla through an employee who works at its Gigafactory in Sparks, Nevada.

As of publication, CEO Elon Musk has said little, except thanking Tesla fans for their support.


However, we do know an incredible number of details about this attack because of the newly released court documents.

The case reads like a John Grisham novel: the money, the deceit, the opportunity for revenge—it is all here. But in this case, it is real, with real lessons for information security professionals.

Genesis: how the ransomware attack effort began

According to the U.S. DOJ, this ransomware scheme bubbled to the surface on July 16, 2020.

Prosecutors say this is when Russian national Egor Igorevich Kriuchkov used WhatsApp to send a message to someone in the United States. The message was not just to a random person, of course, but rather a specific target: an employee at a company Kriuchkov wanted to attack.

According to the DOJ, Kriuchkov and his "group" are ransomware operators. They launch ransomware attacks against companies, steal the data, and then threaten to publish the information unless a massive ransom is paid.

It's a 2020 twist on a type of cybercrime that used to simply encrypt, or lock up, data during an attack. Backups made it too easy not to pay, so now, sophisticated ransomware operators steal the data, as well. And surprise, surprise, more organizations are deciding to pay.

As it turns out, this ransomware operator likes bribing insiders to help launch an attack against their own employer.

Now, more details in the case. Prosecutors say Kriuchkov identified his next ransomware victim (an organization we now know was Tesla) and messaged one of its employees in Nevada, asking if the employee would host him during a visit to the U.S.

The two of them had a mutual acquaintance, so the connection was there. The employee said he was willing to have the Russian man visit, and Kriuchkov flew from Russia to the United States on July 28, 2020, using his Russian passport and a tourist visa to enter the U.S.

He then rented a Toyota Corolla in San Francisco, bought a cell phone, and drove to Reno, Nevada, to meet repeatedly with the employee—the employee he had messaged on WhatsApp, the employee who worked at the next corporation being targeted by ransomware. At Tesla.

During early August 2020, Kriuchkov even drove the employee and his friends up to Lake Tahoe and paid for all their expenses. FBI Special Agent Michael Hughes, who investigated the case, says it appears Kriuchkov was grooming his mark:

"Through my training and experience I know individuals involved in intelligence collection and/or criminal activity often spend extravagantly on individuals they are attempting to recruit and/or co-opt for participation in criminal activity."

And that is what unfolded next.

Ransomware operator tries to recruit employee as insider threat

So now, the suspect in this case, Egor Kriuchkov, has established a rapport with an employee at a company that his group wants to launch a ransomware attack against.

The employee, the mark, doesn't know this yet. But according to court documents, he finds out on August 3. Kriuchkov asks the employee if he will help with a "special project" he and his group are trying to coordinate. The FBI explains what he means:

  • The co-conspirators would provide the employee with malware to surreptitiously transmit into Victim Company A's (the target) computer system.
  • The co-conspirators would engage in a Distributed Denial of Service (DDoS) attack to divert attention from the malware.
  • The malware would allow the conspirators to extract data from Victim Company A's network.
  • Once the data was extracted, the conspirators would extort Victim Company A for a substantial payment.
  • Both Kriuchkov and the employee would be compensated.

And this is not a $1,000 job. Eventually, Kriuchkov and his cybercrime group agreed to pay the employee $1 million for inside help to carry out the ransomware attack.

What this ransomware gang did not know is that the employee in this case, the mark for the ransomware gang, reached out to his employer and the FBI. And that set the stage for an FBI sting operation.

FBI sting catches cybercriminals in the planning stages

If you're in information security, governance and risk, or corporate leadership, you're already getting a picture of how far a cybercrime gang will go to get inside your network through an insider. It is a chilling thought.

And as we're about to see, the FBI cyber sting also revealed the techniques of the ransomware operators themselves.

The sting took place at a gas station in Reno, Nevada, as investigating agents watched, recorded, and photographed the meeting.

Just like you see in detective shows, the employee Kriuchkov's group was trying to bribe got Kriuchkov talking, in detail, about how the attack would go down. From the court documents:

"Kriuchkov described the malware attack as he did before, adding that the first part of the [DDoS] attack would be successful for the 'group' but the Victim Company's security officers would think the attack had failed."

Wow. If your organization has been attacked by ransomware, did you have a cyberattack leading up to it that you seemingly stopped? It could have been just a distraction to hide the real attack.

The FBI sting continues.

Agents are listening to the discussion between Kriuchkov and the employee he tried to turn into a cybercriminal. The employee is listed here as CHS1 (confidential human source 1):

"KRIUCHKOV again listed prior companies the 'group' had targeted. KRIUCHKOV stated each of these targeted companies had a person working at those companies who installed malware on behalf of the 'group.' To ease CHS1's concerns about getting caught, KRIUCHKOV claimed the oldest 'project' the 'group' had worked on took place three and a half years ago and the 'group's' co-optee still worked for the company. KRIUCHKOV also told CHS1 the 'group' had technical staff who would ensure the malware could not be traced back to CHS1."

If Kriuchkov is telling the truth, that means at least some of the recent surge in ransomware attacks may be linked to employees who are helping cybercriminals carry out ransomware attacks.

It brings to mind the AT&T Wireless insider threat case, which SecureWorld News covered, where employees took bribes. And it makes us think of an interview we did last year with Dr. Larry Ponemon, one of the world's leading IT and IT security researchers.

"Insider threats are not viewed as seriously as external threats, like a cyber attack. But when companies had an insider threat, in general, they were much more costly than external incidents.

The cost of the insider threat can be very high, because the insider that is smart often has the right skills to hide the crime, sometimes forever."

What if rogue employees are helping carry out ransomware attacks and still working at the organization they helped attack?

Now, let's go back to the FBI sting.

Egor Kriuchkov tells his mark (CHS1) he can attack his company and get away with it and he can also get revenge against someone else if he would like to:

"KRIUCHKOV also told CHS1 the 'group' had technical staff who would ensure the malware could not be traced back to CHS1. In fact, KRIUCHKOV claimed the group could attribute the attack to another person at Victim Company A, should there be someone in mind CHS1 wants to teach a lesson."

During the meeting, the FBI says, Kriuchkov agreed again to the $1 million payout for the employee's help, which included an up-front down payment of $50,000.

FBI cyber sting part 2: how much money are cybercrime gangs making?

The informant in this case, the employee Kriuchkov was trying to bribe, had another meeting with Kriuchkov on August 17, 2020, at a Reno restaurant. The FBI was watching and listening to this meeting, as well.

And it appears to answer a question about ransomware attacks: how much are organizations willing to pay to either get their data returned or have it destroyed instead of published?

Much more, it turns out, than the million dollar bribe required for the crime. From the court documents:

"KRIUCHKOV said that victim companies usually negotiate with the group to pay less ransom money than the group initially requests, for example one company was ransomed at US $6 million and ultimately paid US $4 million. He said only one company paid the full initial ransom."

And the hacking group believed the data the employee would steal could fetch a $4 million ransom from the company. Despite this, the group was second-guessing its promise of a down payment to the employee:

"KRIUCHKOV stated the group has never provided an advance payment to co-optees and was not comfortable giving money upfront to CHS1."

But there was a workaround: a criminal escrow account.

"KRIUCHKOV said that the group had previously used a program called 'Exploit' for an online escrow arrangement."

What would the employee have to do for the ransomware operators to get his full payment? Court documents say it involved the following:

  • Download all the files requested by the cybercriminals.
  • Plan on an entire shift of downloads, taking 6 to 8 hours.
  • Share details of the company network so custom malware can be developed for the attack, which was costing the group six figures.
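The plan the affidavit describes, both in the "special project" bullets above and in this list of the insider's tasks (malware planted by an employee, a DDoS as cover, a full 6-to-8-hour shift of downloads), suggests a simple correlation a defender can run. The following is an added example, not from the article or the court documents: it takes constructed file-share access logs and a constructed DDoS alert window and flags accounts whose download volume inside that window is far above their normal baseline and spans a shift-length period. The user names, log format, baselines and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-share access log (not real data): "timestamp,user,bytes".
FILE_EVENTS = """\
2020-08-20T09:05:00,alice,120000
2020-08-20T09:40:00,alice,80000
2020-08-20T10:10:00,bob,5000000
2020-08-20T11:30:00,bob,6000000
2020-08-20T13:00:00,bob,7000000
2020-08-20T15:45:00,bob,6500000
2020-08-20T17:20:00,bob,4000000
2020-08-20T14:00:00,carol,300000
"""
# Constructed DDoS alert window reported by the network team for the same day.
DDOS_WINDOW = (datetime(2020, 8, 20, 10, 0), datetime(2020, 8, 20, 18, 0))
# Assumed per-user baseline: typical bytes each account pulls in a normal day.
BASELINE_BYTES = {"alice": 200_000, "bob": 250_000, "carol": 300_000}


def parse_events(text):
    """Parse the CSV-style log into (timestamp, user, bytes) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, nbytes = line.split(",")
        events.append((datetime.fromisoformat(ts), user, int(nbytes)))
    return events


def flag_insider_bulk_access(events, window, baseline, multiple=10, min_hours=6):
    """Return {user: {"bytes", "span_hours"}} for accounts that, inside the DDoS
    window, moved more than `multiple` times their baseline AND kept pulling
    files for at least `min_hours` (the shift-length pattern described above)."""
    start, end = window
    per_user = defaultdict(list)
    for ts, user, nbytes in events:
        if start <= ts <= end:  # only activity that overlaps the DDoS cover
            per_user[user].append((ts, nbytes))
    flagged = {}
    for user, rows in per_user.items():
        total = sum(b for _, b in rows)
        span = max(t for t, _ in rows) - min(t for t, _ in rows)
        if total > baseline.get(user, 0) * multiple and span >= timedelta(hours=min_hours):
            flagged[user] = {"bytes": total, "span_hours": span.total_seconds() / 3600}
    return flagged


if __name__ == "__main__":
    for user, info in flag_insider_bulk_access(parse_events(FILE_EVENTS), DDOS_WINDOW, BASELINE_BYTES).items():
        print(f"REVIEW {user}: {info['bytes']} bytes over {info['span_hours']:.1f} h during DDoS window")
```

Only `bob` trips both conditions here; `alice` is active before the window opens and `carol` makes a single normal-sized pull, which is the point of requiring volume and duration together rather than either alone.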

And during this conversation, more details of the cybercrime group emerged:

"CHS1 stated KRIUCHKOV also mentioned another member of the group (not by name) who is a hacker and a high level employee of a government bank in Russia. CHS1 said this group member specializes in encryption and works to ensure the malware cannot be traced back to CHS1 after CHS1 installs it in the network. KRIUCHKOV said the group would be expecting to get US $4 million dollars from Victim Company A.

CHS1 reported that KRIUCHKOV said the group had to pay US $250,000 for the malware, which would be written specifically for targeting Victim Company A's computer network. CHS1 reported KRIUCHKOV said after CHS1 and the group come to an agreement it would take ten to twelve days for the group to prepare the malware because it would be designed for Victim Company A's network."

Custom malware for a single attack? Teams that can manipulate attack attribution? Escrow accounts to ensure financial promises are kept?

This is starting to sound a lot like the enterprise business model of cybercrime, which you can hear more about in a recent SecureWorld podcast featuring a U.S. Secret Service cybercrime investigator.

In this attempted attack on Tesla, the FBI also learned the group communicated through the anonymizing Tor browser and the Jabber chat system.

Next, more meetings occurred between Kriuchkov and the employee he wanted to bribe. The employee stalled and the FBI recorded. This included a meeting on August 21.

This is when the FBI says Kriuchkov gave the employee a burner phone and instructed him to leave it in airplane mode. Once the employee received a Bitcoin down payment, he was told to enable connectivity and communicate with the group to help with the attack.

That was the final meeting; the FBI sting was over.

Suspect arrested in ransomware investigation

On August 22, the FBI moved in and arrested 27-year-old Egor Kriuchkov in Los Angeles as he was attempting to return to Russia. The suspect, a citizen of Russia, is now being held until his trial sometime in the future.

Not surprisingly, he had made some operational security slip-ups that helped the FBI track his movements. He used his Mastercard to pay for a hotel room through Booking.com. He rented that Toyota Corolla through Hertz.

And remember that Lake Tahoe "grooming" trip? There was a beautiful sunset that night, and after resisting at first, he reluctantly agreed to be in a photo with the employee he was trying to turn into an insider threat.

Now all of these things will be used in the case against him.

FBI ransomware sting conclusions

For those in cybersecurity, there are certainly things to ponder as a result of this investigation.

It is a chance to look outward at a sophisticated cybercrime operation and how far these groups will go to make their millions.

It is also a chance to look inward: does your organization have an insider threat management program that can help prevent or mitigate an attack facilitated by one of your own employees?

And here's a final question we were wondering about; perhaps you are, as well: why did the Tesla employee who could have made a million dollars help the FBI and thwart the attack, instead?

Based on the court documents, it sounds like the employee is not a U.S. citizen but is a big fan of the USA. Here is a footnote from the court documents regarding Confidential Human Source 1 (CHS1):

"CHS1 is cooperating with the FBI because of patriotism to the United States and a perceived obligation to Victim Company A. CHS1 has not asked for and has not been offered any form of payment, including consideration regarding immigration or citizenship."

Perhaps someone, somewhere, will help change that as a thank you for preventing a multi-million dollar cyberattack and helping to reveal the inner workings of these schemes.

Want more details? Read the U.S. District Court ransomware insider threat probable cause affidavit.
