Do your employees have a price?
Is there a point where your staff would knowingly compromise your organization's computer network and abuse their credentials to help cybercriminals?
AT&T Wireless can certainly answer that question for you: yes.
This is the story of "activated" insider threats at AT&T Wireless, revealed in court documents just reviewed by SecureWorld. It is one of the most egregious cases of insider threats we've ever seen.
And it is also a critical reminder for cybersecurity and IT teams of how damaging insider threats can be.
Insider threat arrest reveals what employees will do for money
The AT&T Wireless call center in Bothell, Washington, would be easy to miss if you didn't know what to look for in the Seattle suburb.
But 34-year-old Muhammad Fahd found it, even though he was half a world away.
Fahd was arrested in Hong Kong and extradited to the United States in early August.
Prosecutors say he was one of the masterminds behind bribing AT&T Wireless employees to install both malware and hardware in this Washington call center.
These efforts allegedly gave Fahd and other cybercriminals years of unauthorized access to AT&T's network so they could carry out their scheme.
And several call center employees also knowingly shared their login credentials with the cybercriminals.
Why would employees (plural) do such a thing? Money.
The U.S. Department of Justice says the call center employee who made the most was paid "$428,500 over the five-year scheme."
And in total, the indictment reveals Fahd and another co-conspirator paid AT&T Wireless employees more than $1 million in bribes.
There was so much money being sent from overseas that some employees even set up shell corporations just to accept the payments without raising red flags.
It's amazing what employees were willing to do for that kind of cash. Or, maybe it's not.
What did insider threat employees do for cybercriminals?
The Department of Justice indictment could be a movie script. And for cybersecurity and business leaders, it may create chills.
Here are three key things that rogue AT&T Wireless employees did for Muhammad Fahd and others.
1. Employees installed malware
"... bribed insiders to plant malware on AT&T's internal protected computers for the purpose of gathering confidential and proprietary information on how AT&T's computer network and software applications functioned."
2. Employees installed access points
"... bribed insiders to use their access to AT&T's physical work space to install unauthorized computer hardware devices, including wireless access points designed to provide the conspiracy with unauthorized access to AT&T's internal protected computers...."
3. Employees installed new variants of malware
"Once the malware was perfected, Muhammad Fahd instructed the insiders to plant the unlocking malware on AT&T's internal protected computers and to run unlocking malware while they were at work. The unlocking malware used valid AT&T network credentials that belonged to co-conspirators and others...."
What, exactly, was this unlocking malware all about? As it turns out, it was the point of this entire scheme.
Insiders help cybercriminals unlock millions of phones
You probably know that mobile phones are expensive. They are, after all, a computer in your pocket.
Still, you often see ads for cheap phones if you sign up for service with a certain wireless carrier. The carrier subsidizes the cost of the phone upfront and then makes its money back from you during the full term of the contract.
Typically, that phone is "locked," which means it will only work on that carrier's network. This leads to endless posts and YouTube videos on how to "jailbreak" your phone, and the like.
And there is a huge market for phones that are "unlocked" or "jailbroken" that you can take to any wireless carrier. That's the main selling point of many phones being sold on eBay or other online auction sites.
Court documents say this unlocked phone market was what Fahd and his co-conspirators took advantage of.
"During the course of the conspiracy, the conspirators caused more than 2,000,000 cellular telephones fraudulently to be unlocked by AT&T through the AT&T insiders' submission of fraudulent unlocking requests and through the conspirators' use of malware and hardware installed on AT&T's systems by the AT&T insiders to conduct unauthorized unlocks."
Millions of subsidized phones were able to leave AT&T's network before the company recouped its upfront costs.
Surprise twist: AT&T catches insider threats
According to the indictment, this scheme began in 2012, and about a year later AT&T caught on.
"In or about October 2013, AT&T discovered the unlocking malware and identified several insiders who were operating the unlocking malware at Muhammad Fahd's direction. Those insiders subsequently left AT&T after being approached by AT&T investigators."
The next year, however, Fahd recruited a fresh round of insiders at the same AT&T call center in Washington State because this is where unlocking requests are handled.
Court documents say he used Facebook and other tools to recruit these employees, and at one point he even flew an insider from Washington to Dubai, where Fahd and a partner made an in-person bribe payment.
Somehow, the scheme continued to operate until September 2017, although it's not exactly clear why or how considering AT&T had detected it the first time.
What we do know is that AT&T worked with the federal government for help. And that's why Muhammad Fahd is now in jail.
"This arrest illustrates what can be achieved when the victim of a cyber attack partners quickly and closely with law enforcement," says Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division.
"When companies that fall prey to malware work with the Department of Justice, no cybercriminal—no matter how sophisticated their scheme—is beyond our reach."
Fahd now awaits trial in Washington State, not far from the AT&T Wireless call center he allegedly targeted. And at least three of the call center insiders have pleaded guilty to taking bribes in the scheme.
Thoughts for cybersecurity and business leaders on insider threats
This case raises some questions every company should be asking.
1. What do we have of value that outsiders want and insiders can access?
2. Does our Identity and Access Management (IAM) program take a least privileged approach?
We've been hearing a lot about that approach—also known as zero trust—at regional SecureWorld conferences this year.
3. Will we recognize an insider threat gone rogue when we see it?
This question is raised in research by the Ponemon Institute on how organizations view insider threats.
Dr. Larry Ponemon himself told us as much during a SecureWorld interview:
"We found that companies err on the side of goodness. They don't want to accuse somebody without full evidence of a crime, so they write it off as negligence.
And we discovered insider threats are not viewed as seriously as external threats, like a cyber attack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever."
That is a chilling thought.
Then again, so is the revelation that several AT&T Wireless employees became "activated insiders" and took more than $1 million in bribes.
Do your employees have a price?