A Russian national tried to bribe a Tesla employee into planting malware into the IT network of the company’s electric vehicle subassembly factory near Reno, Nevada, but the employee contacted the FBI instead to help nab the hacker.
This Tuesday, the U.S. Department of Justice said a Russian national had been made to appear in a federal court for conspiring “to recruit an employee of a company to introduce malicious software into the company’s computer network, extract data from the network, and extort ransom money from the company.”
After entering the United States using his Russian passport and a tourist visa, 27-year-old Egor Igorevich Kriuchkov conspired with his associates to recruit an employee of a Nevada-based company by planning to offer a bribe of $1 million. In return, the employee was to be asked to plant malware into his company’s IT network which could then enable the Russians to gain access to the company’s internal files, exfiltrate data, and blackmail the company into paying a ransom.
The conspiracy began on 22nd July and Kriuchkov conducted numerous meetings with the said employee, promised to pay the employee $1 million, and even gave him a burner phone, instructing him to leave the burner phone in airplane mode until after the money was transferred. However, Kriuchkov was arrested on 22nd August after making a desperate attempt to fly out of the country.
According to Teslarati, the employee was a Russian-speaking, non-US citizen, enjoyed direct access to the company’s computer networks, and was initially contacted by Kriuchkov via WhatsApp following which the hacker along with his associates tried to build rapport with him by taking him to Lake Tahoe on a hiking trip.
After Kriuchkov shared his plans with him over a discreet meeting, the employee contacted the FBI and continued to communicate with Kriuchkov to extract as much information from him as possible. Kriuchkov reportedly boasted about extracting a ransom of over $4 million from CWT Travel and on 19th August, agreed to pay the employee an advance of $11,000 as part of the $1 million deal.
On 21st August, the FBI sprung into action after Kriuchkov told the Tesla employee that the plan was being delayed and that the agreed payments would be made on a later date. After the FBI contacted Kriuchkov, he drove overnight from Reno, Nevada to Los Angeles in an attempt to flee the U.S. but was arrested the following day.
Earlier today, Tesla CEO Elon Musk confirmed via a tweet that the Russian hacker was, in fact, attempting to target Tesla by offering a bribe to one of the company’s employees. The targeted infrastructure was Giga Nevada, Tesla’s giant lithium-ion battery and electric vehicle subassembly factory near Reno, Nevada.
Much appreciated. This was a serious attack.
— Elon Musk (@elonmusk) August 27, 2020
Also known as Gigafactory 1, the factory is the manufacturing hub for lithium-ion batteries that power Tesla’s electric vehicles. The company’s target is to manufacture as many as 500,000 batteries in 2020 alone and as per reports, the factory employs over 7,000 people and also manufactures solar tiles, battery chargers, and battery packs for stationary storage systems.
Egor Kriuchkov will face trial in the U.S. District Court of Nevada on charges under Section 371 of the U.S. Code that covers “Conspiracy to IntentionallyCause Damage to a Protected Computer”.
Commenting on the attempted ransomware attack on Tesla, Matt Walmsley, EMEA Director at Vectra, said that ransomware attackers seek internal access to privileged entities associated with accounts, hosts and services given the unrestricted access they can provide and the ease of replication and propagation.
“In this case the recruitment or coercion of a Tesla insider to aid the attempted deployment of malware tools to stage their attack shows the lengths ransomware groups will go to. Ransomware operators have evolved into using “name and shame” tactics whereby victim’s data is exfiltrated prior to encryption and used to leverage ransomware payments.
“These bullying tactics are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate. These attackers will attempt to exploit, coerce, and capitalise on organisations’ valuable digital assets.
“Attackers will manoeuvre themselves through a network and make that step from a regular user account, to a privileged account, which can allow them to deploy their tools and identify the data they need in order to finalise their ransomware attack and bribe their victims.
“Kudos to Tesla and the FBI in identifying and thwarting the reported attack but in most cases, organisations can’t rely on external prior notification or assistance. Therefore, security teams need to be agile as time is their most precious resource in dealing with ransomware attacks and malicious insider behaviours. Early detection and response are key to gaining back control and stopping the attackers in their tracks before they can propagate across the organisation, stealing and denying access to data and services,” he added.