One should never underestimate the power of vengeance in providing motivation for an insider to conduct an act they would otherwise find abhorrent. Yet again and again we see individuals who are reprimanded or discharged wreaking havoc upon their employer or former employer. These individuals are why insider threat programs need to exist.
The Department of Justice (DoJ) filed a criminal complaint on April 15 and the court ordered an arrest warrant to be issued against Christopher Dobbins, former vice president of Stradis Healthcare. He stands accused of sabotaging the fulfillment and shipping of personal protection equipment during an extreme time of national need – the COVID-19 pandemic.
“This defendant allegedly disrupted the delivery of personal protective equipment in the middle of a global pandemic,” said U.S. Attorney Byung J. “BJay” Pak. “Scarce medical supplies should go to the healthcare workers and hospitals that need them during the pandemic. The Department of Justice is dedicated to moving quickly on cases like this to bring criminal opportunists to justice and protect the public during these challenging times.”
Let’s dig into the who Dobbins is, and where an insider threat program may have assisted Stradis in detecting the threat posed by Dobbins as he set the table for his act of revenge, which began in December 2019, months before he became “Dobbins the former employee.”
Who is Dobbins?
Christopher Dobbins was VP of finance within Stradis. His LinkedIn account indicates that he guided his company to the “2019 Supply Chain Pioneer of the Year Award” and that he had successfully brought to the company NetSuite. In addition, he indicates he “Incorporated full production planning (APS) and HMI control, WMS and handhelds, distribution planning, EDI, cloud-based CRM to support field sales reps, credit card processing, automated labeling, and document scanning.”
The Criminal complaint
The criminal complaint goes into great detail on how Dobbins put in place the various pieces necessary for his act of revenge. Dobbins was disciplined for unspecified reasons on August 9, 2019.
On August 13, 2019, just four days after being reprimanded, Dobbins “created a fictitious user account within the NetSuite application in the name of ‘Jagdish Kavitha’.” There is no evidence Stradis noticed the new user, and as VP in charge of the application, one would assume that he would be the one notified of an anomaly. His future pathway to access wasn’t detected by Stradis. Dobbins was now able to wreak havoc, should he so desire.
On December 16, 2019, Dobbins was once again disciplined (the reasons for the discipline actions by Stradis are not shared). Following the formal action, Stradis terminated Dobbins’ access to NetSuite.
Dobbins’ access to NetSuite was terminated at 9:18 AM. Less than an hour later Dobbins was back inside the NetSuite application via the Kavitha account he created in August 2019. The FBI asserts they know this because the IP address used by Dobbins from his home to legitimately access Stradis from May 2018 through February 2020 was identical to that used by Kavitha in December 2019.
Dobbins was terminated by Stradis on March 2, 2020. The Kavitha account logged into the Stradis network and NetSuite application on March 4 via the “TorGuard Virtual Network.” Dobbins no doubt was attempting to now obscure his IP address. The Kavitha account wasn’t going to be used to do the damage, it was, however used to create yet another account, “dbh marq.”
Stradis fulfillment process interrupted
Dobbins had the necessary access to Stradis confirmed and was biding his time, waiting for the last payroll disbursement from Stradis. It arrived on March 26. On March 29 he puts his plan to damage Stradis into action.
He creates that third account “dbh marq” and associated email address which pointed to a throw-away email on PokeMail. Once the account access was verified, Dobbins, using the same IP address that he used to log in as Kavitha, logged into Stradis as “dbh marq.”
Dobbins logged into Stradis via the “dbh marq” account and in just 45 minutes managed to “cause 115,581 record edits and 2,371 deletions within the NetSuite application.” His work completed, he deleted both the “dbh marq” and the “Kavitha” accounts from NetSuite and sat back to watch Stradis begin having shipping problems.
On April 7, Stradis notified the FBI of a computer intrusion. On April 16, Dobbins was arrested. The terms of his release prohibit contact with Stradis employees or their families with the exception of a Mr. Andrews who is associated with the American Product and Inventory Control Society (the association of supply chain professionals).
Insider threat program
Administrative access is often associated with the highest level of trust within a company or organization. The leadership of a company would naturally have greater access than the task worker, and such was the case for Christopher Dobbins as VP of finance.
While we know from the court records that Dobbins was disciplined in August 2019 and again in December 2019, what we don’t know is the level of network monitoring capability within Stradis. Here we have a trusted individual creating a fictitious account (Kavitha) with the same level of access to the NetSuite application as the VP who created the fake account. Then that account, daisy-chained a second fictitious account. None of these actions were apparently detected when the accounts were created.
Stradis is no doubt asking themselves why they didn’t detect the August 13 creation of the Kavitha account, which may have accelerated the termination of Dobbins. They may also be trying to determine why they didn’t notice two separate accounts accessing their network from the same IP address in real time. Their audit logs provided to the FBI showed such was the case.
Sadly, it was in the midst of the current COVID-19 pandemic that Dobbins inflicted his vengeful damage, and the investigation into the causation of the interruption – the deletion of a portion of the NetSuite application and account edits/deletions which seemed to have caused the audit logs to be reviewed.
The question for you – does your entity’s insider threat program include a technical audit of account activities following employee disciplinary action?
