On August 25, the Department of Justice announced the arrest of Egor Igorevich Kriuchkov, a citizen of Russia, for conspiring to breach the network of Tesla operations in Sparks, NV, and introduce malware into the company’s network. Kriuchkov was arrested on August 22 as he tried to depart Los Angeles for Russia and has been detained pending trial.
Unpacking the criminal complaint filed by the FBI Las Vegas Field office, it is clear this isn’t an ordinary attempt to infuse malware into a company’s network, but rather an effort led by a well-financed and logistically nimble organization.
The Tesla Insider Starts the Chain of Events that Led to Success
While the insider’s identity is not known, we do know that the insider is the hero of this tale.
We are able to deduce from the court documents that the insider is a Russian-speaking, non-U.S. citizen working in Sparks, NV, who has direct access to the organization’s computer network. When approached, the insider listened and then took appropriate action: he reported the approach to the company, and the company quickly contacted the FBI. The FBI stepped in and obtained the cooperation of the employee.
Based on the manner of the approach, it is clear that the Russians had conducted operational surveillance of the organization in question and its network, and had a means to identify employees. The fact that they targeted a non-U.S. citizen employee who spoke Russian implies their research and surveillance had a nexus in Russia.
Kriuchkov Approaches the Insider
On July 16, Kriuchkov contacted the insider via WhatsApp and asked to meet with him in Sparks, NV. What isn’t known from the court documents is why the insider would agree to meet with an individual he didn’t know; Kriuchkov was therefore either previously known to the insider or was able to provide some form of bona fides that put the insider at ease.
From August 1-3, the employee (and colleagues) met with Kriuchkov in what can be described as a strictly social manner, including a trip to Lake Tahoe. On August 3, Kriuchkov took the insider aside and asked the insider to participate in a special project.
Kriuchkov Makes an Offer
Kriuchkov asked the insider to insert into the organization’s computer network malware provided by Kriuchkov and his associates. Following insertion, a distributed denial of service attack would be launched, designed to occupy the information security team. Meanwhile, the malware would spread through the network and corporate data would be extracted. The company would then be asked to pay to get its data back. For his cooperation, the insider and Kriuchkov would both be well compensated.
The Mechanics of the Take Down
Cooperation and collaboration were expected of the insider, as the criminal team needed specifics about the network in order to tweak their software to compromise it.
The criminals used burner cellphones and various applications, including TOR, WhatsApp, and bitcoin wallets.
Meetings between Kriuchkov and his associates (via telephone) centered around the mechanics of the insider being paid and the amount. The negotiations started at $500,000 and ultimately the insider was offered $1 million to facilitate the compromise. The insider, operating with FBI guidance and cooperating by wearing a wire, toyed with Kriuchkov in order to extract the maximum amount of information about the infrastructure, processes, and procedures used by the Russians.
The FBI’s counterintelligence effort was successful, and the identities and functions of a number of individuals were obtained. Additionally, the names of other alleged victims of this group were elicited. Indeed, Kriuchkov noted how the group had recently extorted a large corporation and had negotiated the payment of a ransom down from $6 million to $4-plus million. Open source information shows that the day before Kriuchkov’s arrival in the United States, CWT Travel negotiated and paid a $4.5 million ransom on July 27.
An Insider Program Win
Those who manage insider threat programs would be well served to highlight this case and pull from the court documents those portions describing the mechanics of Kriuchkov’s approach to the insider. The Tesla employee did exactly what every company hopes its own employees will do if approached with a scheme to damage their employer’s network – report it. The fact is that this individual turned down $1 million to protect their organization.