I remember working in a movie theater in college and leaving for another job. I performed grounds maintenance (before they were in multiplexes), projector upkeep, and auditorium repair. I left for another job. However, being an absentminded kid, I hung my keys to the theater on a hook in my closet and forgot I had them. No one from the theater, or the company it belonged to, ever asked me for the keys back, and it was only when a friend of mine, who was still employed there, locked himself out that I remembered I had them. This was nine months after I quit. Luckily for them, I was neither disgruntled nor of a thieving personality, just scatterbrained.
The Hidden Threat: Insider Sabotage
Insider threats can be associated with all types of motives: financial gain, espionage, and ideology. Intentional insider threats are so dangerous because most of the time they take little skill to execute and are often the result of failed or missing policies: the attacker already has the credentials, the network knowledge, and the access. However, one of the least talked about motives in cyber insider threats can also be one of the most devastating: sabotage based on revenge or anger. Perhaps it gets little attention out of relief that the angry employee chose digital retribution over physical violence, or perhaps because the monetary loss is hard to gauge. Either way, there have been some really nasty attacks over the last two or three years that have barely registered a blip on the cybercrime radar.
Robert Brittain’s Devious Act
Robert Brittain of Lexington, North Carolina held a position of trust as a United States Bankruptcy Court clerk. He resigned over misconduct, but before he left he was devious enough to set up a VPN connection from his own computer back into the court's network. After his departure, he used a current employee's password to log in over that VPN and remotely wiped a department iPad. He pled guilty in May. The lesson is twofold: his own remote access path survived his exit, and a colleague's password was enough to take action on a device he no longer had any right to touch.
Casey Umetsu's Vengeful Attack
Between 2017 and 2019, Casey Umetsu worked for a financial company in Hawaii as an information technology professional with extensive credentials. He then quit his position, but his credentials didn't go away. Using them, he redirected the company's domain so that its web and email traffic was misdirected, rendering the company's website and email server inoperable: in effect, a denial of service carried out through a configuration change rather than a flood of traffic. He pled guilty in 2022, noting his goal was to get his former company to hire him back at a higher salary.
Juliana Barile’s Data Destruction
In 2021 Juliana Barile was fired from her position as a part-time employee with a New York credit union. Two days later, Barile remotely accessed the credit union's file server, without authorization, and deleted 21 gigabytes of data, including 20,000 files and almost 3,500 directories, much of it related to mortgage loan applications. In addition, she wiped cybersecurity software from the system. Barile then bragged about her feats to friends via text messages. She pled guilty and was subsequently given probation. Two days is all it took: her access had not been revoked at termination, and nothing flagged a just-fired account logging in remotely and mass-deleting files.
When a Logic Bomb Hit the Army Payroll
A few years earlier, a DoD contractor unleashed a "logic bomb" on an Army payroll database when he found out his employer had lost its contract with the government. Logic bombs are nasty sabotage tools: malicious code planted in a system that lies dormant until a trigger fires, such as a particular date, a program being opened, or some other condition the author chose. Because the author is an insider, the code is typically deployed through normal change channels and looks legitimate until it detonates. As a result of this one, Army Reservists had to wait weeks for their pay, and it cost the organization over $2 million in audit and investigation time and labor. The contractor pled guilty and was sentenced to two years in prison and $1.5 million in restitution.
The takeaway here is that most of the above cases were avoidable: rigorously enforce an employee exit process that disables accounts and remote access on the last day, watch the accounts of employees who may be disgruntled, and flag unusual activity from both past and current accounts, especially any authentication by an account that HR says should no longer exist. The amount of power someone with broad network permissions holds cannot be overstated. It's like having keys to the safe, the file cabinet and the factory all at the same time.
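The three recent cases above share one root cause: a departed employee's access outlived the employee. The following is an added example, not code from the original post, of the two checks an offboarding program would run to catch that. It compares a constructed HR termination feed against a constructed directory export to find accounts that should have been disabled, and it scans constructed key=value authentication log lines for any event, successful or not, from a terminated account after its termination date. The log format, field names and user names are assumptions for illustration.

```python
"""Offboarding drift checks: stale accounts and post-termination activity.

Added example (not from the original post). All input data below is
constructed inline so the script runs offline.
"""
import re
from datetime import datetime, timezone


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2021-05-21T03:41:09Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed HR feed: username -> moment employment ended (UTC).
# Anything after this instant is activity by a former employee.
TERMINATED = {
    "alice": parse_ts("2021-05-19T00:00:00Z"),
    "bob": parse_ts("2019-03-01T00:00:00Z"),
}

# Constructed directory export: username -> account attributes.
DIRECTORY = {
    "alice": {"enabled": True},    # terminated but never disabled
    "bob": {"enabled": False},     # disabled correctly at offboarding
    "carol": {"enabled": True},    # current employee, nothing to flag
}

# Constructed authentication events, one per line (assumed key=value format).
AUTH_LOG = """\
2021-05-18T16:02:11Z user=alice src=10.0.4.12 service=fileserver result=success
2021-05-21T03:41:09Z user=alice src=203.0.113.7 service=vpn result=success
2021-05-21T03:43:52Z user=alice src=203.0.113.7 service=fileserver result=success
2021-05-21T03:45:00Z user=carol src=10.0.4.30 service=fileserver result=success
2019-04-02T22:10:30Z user=bob src=198.51.100.9 service=dns-admin result=failure
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+"
    r"service=(?P<service>\S+)\s+result=(?P<result>\S+)$"
)


def parse_event(line):
    """Return a dict for a well-formed log line, or None for junk lines."""
    match = LINE_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = parse_ts(event["ts"])
    return event


def stale_accounts(directory, terminated, now):
    """Accounts still enabled although HR recorded a termination at or before `now`."""
    return sorted(
        user
        for user, attrs in directory.items()
        if attrs.get("enabled") and user in terminated and terminated[user] <= now
    )


def post_termination_activity(log_lines, terminated):
    """Events from terminated accounts after their termination instant.

    Failed attempts are kept on purpose: a failure means deprovisioning
    worked, but a former employee trying the door is still worth knowing.
    """
    hits = []
    for line in log_lines:
        event = parse_event(line)
        if event is None:
            continue
        ended = terminated.get(event["user"])
        if ended is not None and event["ts"] > ended:
            hits.append(event)
    return hits


if __name__ == "__main__":
    now = parse_ts("2021-06-01T00:00:00Z")
    for user in stale_accounts(DIRECTORY, TERMINATED, now):
        print(f"STALE ACCOUNT  {user}: still enabled after termination")
    for ev in post_termination_activity(AUTH_LOG, TERMINATED):
        print(f"POST-TERM EVENT {ev['ts'].isoformat()} user={ev['user']} "
              f"src={ev['src']} service={ev['service']} result={ev['result']}")
```

Run against the constructed data, the stale-account check reports alice, and the log scan flags her VPN and file-server logins two days after termination plus bob's failed attempt against the DNS admin console, the same patterns as the Barile and Umetsu cases. In practice the HR feed is the authoritative source and the directory and logs are what you reconcile against it, and the stale-account check should run daily rather than waiting for someone to notice.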