FBI thwarts $1m ransomware attack on Tesla factory

• Russian hacker tries to hack into Gigafactory Nevada with an insider at the company.
• Cybereason says insider did the right thing and worked with authorities.
• Vectra says security teams need to be agile as time is their most precious resource in dealing with ransomware attacks and malicious insider behaviours.

Dubai: Elon Musk has confirmed that the Russian person arrested earlier this week by the FBI – Egor Igorevich Kriuchkov – was indeed involved in an attempt to hack into Tesla through an insider at the company.

The 27-year-old Russian citizen travelled to the US in July on a tourist visa and made contact with a Russian-speaking employee at Tesla Gigafactory Nevada.

The FBI has launched a sting operation with the employee who shared text communications with Kriuchkov as they were negotiating the terms of the $1 million malware attack.

The employee and Kriuchkov had met several times throughout August to plan the attack and the payment of the employee’s fee.

Interestingly, through the cooperation with the Tesla employee, the FBI was able to obtain information about previous attacks from this group.

Sam Curry, Chief Security Officer at Cybereason, said that the allegations and arrest of a Russian in an alleged plot to hack Tesla reads like a real movie script.

Potential disaster averted

“Tesla is a hot tech company that is strategically important for the US  economy and it is tied to other important companies SpaceX, Hyperloop, Starlink and more. Enter a Russian spy, the use of an ostensibly secure messaging app, four years of patience and trying to turn an insider. What is remarkable is that the insider did the right thing and worked with authorities,” he said.

Relating to the reported extortion amounts, whether its $250,000, $500,000 or $1 million, Curry said that is a lot of money to put into a ‘hack’ which, but for the ‘malware exfiltrating’, could be the plot of a WW2 movie.

“How many other companies have been similarly targeted without having an employee to the right thing? Whether due to security awareness training or simply personal integrity, the result is the same — the bad guy was caught and a potential disaster was averted,” he said.

This is an important reminder, he said and added that there are groups outside seeking to take down companies and they can bring crazy resources to bear.

“In the old days, the government and military-industrial complex were targeted. Today, the private sector and high-tech industries are squarely in the crosshairs,” he said.

Matt Walmsley, Director at Vectra for Europe, Middle East and Africa, said that ransomware attackers seek internal access to privileged entities associated with accounts, hosts and services given the unrestricted access they can provide and the ease replication and propagation. 

In this case, he said the recruitment or coercion of a Tesla insider to aid the attempted deployment of malware tools to stage their attack shows the lengths ransomware groups will go to.

Bullying tactics

“Ransomware operators have evolved into using “name and shame” tactics whereby victim’s data is exfiltrated prior to encryption and used to leverage ransomware payments. These bullying tactics are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate. These attackers will attempt to exploit, coerce, and capitalise on organisations’ valuable digital assets,” Walmsley said.

The big question, according to Curry is whether this is simply a hack-for-cash grab or are there strategic interests behind it?

Moreover, he said that there is some tradecraft here reminiscent of old school espionage and also, did the hackers really think that Elon Musk would cover it up or is the real intent not financial?

To answer the question, Curry said: “we would have to know the hackers. In the old days, we would see rebels and terrorists working together with rogue nation states. Is this a ransomware gang because it smells bigger than that? Is it one of several petty gangs funded and backed by a state agency like GRU? Or is it straight up espionage like in the old days?”

“Losses in similar hacks can be catastrophic. What could be lost? IP that could be used to bootstrap a rival tech company, like China allegedly did with Huawei. Or data that could be used to blackmail or harass or outright assault wealth customers. Perhaps it is to gain the most vital of resources — data,” Curry said.

Kudos to Tesla and the FBI, Walmsley said in identifying and thwarting the reported attack but in most cases, organisations can’t rely on external prior notification or assistance.

Therefore, he said security teams need to be agile as time is their most precious resource in dealing with ransomware attacks and malicious insider behaviours.

“Early detection and response are key to gaining back control and stopping the attackers in their tracks before they can propagate across the organisation, stealing and denying access to data and services,” he said.