author photo
By SecureWorld News Team
Mon | Mar 22, 2021 | 8:45 AM PDT

Security researchers have warned us about this for years now.

Cars are getting smarter, becoming more connected, and increasingly they are at risk of being hacked through the cloud.

But what about hacking a human who helps create these connected cars?

A Russian national in U.S. jail pleaded guilty to trying to hack Tesla's computer network through an employee. He attempted to get the employee to turn on his own company, something security experts call an insider threat.

The plot in this case is full of intrigue, social engineering, diversion, and a seven-figure bribe dangled in front of the employee. 

The U.S. Attorney's Office in Nevada explains the crux of the Russian man's scheme:

"According to court documents and admissions made in court, from July 15, 2020, to Aug. 22, 2020, Egor Igorevich Kriuchkov, 27, conspired with others to recruit an employee of a large U.S. company to transmit malware provided by the conspirators into the company's computer network. Once the malware was installed, Kriuchkov and his co-conspirators would use it to exfiltrate data from the company's computer network and then extort the company by threatening to disclose the data."

Court documents are taking us inside the FBI sting that tripped up the suspect.

The cybercriminals involved, including Kriuchkov, targeted Tesla through an employee who works at the company's Gigafactory in Sparks, Nevada.

Cyberattack scheme against Tesla: how it started?

According to the U.S. DOJ, this ransomware scheme bubbled to the surface on July 16, 2020.

Prosecutors say this is when Russian national Egor Igorevich Kriuchkov used WhatsApp to send a message to someone in the United States. The message was not just to a random person, of course, but rather a specific target: an employee at a company Kriuchkov wanted to attack. 

According to the DOJ, Kriuchkov and his "group" are ransomware operators. They launch ransomware attacks against companies, steal the data, and then threaten to publish the information unless a massive ransom is paid.

It's a 2020 twist on a type of cybercrime that used to simply encrypt, or lock up, data during an attack. Backups made it too easy not to pay, so now, sophisticated ransomware operators steal the data, as well. And surprise, surprise, more organizations are deciding to pay.

As it turns out, this ransomware operator likes bribing insiders to help launch an attack against their own employer.

Now, more details in the case. Prosecutors say Kriuchkov identified his next ransomware victim (an organization we now know was Tesla) and messaged one of its employees in Nevada, asking if the employee would host him during a visit to the U.S.

The two of them had a mutual acquaintance, so the connection was there. The employee said he was willing to have the Russian man visit, and Kriuchkov flew from Russia to the U.S. on July 28, 2020, using his Russian passport and a tourist visa to enter the U.S.

He then rented a Toyota Corolla in San Francisco, bought a cell phone, and drove to Reno, Nevada, to meet repeatedly with the employee—the employee he had messaged on WhatsApp, the employee who worked at the next corporation being targeted by ransomware, Tesla.

During early August 2020, Kriuchkov even drove the employee and his friends up to Lake Tahoe and paid for all their expenses. FBI Special Agent Michael Hughes, who investigated the case, says it appears Kriuchkov was grooming his mark:

"Through my training and experience I know individuals involved in intelligence collection and/or criminal activity often spend extravagantly on individuals they are attempting to recruit and/or co-opt for participation in criminal activity."

And that is what unfolded next.

Ransomware operator tries recruiting Tesla employee as insider threat

So now, the suspect in this case, Egor Kriuchkov, has established a rapport with an employee at a company that his group wants to launch a ransomware attack against.

The employee, the mark, doesn't know this yet. But according to court documents, he finds out on August 3rd. Kriuchkov asks the employee if he will help with a "special project" he and his group are trying to coordinate. The FBI explains what he means:

  • The co-conspirators would provide the employee with malware to surreptitiously transmit into Victim Company A's (the target) computer system.
  • The co-conspirators would engage in a Distributed Denial of Service (DDoS) attack to divert attention from the malware.
  • The malware would allow the conspirators to extract data from Victim Company A's network.
  • Once the data was extracted, the conspirators would extort Victim Company A for a substantial payment.
  • Both Kriuchkov and the employee would be compensated. 

And this is not a $1,000 job. Eventually, Kriuchkov and his cybercrime group agreed to pay the employee $1 million for inside help to carry out the ransomware attack.

What this ransomware gang did not know is that the employee in this case, the mark for the ransomware gang, reached out to his employer and the FBI. And that set the stage for an FBI sting operation.

FBI sting catches cybercriminals targeting Tesla

If you're in information security, governance and risk, or corporate leadership, you're already getting a picture of how far a cybercrime gang will go to get inside your network through an insider. It is a chilling thought.

But as we're about to see, the techniques of ransomware operators are about to be revealed as well, during the FBI cyber sting.

The sting took place at a gas station in Reno, as investigating agents watched, recorded, and photographed the meeting.

Just like you see in detective shows, the employee Kriuchkov's group was trying to bribe got Kriuchkov talking, in detail, about how the attack would go down. From the court documents:

"Kriuchkov described the malware attack as he did before, adding that the first part of the [DDoS] attack would be successful for the 'group' but the Victim Company's security officers would think the attack had failed."

Wow. If your organization has been attacked by ransomware, did you have a cyberattack leading up to it that you seemingly stopped? It could have been just a distraction to hide the real attack.

The FBI sting continues.

Agents are listening to the discussion between Kriuchkov and the employee he tried to turn into a cybercriminal. The employee is listed here as CHS1 (confidential human source 1):

"KRIUCHKOV again listed prior companies the 'group' had targeted. KRIUCHKOV stated each of these targeted companies had a person working at those companies who installed malware on behalf of the 'group.' To ease CHS1's concerns about getting caught, KRIUCHKOV claimed the oldest 'project' the 'group' had worked on took place three and a half years ago and the 'group's' co-optee still worked for the company. KRIUCHKOV also told CHS1 the 'group' had technical staff who would ensure the malware could not be traced back to CHS1."

If Kriuchkov is telling the truth, that means at least some of the recent surge in ransomware attacks may be linked to employees who are helping cybercriminals carry out ransomware attacks.

It brings to mind the AT&T Wireless insider threat case, which SecureWorld News covered, where employees took bribes. And it makes us think of an interview we did last year with Dr. Larry Ponemon, one of the world's leading IT and IT security researchers. Ponemon said:

"Insider threats are not viewed as seriously as external threats, like a cyber attack. But when companies had an insider threat, in general, they were much more costly than external incidents.  

The cost of the insider threat can be very high, because the insider that is smart often has the right skills to hide the crime, sometimes forever."

What if rogue employees are helping carry out ransomware attacks and still working at the organization they helped attack?

Now, let's go back to the FBI sting.

Kriuchkov tells his mark (CHS1) he can attack his company and get away with it and that he can also get revenge against someone else if he would like to:

"KRIUCHKOV also told CHS1 the 'group' had technical staff who would ensure the malware could not be traced back to CHS1. In fact, KRIUCHKOV claimed the group could attribute the attack to another person at Victim Company A, should there be someone in mind CHS1 wants to teach a lesson."

During the meeting, the FBI say Kriuchkov agreed again to the $1 million payout for the employee's help, which included an up-front down payment of $50,000.

FBI cyber sting part 2: how much money are cybercrime gangs making?

The informant in this case, the employee Kriuchkov was trying to bribe, had another meeting with Kriuchkov on August 17, 2020, at a Reno restaurant. The FBI was watching and listening to this meeting, as well.

And it appears to answer a question about ransomware attacks: how much are organizations willing to pay to either get their data returned or have it destroyed instead of published?

Much more, it turns out, than the million dollar bribe required for the crime. From the court documents:

"KRIUCHKOV said that victim companies usually negotiate with the group to pay less ransom money than the group initially requests, for example one company was ransomed at US $6 million and ultimately paid US $4 million. He said only one company paid the full initial ransom."

And the hacking group believed the data the employee would steal could fetch a $4 million ransom from the company. Despite this, the group was second guessing its promise of a down payment to the employee:

"KRIUCHKOV stated the group has never provided an advance payment to co-optees and was not comfortable giving money upfront to CHS1."

But there was a work around: a criminal escrow account.

"KRIUCHKOV said that the group had previously used a program called 'Exploit' for an online escrow arrangement."

What would the employee have to do for the ransomware operators to get his full payment? Court documents say it involved the following:

  • Download all the files requested by the cybercriminals.
  • Plan on an entire shift of downloads, taking 6 to 8 hours.
  • Share details of the company network so custom malware can be developed for the attack, which was costing the group six figures.

And during this conversation, more details of the cybercrime group emerged:

"CHS1 stated KRIUCHKOV also mentioned another member of the group (not by name) who is a hacker and a high level employee of a government bank in Russia. CHS1 said this group member specializes in encryption and works to ensure the malware cannot be traced back to CHS1 after CHS1 installs it in the network. KRIUCHKOV said the group would be expecting to get US $4 million dollars from Victim Company A.

CHS1 reported that KRIUCHKOV said the group had to pay US $250,000 for the malware, which would be written specifically for targeting Victim Company A's computer network. CHS1 reported KRIUCHKOV said after CHS1 and the group come to an agreement it would take ten to twelve days for the group to prepare the malware because it would be designed for Victim Company A's network."

Custom malware for a single attack? Teams that can manipulate attack attribution? Escrow accounts to ensure financial promises are kept?

This is starting to sound a lot like the enterprise business model of cybercrime, which you can hear more about in this SecureWorld Sessions podcast featuring a U.S. Secret Service cybercrime investigator:

In the case of the cybercrime effort targeting Tesla, Kriuchkov pleaded guilty to one count of conspiracy to intentionally cause damage to a protected computer.

He is is scheduled to be sentenced May 10, 2021, and will likely spend just a few years in prison, at most.

This case raises a number of important questions, including this one: have you talked to your employees about what they should do and who they should reach out to if an outsider tries to bribe or coerce them?

It is yet another angle to consider when securing your organization.