The fact that Tesla was the target of a ransomware attack late last month is not earth-shattering news. These types of cyberattacks have gained their own brand of infamy over the past several years because of their targets and their boldness. Back in the mid-2010s, when healthcare facilities and financial institutions became the darlings of ransomware criminals, the drill was simple: we infect your network with a virus, we gain control of your network and then hold your data hostage while your organization decides whether or not to pay the ransom – in Bitcoin.
Fast forward to the summer of 2020: as the COVID-19 pandemic rages across the globe, ransomware pirates have crawled from the Petri dish. Notable cyber attacks have played out with the cruise company Carnival, while Garmin revealed that they suffered ransomware attacks as well. Financial services company Travelex recently paid $2.3 million to resolve a ransomware attack.
What makes this Tesla attack different and even more disturbing is that it was an insider breach. According to the Department of Justice complaint, a 27-year-old Russian named Egor Igorevich Kriuchkov traveled to the U.S. and contacted a Russian-speaking, non-U.S. citizen who was working at the Tesla Gigafactory in Sparks, Nevada. Kriuchkov allegedly attempted to bribe the Tesla employee with $1 million to deliver malware to computer systems at the Gigafactory. Kriuchkov and his associates allegedly planned to extract data from the network and threaten to make it public if Tesla didn’t pay a ransom.
The employee immediately informed Tesla, and the company contacted the FBI, which launched a sting operation. Agents arrested Kriuchkov in Los Angeles as he was attempting to leave the country. CEO Elon Musk confirmed the incident in a tweet, saying “This was a serious attack.”
So how has the cybersecurity world reacted to this unprecedented attack? Many security professionals were surprised by the brazenness of the act and fear that attacks are entering a new and nastier phase.
“This indictment represents an interesting convergence of external threats and insider threats, which professionals traditionally have thought of separately. In particular, ransomware is generally perceived as an external threat – it’s often delivered through emails or websites. Before this indictment, many organizations likely did not have insider-enabled ransomware in their threat model, but they should now consider this possibility. With traditional ransomware, many defenders are able to stop ransomware before it encrypts data. If an insider has physical access, stopping this kind of attack becomes much more challenging, as defenders are not used to handling,” says Katie Nickels, who is the Director of Intelligence at Red Canary, a cybersecurity solutions firm out of Denver. “We have seen recent ransomware attacks by Maze operators in which they have begun to extort victims by threatening to release data if they do not pay the ransom, which is a step up from the traditional ransomware that simply encrypts data. This indictment demonstrates another level of sophistication and challenges for defenders, specifically by raising the possibility that adversaries could leverage insider threats to gain access to and execute malicious software in a target environment. We know traditional ransomware is still effective and we can’t say for sure why some adversaries choose to change tactics, but it is possible that higher ransoms demand higher sophistication to have success.”
For Warren Poschman, a Senior Solutions Architect at comforte AG, an enterprise data security solutions provider also based in Denver, the Tesla attack ushers in a new threat vector.
“As the threat landscape continues to get nastier by the day, ransomware attacks like the one attempted against Tesla are still at the forefront and on the rise. What’s interesting about the Tesla attempt is that the attackers attempted to co-opt Tesla employees with the promise of a big payout – something that they, fortunately, turned down. However, in many cases this story has the potential to end differently with systems compromised and data exposed,” warns Poschman. “Organizations need to ensure that the security measures they enact to protect data are still viable even when internal resources are compromised, or data is exposed. Data-centric security offers the most benefit by allowing data to be protected and remain secure even if it is shared, stolen, or misused – effectively nullifying both external and internal threats.”