Suppose you’re a IT professional who has an axe to grind against your employer, and knowledge of the company’s network and access necessary to really do some damage. You might consider launching said attack from a free, public Wi-fi hotspot, like the ones offered at chains like McDonald’s. That would be a smart idea – from your standpoint – and make it harder for you to get caught. You might _not_ want to use a personal credit card to buy a meal at said establishment, thereby putting you at the location at the exact time of the attack. That would be a _dumb_ idea.
Nobody knows that better than one Jason Cornish, a resident of Smyrna, Georgia, who was charged in June with using knowledge gained as a former IT worker at Shionogi Inc., the U.S. subsidiary of a Japanese pharmaceutical firm, to access the company’s network from a McDonald’s Wifi hotspot and delete the equivalent of 88 servers worth of data, including the company’s e-mail and Blackberry servers, its order tracking system and financial management software. The FBI ultimately traced the attack back to a Smyrna, Georgia McDonald’s Wi-fi and put Cornish at the location by way of a Visa credit card he used to make a purchase at the McDonald’s. (Hey, Jason, cash still works!)
The attacks were severe enought to freeze Shionogi’s operations for “a number of days, leaving company employees unable to ship product, to cut checks or even communicate via e-mail,” according to a complaint filed June 30 in U.S. District Court for the State of New Jersey.
Though the motive for the hack isn’t clear, Cornish had parted ways with Shionogi in July, 2010, but continued to work as a contractor for the firm through September, 2010. He may have been acting on behalf of a friend and former colleague, referred to only by the initials B.N in the complaint, who was fired from Shionogi in October for refusing to turn over administrative accounts and passwords requested by the firm.
The complaint reads like a textbook case of modern insider attacks, with Cornish using his knowledge of the company’s network and administrative accounts to access the network long after he ceased working for the company. An incident in January had Cornish allegedly installing the VSphere software – a virtualization management tool – without the company’s consent. That application was later used to delete around 15 virtual hosts containing key elements of Shionogi’s infrastructure.
Insider attacks are among the most damaging kind of cyber threats. (See Threatpost’s Infamous Insiders Slideshow for information on some of the most damaging insider attacks. They’re also, increasingly, making headlines. In April, a breach at the US Airline Pilots Association exposed sensitive financial data for some 3,000 US Airways pilots. A former Chief Pilot at US Airways is believed to have leaked the stolen information to Leonidas, a group that represents pilots from America West, a US Airways subsidiary. In July, a 10 year employee of CME Group was accused of stealing trade secrets and proprietary source code used to run trading systems for the Chicago Mercantile Exchange, according to a criminal complaint filed in that case. Despite the danger posed by malicious insiders, many businesses are not prepared to spot such attacks or take measures to protect critical data and intellectual property from theft. The U.S. government, acting through the Department of Defense’s Defense Advanced Research Projects Agency (DARPA) is funding research into a program, dubbed the Cyber Insider Threat Program (CINDER) that will increase the accuracy, rate and speed with which insider threats are detected.
McDonalds image via dave_mcmg’s Flickr photostream (Creative Commons)
