UPDATED 21:09 EDT / AUGUST 30 2020

Russian arrested over attempt to bribe Tesla employee to install ransomware

A Russian national has been arrested for his attempt to bribe a Tesla Inc. employee to introduce ransomware at the electric car maker’s Nevada Gigafactory as part of an extortion scheme.

The accused, Egor Igorevich Kriuchkov, was arrested Aug. 22 in Los Angeles while attempting to flee the country and has been detained in custody following an initial court hearing. So far Kriuchkov has been charged with one count of conspiracy to cause damage intentionally to a protected computer.

Most ransomware stories involve hackers exploiting vulnerabilities in a given company’s network to encrypt files and demand a ransom payment. This story, however, is far more colorful, arguably fitting for a company founded by Elon Musk.

Between July 15 and Aug. 22, Kriuchkov is alleged to have conspired with associates to recruit an employee of Tesla to introduce ransomware to Tesla’s network at the Nevada factory. The idea was that once the software was introduced, they would steal files from Tesla’s network, then threaten to publish the stolen data if a ransom was not paid.

What the conspirators did not know is that the employee they had approached went immediately to Tesla, which got the U.S. Federal Bureau of Investigation involved. A sting operation then took place in which the employee played along with Kriuchkov, who gave the employee a burner phone and offered a payment of $1 million once the ransomware had been deployed.

Though commonly reported, and even referred to by security researchers, as an attempt to install ransomware, the Department of Justice describes the software only as malware. There is seemingly no evidence that the software would have encrypted files as traditional ransomware does; instead it would simply have stolen confidential data, with a ransom payment then demanded. Attempted extortion would be a better description, but some argue that this could be considered a new form of ransomware, given that the payment of a ransom was still the ultimate goal.

“This indictment represents an interesting convergence of external threats and insider threats, which professionals traditionally have thought of separately,” Katie Nickels, director of intelligence at managed threat detection company Red Canary Inc., told SiliconANGLE. “In particular, ransomware is generally perceived as an external threat — it’s often delivered through emails or websites.”

Before this indictment, she noted, many organizations likely did not have insider-enabled ransomware in their threat model, but she thinks they should now consider this possibility. “With traditional ransomware, many defenders are able to stop ransomware before it encrypts data,” Nickels said. “If an insider has physical access, stopping this kind of attack becomes much more challenging, as defenders are not used to handling it.”

Nickels noted that the indictment contains many details about the tradecraft on which the Russian national coached the employee, such as using WhatsApp and airplane mode on their phone.

“We often would connect this type of tradecraft with fairly advanced adversaries, often those conducting espionage, yet there is no mention of espionage in this indictment,” she said. “This indictment demonstrates another level of sophistication and challenges for defenders, specifically by raising the possibility that adversaries could leverage insider threats to gain access to and execute malicious software in a target environment. We know traditional ransomware is still effective and we can’t say for sure why some adversaries choose to change tactics, but it is possible that higher ransoms demand higher sophistication.”

Matt Walmsley, EMEA director at threat detection and response firm Vectra AI Inc., said ransomware attackers seek internal access to privileged entities associated with accounts, hosts and services, given the unrestricted access they can provide and the ease of replication and propagation. In this case, it involved the recruitment or coercion of a Tesla insider.

“Ransomware operators have evolved into using ‘name and shame’ tactics whereby victims’ data is exfiltrated prior to encryption and used to leverage ransomware payments,” he said. “These bullying tactics are making attacks even more expensive and they are not going to stop any time soon, particularly within the current climate.”

Photo: Smnt/Wikimedia Commons
