FBI: $4 Million Scheme – Mixing Malware, DDoS and Extortion – Thwarted by Insider
Tesla CEO Elon Musk says a “serious” attempt to steal corporate data and hold his company to ransom has been thwarted.
Russian national Egor Igorevich Kriuchkov, 27, has been accused of attempting to recruit an insider by bribing him with $1 million to install malware on Tesla computer systems to exfiltrate data, which a crime gang allegedly planned to use to make Tesla pay a $4 million ransom. He was arrested on Saturday in Los Angeles as he was allegedly attempting to flee back to Russia, according to the Justice Department.
Kriuchkov’s alleged recruitment efforts were foiled after the Russian-speaking Tesla employee reported the attempt to management, and also agreed to serve as a “confidential human source” for the FBI – referred to as “CHS1” in court documents. The bureau recorded multiple conversations that Kriuchkov and the employee held in person, including in cars and restaurants.
A sealed FBI criminal complaint filed against Kriuchkov on Sunday and unsealed on Tuesday charges him with conspiracy to cause damage to a protected computer against “victim company A.” While the targeted company has not been named by the FBI, a Thursday story on news site Teslarati said the targeted company was Tesla.
Responding to the Teslarati report, Musk said it had been a “serious attack” attempt.
Much appreciated. This was a serious attack.
— Elon Musk (@elonmusk) August 27, 2020
Indeed, according to court documents, the crime gang behind the effort planned to hit Tesla with customized malware – for which they’d pay a supplier $250,000 – to exfiltrate data, hiding the theft using a distributed denial-of-service attack as cover. Their alleged extortion plans called for Tesla to give them $4 million – and they likely would have demanded more, hoping to reach that figure after negotiations – of which $2 million would go to the crime gang’s boss, $1 million to the Tesla insider, and the rest to the crime gang’s associates.
FBI Recorded Conversations
The FBI says that from around July 15 to Aug. 22, Kriuchkov conspired to recruit an employee – who has not been named – based in Tesla’s Gigafactory in Sparks, Nevada – near Reno – first via WhatsApp, then in person. The employee told the FBI that he’d met Kriuchkov in 2016, and that his contact details had been shared by a mutual acquaintance.
The employee, CHS1, “is cooperating with the FBI because of patriotism to the United States and a perceived obligation to victim company A,” and also “has not asked for and has not been offered any form of payment, including consideration regarding immigration or citizenship,” according to court documents – including an affidavit in support of the arrest warrant and criminal complaint – which were written by FBI Special Agent Michael J. Hughes, who works out of the FBI’s Reno field office and is currently assigned to conduct counterintelligence investigations.
The FBI says that “databases available to law enforcement revealed Kriuchkov entered the United States on July 28,” arriving in New York on a tourist visa, before flying to San Francisco on July 30, then renting a car the next day to drive to Sparks to meet the employee. “Records also show that Kriuchkov rented a room at a hotel just off of I-80 in Sparks.”
Kriuchkov allegedly purchased a cellular phone once he arrived in New York, which he used to communicate with the Tesla employee, whom he wined and dined in Nevada before asking him to work on a “special project” with him and his associates. Unbeknownst to Kriuchkov, however, the employee had tipped off senior managers, who alerted the FBI.
The employee met with Kriuchkov multiple times, according to court documents, with the FBI describing their interactions as constituting “a communications plan intended to be used to conceal communications between a handler (Kriuchkov) and a co-optee (CHS1) for advancing the criminal activity.”
In an Aug. 18 meeting, “Kriuchkov also stated that the employee would have to participate in the development of the malware, by providing information about victim company A’s network to the conspirators,” according to the criminal complaint.
“CHS1 stated Kriuchkov also mentioned another member of the group (not by name) who is a hacker and a high-level employee of a government bank in Russia,” according to court documents. “CHS1 said this group member specializes in encryption and works to ensure the malware cannot be traced back to CHS1 after CHS1 installs it in the network.”
Based on conversations recorded in Russian between the Tesla employee and Kriuchkov, the FBI says that the crime gang planned to provide the employee with the malware, which he would install on Tesla’s networks and leave running for at least six to eight hours. “The co-conspirators would engage in a distributed denial-of-service attack to divert attention from the malware,” according to court documents, during which time “the malware would allow the conspirators to extract data from victim company A’s network. Once the data was extracted, the conspirators would extort victim company A for a substantial payment.”
The attempted intrusion scheme was suddenly delayed last week, however, with Kriuchkov telling the employee that “the group was in the final stage of another project which was supposed to provide a large payout,” the proceeds of which they needed in order to pay the employee, according to court documents. Kriuchkov allegedly told the employee that one of the gang’s prior shakedowns had resulted in a $4 million payout.
What happened next isn’t clear, although the bureau says that “after being contacted by the FBI,” Kriuchkov drove from Reno to Los Angeles, where he asked an associate to buy him a ticket back to Russia.
Following his arrest, Kriuchkov appeared earlier this week before U.S. Magistrate Judge Alexander F. MacKinnon in U.S. District Court in Los Angeles, who ordered that he be detained pending trial.