On Tuesday, the Department of Justice announced charges against a Russian national who was arrested in the United States while attempting to recruit an employee of an unspecified Nevada company. The Russian national, identified as Egor Igorevich Kriuchkov, was described by the FBI as a member of a “larger criminal gang” that planned to use malware to access the company’s network, steal information, and extort a ransom payment from the victim. The employee who was targeted for recruitment reported the attempt, and the FBI had agents surveilling Kriuchkov throughout his time in the United States. According to the FBI report, the employee involved in the scheme stated that they knew Kriuchkov from prior communications in 2016. During his trip to the US, Kriuchkov took the employee and several others on a trip to Lake Tahoe, where Kriuchkov paid for everything. Kriuchkov privately told the employee that he was part of a group working on “special projects” and that they would pay the employee $500,000 USD to install malware from a USB drive on their employer’s network. The employee negotiated the price up to $1,000,000 with an advance payment of one Bitcoin. Kriuchkov even reassured the employee that his team would distract the company’s security department by launching a DDoS attack to disguise the data theft, and that they could make the attack appear to have come from a different employee. The employee recognized the immoral and illegal nature of the request and reported the recruitment attempt to the FBI. After this, the employee and Kriuchkov had several more recorded discussions about the scheme, during which it was revealed that the malware they intended to use was specifically written for the employee’s company and that several other companies had been similarly targeted. The FBI eventually contacted Kriuchkov by phone, which led him to attempt to leave the US immediately, only to be arrested the following day in Los Angeles.
This case had the best possible outcome for what could have been a disastrous situation. The idea of masking an intrusion into an organization with a DDoS attack is nothing new; various attackers have used this tactic for several years. Recruiting insiders with privileged access is also not a new concept and has been used by criminals and intelligence professionals for years. Many organizations have much better monitoring of traffic originating from outside the perimeter of their network than they do of programs run from USB drives on internal workstations, which makes an insider a very powerful tool for attackers. A company culture that treats employees with respect, along with a good security education program, can help ensure that employees make the right decision and report suspicious activity instead of taking a $1,000,000 payout. Endpoint detection and response systems that watch specific devices for unusual activity can help protect against infections as well as the spread of malicious activity. It is tunnel vision among security professionals that allows attackers to use DDoS attacks to mask other malicious activity. It is important not to become so focused on one issue that other potentially malicious actions are missed. More information on this topic can be found at: https://www.zdnet.com/article/russian-arrested-for-trying-to-recruit-an-insider-and-hack-a-nevada-company/
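The two gaps named above (programs launched from USB drives going unwatched, and analysts distracted by a concurrent DDoS) can be closed with a simple endpoint correlation. The following is an added example, not code from the article or from any vendor: it assumes Sysmon-style process-creation records in which the endpoint agent reports the drive type of the executable's volume, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class ProcessEvent:
    """One process-creation record in a Sysmon-like shape (field names are assumed, not from the article)."""
    time: datetime
    host: str
    user: str
    image: str        # full path of the executable that started
    drive_type: str   # "fixed", "removable" or "network", as the endpoint agent reports it

def is_removable_launch(ev: ProcessEvent) -> bool:
    """A process whose image lives on removable media is the USB-drive scenario the article describes."""
    return ev.drive_type == "removable"

def in_window(t: datetime, window: Optional[Tuple[datetime, datetime]]) -> bool:
    """True when t falls inside an active alert window (inclusive bounds)."""
    return window is not None and window[0] <= t <= window[1]

def flag_insider_launches(events: List[ProcessEvent], ddos_window=None):
    """Return (host, user, image, correlated) for each removable-media launch.

    `correlated` is True when the launch falls inside an active DDoS alert window,
    which is exactly when the article warns analysts are most likely to miss it."""
    hits = []
    for ev in events:
        if is_removable_launch(ev):
            hits.append((ev.host, ev.user, ev.image, in_window(ev.time, ddos_window)))
    return hits

# Constructed sample events: a normal launch, a USB-drive launch before the DDoS alert, and one during it.
T0 = datetime(2020, 8, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    ProcessEvent(T0, "ws-eng-12", "CORP\\alice", r"C:\Windows\System32\notepad.exe", "fixed"),
    ProcessEvent(T0 + timedelta(minutes=5), "ws-eng-12", "CORP\\alice", r"E:\tools\update.exe", "removable"),
    ProcessEvent(T0 + timedelta(minutes=20), "ws-eng-07", "CORP\\bob", r"D:\setup.exe", "removable"),
]
DDOS_WINDOW = (T0 + timedelta(minutes=15), T0 + timedelta(minutes=45))  # constructed alert window

if __name__ == "__main__":
    for host, user, image, correlated in flag_insider_launches(SAMPLE_EVENTS, DDOS_WINDOW):
        tag = "DURING DDoS ALERT" if correlated else "no concurrent alert"
        print(f"{host} {user} launched {image} from removable media ({tag})")
```

Raising the severity of a removable-media launch that coincides with a DDoS alert, rather than suppressing it, is what keeps the "distraction" described in the article from working.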