Fired IT Admin Cripples Former Employer’s Network

After being laid off, an IT system administrator disrupted the operations of his former employer, a high-profile financial company in Hawaii, hoping to get his job back. Casey K. Umetsu, aged 40, worked as a network admin for the company between 2017 and 2019, when his employer terminated his contract.

The U.S. Department of Justice said in a press release that the defendant pled guilty yesterday to accessing his former employer’s website and making configuration changes to redirect web and email traffic to external computers. “After using his former employer’s credentials to access the company’s configuration settings on that website, Umetsu made numerous changes, including purposefully misdirecting web and email traffic to computers unaffiliated with the company, thereby incapacitating the company’s web presence and email,” stated the U.S. Department of Justice.

To prolong the business disruption for several more days, Umetsu performed additional actions that essentially locked the firm’s IT team out of the website administration panel. Umetsu admitted that his motive for causing this damage was to convince his former employer to hire him back at a higher salary.

“Umetsu criminally abused the special access privileges given to him by his employer to disrupt its network operations for personal gain,” said U.S. Attorney Clare E. Connors. “Those who compromise the security of a computer network – whether government, business, or personal – will be investigated and prosecuted, including technology personnel whose access was granted by the victim,” Connors added.

In the end, the victimized company learned who was responsible for the sabotage after reporting the cybersecurity incident to the FBI. While Umetsu’s actions are condemnable, the company’s security practices cannot be overlooked: Umetsu used credentials that should have been invalidated the moment he was fired.

Analyst Notes

Every organization should have an exit policy for departing employees. At a minimum, the policy should cover revoking the user’s credentials (including any shared or third-party administrative logins the person knew), auditing systems for files the employee left behind, and collecting and inventorying the equipment issued to the employee. Disgruntled employees have a strong incentive to be vengeful: apart from using the access credentials themselves, they could also sell them on the dark web.
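The credential-revocation step is the one that failed in the case above, and it is also the easiest to verify mechanically. The following script is an added example, not code from the original article or from any product it mentions; it audits a constructed account inventory against a list of terminated employees and flags any account that is still enabled, or that was used to log in, after the owner’s termination date. The system names, employee IDs and the idea of a shared “admin” login on an external hosting panel are assumptions made up for the illustration; in practice the inventory would be pulled from the directory service, the mail gateway and each external provider.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional


@dataclass
class Account:
    system: str                      # where the account lives (internal or external)
    username: str
    owner: str                       # employee ID of the person who holds the password
    enabled: bool
    last_login: Optional[datetime]   # None if the system never recorded a login
    privileged: bool                 # admin / configuration rights on that system


@dataclass(frozen=True)
class Finding:
    employee: str
    system: str
    username: str
    privileged: bool
    reason: str


# Constructed HR record: employee ID -> termination date (assumption for the example)
TERMINATED: Dict[str, date] = {"e1001": date(2019, 3, 15)}

# Constructed account inventory spanning internal and external systems.
# The "web-host-panel" entry models a shared admin login that was never rotated.
INVENTORY: List[Account] = [
    Account("corp-ad", "jdoe", "e1001", False, datetime(2019, 3, 14, 17, 2), True),
    Account("web-host-panel", "admin", "e1001", True, datetime(2019, 5, 2, 3, 41), True),
    Account("mail-gateway", "jdoe", "e1001", True, None, False),
    Account("corp-ad", "asmith", "e2002", True, datetime(2019, 6, 1, 9, 0), False),
]


def audit_offboarding(inventory: List[Account], terminated: Dict[str, date]) -> List[Finding]:
    """Return every account that still grants, or was used for, access after its owner left.

    Two conditions are checked per account owned by a terminated employee:
      * the account is still enabled (revocation never happened), and
      * the last recorded login is later than the termination date (revocation
        happened too late, or not at all, and the access was actually used).
    Accounts owned by current employees are ignored.
    """
    findings: List[Finding] = []
    for acct in inventory:
        term_date = terminated.get(acct.owner)
        if term_date is None:
            continue  # owner is still employed; nothing to check
        if acct.enabled:
            findings.append(Finding(acct.owner, acct.system, acct.username,
                                    acct.privileged, "still enabled after termination"))
        if acct.last_login is not None and acct.last_login.date() > term_date:
            findings.append(Finding(acct.owner, acct.system, acct.username,
                                    acct.privileged, "login after termination date"))
    # Privileged findings first so the most dangerous gaps are at the top of the report
    findings.sort(key=lambda f: (not f.privileged, f.system, f.reason))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings as one line each, suitable for a ticket or a log sink."""
    if not findings:
        return "offboarding audit: no lingering access found"
    lines = []
    for f in findings:
        level = "HIGH" if f.privileged else "MEDIUM"
        lines.append(f"[{level}] {f.system}/{f.username} (owner {f.employee}): {f.reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_offboarding(INVENTORY, TERMINATED)))
```

Running the example reports three gaps for the departed employee: the shared hosting-panel login is both still enabled and was used weeks after termination, and the mail-gateway account was never disabled. The directory account that was disabled on the last working day produces no finding. Scheduling an audit like this daily, with the inventory fed from real systems, catches exactly the failure mode in the story: an account the IT team forgot about, on a system outside the corporate directory.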