Source: www.tripwire.com – Author: Graham Cluley
Bad enough for your company to be held to ransom after a cyber attack.
Worse still to then have one of your own employees exploit the attack in an attempt to steal the ransom for themselves.
That’s the situation gene and cell therapy firm Oxford BioMedica found itself in.
On 27 February 2018, the Oxford-based firm discovered that it had suffered a cyber attack after it received a ransom demand from a malicious hacker explaining that they had broken into the company’s systems.
The company did the right thing – it informed the police, and it assigned its own IT security staff to investigate the attack, find out how it had occurred, and mitigate any damage which had been caused.
Amongst the internal staff it assigned to the investigation was IT security analyst Ashley Liles.
What Oxford BioMedica, the police, and the other members of the IT team did not know was that Liles was planning to exploit the cyber attack to his own advantage.
Liles accessed the email account of a company board member who had received the initial ransom demand, and audaciously changed the email’s contents to reference a Bitcoin wallet controlled by himself rather than the original attacker.
In short, if Oxford BioMedica did decide to pay £300,000-worth of Bitcoin then the ransom would end up in the pocket of Liles instead of the cybercriminal who had initiated the attack.
Furthermore, Liles created an email address that was almost identical to that used by the original attacker, and sent a series of emails to his employer posing as the attacker and pressuring them to pay the ransom.
Oxford BioMedica, however, had no intention of paying the ransom and its staff assisted the police with its investigation – unaware that one of their number was also attempting to defraud the company.
Specialist police officers from the South East Regional Organised Crime Unit’s (SEROCU) Cyber Crime Unit discovered that someone had been remotely accessing the board member’s email account, and traced that access back to Liles’s home address.
A search of Liles’s home uncovered a computer, laptop, phone and a USB stick. But, perhaps anticipating that he might come under suspicion, Liles had wiped all data from the devices days before.
However, just as Liles had failed to adequately cover his tracks when remotely accessing the board member’s email account, he had also failed to securely wipe his devices – meaning that digital forensic experts were able to recover incriminating data linking Liles to the secondary attack.
For years Liles denied any involvement in the unauthorised access to the emails and the attempt to trick his employer into paying him a substantial amount of money, but this week at Reading Crown Court he did finally decide to plead guilty, five years after the initial incident.
Detective Inspector Rob Bryant from the SEROCU Cyber Crime Unit said:
“I would like to thank the company and their employees for their support and cooperation during this investigation. I hope this sends a clear message to anyone considering committing this type of crime. We have a team of cyber experts who will always carry out a thorough investigation to catch those responsible and ensure they are brought to justice.”
Liles is scheduled to be sentenced at Reading Crown Court on 11 July for unauthorised computer access with criminal intent, and for blackmail of his employer.
Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
Original Post URL: https://www.tripwire.com/state-of-security/rogue-it-security-worker-failed-cover-his-tracks
Category & Tags: Guest blog, Law & order, Malware, Ransomware, insider threat, ransomware