Experts React as Musk Confirms Russian Hack Targeted Tesla Factory

US authorities arrested and charged a Russian national in the US who was recruiting and trying to convince a Tesla employee to install malware at the Tesla factory in Nevada. Tesla CEO Elon Musk also confirmed the plot in a tweet. Cybersecurity experts reacted to the plot.


9 Expert Comments
Matt Walmsley, EMEA Director
InfoSec Expert
September 1, 2020 9:46 am

Ransomware attackers seek internal access to privileged entities associated with accounts, hosts, and services given the unrestricted access they can provide and the ease of replication and propagation. In this case, the recruitment or coercion of a Tesla insider to aid the attempted deployment of malware tools to stage their attack shows the lengths ransomware groups will go to. Ransomware operators have evolved into using “name and shame” tactics whereby the victim’s data is exfiltrated prior to encryption and used to leverage ransomware payments. These bullying tactics are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate. These attackers will attempt to exploit, coerce, and capitalise on organizations’ valuable digital assets.

Attackers will maneuver themselves through a network and make that step from a regular user account, to a privileged account, which can allow them to deploy their tools and identify the data they need in order to finalise their ransomware attack and bribe their victims. Kudos to Tesla and the FBI in identifying and thwarting the reported attack but in most cases, organisations can’t rely on external prior notification or assistance. Therefore, security teams need to be agile as time is their most precious resource in dealing with ransomware attacks and malicious insider behaviors. Early detection and response are key to gaining back control and stopping the attackers in their tracks before they can propagate across the organisation, stealing and denying access to data and services.

Warren Poschman, Senior Solutions Architect
InfoSec Expert
August 31, 2020 9:35 pm

As the threat landscape continues to get nastier by the day, ransomware attacks like the one attempted against Tesla are still at the forefront and on the rise. What’s interesting about the Tesla attempt is that the attackers attempted to co-opt Tesla employees with the promise of a big payout – something that they fortunately turned down. However, in many cases this story has the potential to end differently with systems compromised and data exposed. Organizations need to ensure that the security measures they enact to protect data are still viable even when internal resources are compromised or data is exposed. Data-centric security offers the most benefit by allowing data to be protected and remain secure even if it is shared, stolen, or misused – effectively nullifying both external and internal threats.

Andrea Carcano, Co-founder and CPO
InfoSec Expert
August 31, 2020 9:33 pm

Ransomware attackers are demanding higher ransoms, aimed at larger and more critical organizations, echoing a trend we identified in a recent study of common threats. The proliferation and complexity of ransomware attacks signify the growing need for organizations to take the necessary steps to secure their systems. It is never advisable to pay the ransom, and organizations that give in to the hackers’ demands are only fueling the profitability of the ransomware industry for attackers. As a result, when it comes to ransomware, prevention will always be better than a cure. We applaud Tesla for acting so quickly in this case.

What more can be done? Organizations should deploy artificial intelligence and machine learning tools that can help identify cyber threats in real-time and resolve issues before harm is done. A robust cyber defense strategy is the first line of defense against a ransomware attack.

Katie Nickels, Director of Threat Intelligence
InfoSec Expert
August 31, 2020 9:31 pm

This indictment represents an interesting convergence of external threats and insider threats, which professionals traditionally have thought of separately. In particular, ransomware is generally perceived as an external threat – it’s often delivered through emails or websites. Before this indictment, many organizations likely did not have insider-enabled ransomware in their threat model, but they should now consider this possibility. With traditional ransomware, many defenders are able to stop ransomware before it encrypts data. If an insider has physical access, stopping this kind of attack becomes much more challenging, as defenders are not used to handling.

The indictment contains many details about the tradecraft the Russian national coached the employee on, such as using WhatsApp and airplane mode on their phone. We often would connect this type of tradecraft with fairly advanced adversaries, often those conducting espionage – yet there is no mention of espionage in this indictment.

We have seen recent ransomware attacks by Maze operators in which they have begun to extort victims by threatening to release data if they do not pay the ransom, which is a step up from the traditional ransomware that simply encrypts data. This indictment demonstrates another level of sophistication and challenges for defenders, specifically by raising the possibility that adversaries could leverage insider threats to gain access to and execute malicious software in a target environment. We know traditional ransomware is still effective and we can’t say for sure why some adversaries choose to change tactics, but it is possible that higher ransoms demand higher sophistication to have success.

Another interesting aspect of this indictment is that the adversaries planned to conduct a Distributed Denial of Service (DDoS) attack to distract from the ransomware. DDoS providing cover for espionage or criminal attacks is something analysts have hypothesized about, but there hasn’t been much public evidence of it actually occurring.
