Case Study: Automotive

How a disgruntled employee ruthlessly tried to harm his former company

At SOCWISE's Summit, our CEO Robert Ehlert and Head of Cyber Forensics & Operation Morgan Alexander spoke about how large a factor humans are in cyberattacks and data theft. In doing so, they opened the eyes of many people on site in Munich and online, and also showed the other side of the coin: the side where attacks start offline, i.e. in real (professional) life, and shift to the digital space. Today we would like to go a step further and show, using a customer we have been serving since the end of 2021, how digital forensics allowed us to prevent millions of dollars' worth of damage and clearly identify the inside perpetrators.

The revenge of an employee

At the end of 2021, QUANTUM cyber lab AG received a call for help from a company employing more than 2,500 people and operating throughout Europe in the automation industry. What had happened? A long-time employee had left the company. Why did this become a problem? The employee had applied internally for a higher position within the company. As usual, several rounds of applications followed, and in the end the company decided against the internal candidate and in favor of an external one. After this decision, the internal candidate submitted his resignation and promptly signed with the competition.

Up to this point, the behavior and the loss of the employee were annoying, but his decision is probably understandable to some, and everything was within the legal framework. That changed on the employee's last day of work. On that day, more than a dozen employees also handed in their resignations, including heads of important departments and projects. The fact that all of them followed their former colleague to the same competitor made the situation more precarious.

As a result, the law firm that represented the company, and still does, called in QUANTUM and asked us to forensically examine the devices of the departing employees: company smartphones and laptops. It quickly became clear that they had agreed among themselves to join the competitor, and that the date of termination had also been clearly communicated. However, the forensic investigation revealed something more worrying. Unauthorized USB sticks had been inserted into many of the devices; the users had logged into the systems, searched specifically for files, and finally dragged them onto the USB sticks. All this happened, mind you, after the company had asked the employees to turn off their devices and return them to the company soon.

Why didn't the system sound the alarm?

The question that now arises is: why did the security program not respond and alert the system administrator? If it had been an attack from the outside, meaning by someone external to the company, the systems would have run comprehensive protocols and would have known how to deal with it. However, neither the system nor the management reckoned with the criminal energy of the former employees, who thus became internal perpetrators, or with the zeal with which they tried to harm their long-standing employer. And the destructive force knew no end: a smartphone that had been reset by the employee revealed further abysses. He had gained access to documents for which he had no clearance. He photographed the documents and sent them, in no uncertain terms, to the competitor that had taken on the departing employee.

A Conclusion.

Among the numerous files stolen were comprehensive construction and model plans of objects already in use and of planned ones, employment contracts, contract details of suppliers, customer data, and an overview of which employee has which clearance. With the help of digital forensics, the perpetrators can be identified, and each of these people can be linked to the data they stole and held accountable for it. The summary and listing were given to the prosecutor and the police. The value of the data is estimated to be in the mid to high millions. Had it fallen into the hands of the other company, it would likely have resulted in the company falling into an existential crisis and possibly having to cease production and business.

Do you have questions about digital forensics, general questions about cyber security, or questions about this article or the products and services of QUANTUM cyber lab AG? Then please do not hesitate to contact us. Our team will be happy to take the time to answer your questions and advise you in detail.

