Insider Sentenced for Sabotaging PPE Shipments
Prosecutors: Actions Disrupted Deliveries of Critical Supplies During Pandemic
A former vice president of a personal protective equipment packaging firm has been sentenced to prison and ordered to pay restitution for sabotaging the company’s electronic shipping records during the COVID-19 pandemic - causing delays in deliveries - after he was terminated from his job.
The U.S. Department of Justice says Christopher Dobbins was sentenced to one year in prison and must pay $221,000 in restitution after pleading guilty in July to a charge of reckless damage to a protected computer. Prosecutors say Dobbins deleted and modified his former employer’s electronic shipping and other business records.
Dobbins’ actions “caused delays in the delivery of desperately needed equipment in the midst of a worldwide pandemic,” says U.S. Attorney Byung J. ‘BJay’ Pak.
“During the height of a worldwide pandemic, this defendant disrupted the distribution of critical medical supplies to health care workers on the front lines of the battle,” says Chris Hacker, special agent in charge of FBI Atlanta, in the statement. “This swift and efficient result sends a message that anyone who puts the lives of American citizens at risk will be pursued and punished for their egregious behavior.”
Former Stradis Healthcare VP
Although the Justice Department does not name Dobbins’ former employer, Atlanta-based Stradis Healthcare in April issued a statement about the Dobbins case after he was arrested and charged (see: Prosecutors: Insider 'Sabotaged' Medical Equipment Shipments).
Dobbins’ LinkedIn profile - which has since been deleted - indicated he was vice president of finance at Stradis Healthcare from July 2016 to March 2020.
The company did not immediately respond to an Information Security Media Group request for comment on the sentencing.
In its April statement about the case, Stradis said its former employee’s action “had impaired the computer-assisting process of shipping out medical items but the company had quickly begun to circumvent the problem as they discovered it.”
Court papers in the case indicated that the hacking incident disrupted PPE shipments for 24 to 72 hours, causing more than $200,000 in damages.
Used a Fake Account
While employed at the company, Dobbins had administrative access to the computer systems containing the firm’s shipping information, prosecutors say.
When his employment was terminated, Dobbins lost his access to the company’s computer systems, according to the Justice Department. But on March 29 - three days after Dobbins received his final paycheck - prosecutors say he used a fake user account that he had created while still employed at the company to log into the firm’s computer systems.
“He then conducted a computer intrusion that disrupted and delayed the medical device packaging company’s shipments of PPEs,” the Justice Department says.
“While logged in through the fake user account, Dobbins created a second fake user account and then used that second account to edit approximately 115,581 records and delete approximately 2,371 records,” prosecutors say.
“After taking these actions, Dobbins deactivated both fake user accounts and logged out of the system. The edits and deletions to the company’s records disrupted the company’s shipping processes, causing delays in the delivery of much-needed PPEs to healthcare providers.”
Another Insider Case
Federal prosecutors also recently announced a guilty plea in another insider threat case involving a former employee of Cisco charged with intentionally accessing a protected computer without authorization and recklessly causing damage (see: Ex-Cisco Engineer Pleads Guilty in Insider Threat Case).
Sudhish Kasaba Ramesh, a former Cisco engineer, pleaded guilty to causing damages to his former employer by deleting hundreds of virtual machines, which disrupted nearly 16,000 WebEx customer accounts for weeks in 2018.
While no customer data was damaged or compromised during the incident, prosecutors estimate that Ramesh caused about $1.4 million worth of damage to Cisco's internal systems and other expenses, including the time employees needed to restore the WebEx accounts and virtual machines. In addition, the networking giant was forced to refund $1 million to customers whose accounts had been affected.
Organizations must take critical steps to help prevent a former employee from accessing company computers using fake user accounts created before the individual’s job termination, as in the Stradis Healthcare case, says retired FBI agent Jason G. Weiss, an attorney at the law firm Faegre Drinker Biddle & Reath LLP.
Companies must audit and log user account access, especially for those with privileged access, he stresses.
“They need to audit all user accounts from time to time to make sure that every account is properly accounted for and each account relates to a current and active employee,” he says. “All accounts that cannot be accounted for must be immediately disabled and taken offline.”
Too many companies focus their IT defensive resources on preventing outsiders from breaching their network “and fail to see that an overwhelming number of cyberattacks either happen directly from an insider or with the help of an insider at a company,” Weiss adds.
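The two controls Weiss describes, reconciling every application account against the HR roster and auditing privileged activity, map directly onto the pattern in the Stradis case: an account created by an insider while still employed, used after termination to create a second account, followed by a burst of edits and deletions. The script below is an added illustration written for this article, not tooling from Stradis Healthcare, the Justice Department or Weiss. It assumes three inputs an organization can usually export (an HR roster with termination dates, the application's user list with a created-by field, and an audit log of logins, account creations and record changes); the usernames, source address, thresholds and log lines are all constructed, and the edit and delete counts are deliberately far smaller than the figures in the indictment.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed HR roster: username -> termination date (None means still active).
HR_ROSTER = {
    "jsmith": None,
    "cdobbins_vp": date(2020, 3, 26),
}

# Constructed application account export: username -> (created_by, is_admin).
# The two "svc_ship" accounts have no HR owner at all.
ACCOUNTS = {
    "jsmith": ("hr_provisioning", False),
    "cdobbins_vp": ("hr_provisioning", True),
    "svc_ship01": ("cdobbins_vp", True),
    "svc_ship02": ("svc_ship01", True),
}

# Assumed bulk-change thresholds; tune them to the system's normal daily volume.
EDIT_THRESHOLD = 1000
DELETE_THRESHOLD = 100
PROVISIONING_ACTORS = frozenset({"hr_provisioning"})


def has_active_owner(username, roster, as_of):
    """True only if the account maps to an employee still active on as_of."""
    if username not in roster:
        return False
    terminated = roster[username]
    return terminated is None or terminated > as_of


def orphaned_accounts(accounts, roster, as_of):
    """Accounts with no active HR owner (unmapped, or owner terminated).
    These are the accounts that should be disabled and taken offline."""
    return sorted(u for u in accounts if not has_active_owner(u, roster, as_of))


def suspicious_creators(accounts, roster, as_of):
    """Accounts created outside the provisioning process by an actor that
    itself has no active owner, e.g. an admin who has since been terminated."""
    return sorted(
        (user, creator)
        for user, (creator, _admin) in accounts.items()
        if creator not in PROVISIONING_ACTORS
        and not has_active_owner(creator, roster, as_of)
    )


def parse_audit_log(text):
    """Constructed line format: 'ISO-timestamp|actor|action|detail'."""
    events = []
    for line in text.strip().splitlines():
        ts, actor, action, detail = line.split("|", 3)
        events.append((date.fromisoformat(ts[:10]), actor, action, detail))
    return events


def scan_audit_log(events, roster):
    """Flag logins and account creations by actors with no active owner on
    that day, plus any actor whose edits or deletes exceed the thresholds."""
    findings = []
    changes = defaultdict(Counter)
    for day, actor, action, detail in events:
        unowned = not has_active_owner(actor, roster, day)
        if action in ("LOGIN", "CREATE_USER") and unowned:
            findings.append(f"{day} {action} {detail} by account with no active owner: {actor}")
        elif action in ("EDIT_RECORD", "DELETE_RECORD"):
            changes[actor][action] += 1
    for actor, c in changes.items():
        if c["EDIT_RECORD"] >= EDIT_THRESHOLD or c["DELETE_RECORD"] >= DELETE_THRESHOLD:
            findings.append(
                f"bulk change by {actor}: {c['EDIT_RECORD']} edits, {c['DELETE_RECORD']} deletes"
            )
    return findings


def constructed_log():
    """Constructed audit log following the sequence described in the case."""
    lines = [
        "2020-03-20T10:02:11|cdobbins_vp|CREATE_USER|svc_ship01",  # while still employed
        "2020-03-29T22:14:03|svc_ship01|LOGIN|src=203.0.113.10",    # after termination
        "2020-03-29T22:15:40|svc_ship01|CREATE_USER|svc_ship02",
        "2020-03-29T22:16:02|svc_ship02|LOGIN|src=203.0.113.10",
    ]
    lines += [f"2020-03-29T22:{17 + i // 60:02d}:{i % 60:02d}|svc_ship02|EDIT_RECORD|shipment={1000 + i}"
              for i in range(1200)]
    lines += [f"2020-03-29T23:{i // 60:02d}:{i % 60:02d}|svc_ship02|DELETE_RECORD|shipment={5000 + i}"
              for i in range(150)]
    lines.append("2020-03-30T09:00:00|jsmith|EDIT_RECORD|shipment=42")  # normal activity
    return "\n".join(lines)


if __name__ == "__main__":
    as_of = date(2020, 3, 29)
    print("Accounts with no active owner:", orphaned_accounts(ACCOUNTS, HR_ROSTER, as_of))
    print("Created by unowned actors:", suspicious_creators(ACCOUNTS, HR_ROSTER, as_of))
    for f in scan_audit_log(parse_audit_log(constructed_log()), HR_ROSTER):
        print("ALERT:", f)
```

Note that the creation of the first fake account on March 20 produces no alert at the time, because its creator was still an active administrator; it is the periodic reconciliation against the HR roster, run after the termination, that surfaces both accounts as unowned and flags their creation chain. That is the practical reason Weiss's advice pairs periodic account audits with logging, rather than relying on either alone.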
Other Insider Threats
Organizations must also be aware of other types of insider threats, Weiss warns. For example, rogue employees can introduce malware or other types of backdoors into a company network for later use.
“During my time in the FBI, we had a case where an employee who thought he might be fired installed a ‘logic bomb’ into the company’s payroll system so if his Social Security number did not come up during the payroll process, he would release a potent form of malware to wipe out the company’s payroll system,” Weiss says. “So long as his Social Security number was read by the payroll system, the logic bomb was dormant.”
Weiss advises organizations to “have a system in place that prevents most employees from accessing parts of the network they don’t need, greatly limit administrative access to a select few, conduct random audits and - the most important rule of all - ‘trust but verify.’”