IT Worker Admits Piggybacking on Hacker's Extortion Attempt
Analyst Altered Ransom Note, Substituting His Own Cryptocurrency Wallet Address
An IT security analyst has confessed to trying to blackmail his employer by piggybacking onto a hacker's attempted extortion.
Ashley Liles, 28, pleaded guilty in England's Reading Crown Court to unauthorized access to a computer and to blackmail, offenses committed in early 2018 while he was employed at publicly traded Oxford Biomedica, a gene and cell therapy company.
Liles admitted that he had attempted to extort his Oxford-based employer by altering ransom notes to substitute a cryptocurrency wallet address that he controlled for the one listed by the attacker. The ransom note demanded a payment in bitcoin worth $370,000, the Oxford Mail reported.
Authorities said Oxford Biomedica was hit by a hack attack on Feb. 27, 2018, after which the attacker demanded the ransom. Liles was part of the incident response team, which police assisted, when he launched "a separate and secondary attack against the company," said England's Southeast Regional Organized Crime Unit, aka SEROCU, in a statement.
"He accessed a board member's private emails over 300 times as well as altering the original blackmail email and changing the payment address provided by the original attacker," SEROCU said. "This was in the hope that if payment was made, it would be made to him rather than the original attacker. Liles also created an almost identical email address to the original attacker and began emailing his employer to pressurize them to pay the money."
"This story is a classic example of Latin phrase 'Quis custodiet ipsos custodes?' which translated literally means 'Who will guard the guards themselves?' or 'Who watches the watchers?'" said Brian Honan, CEO of Dublin-based cybersecurity consultancy BH Consulting. He said credit is due to Oxford Biomedica for detecting the unauthorized activity involving the board member's emails.
Police traced that access to an IP address registered to Liles' home. They raided his house and seized multiple digital devices, which digital forensic investigators found had been wiped. Nevertheless, police said, they recovered data from the devices that "provided direct evidence of his crimes."
Authorities said that for five years, Liles denied committing any crime. Based on employment tribunal records, Oxford Biomedica appeared to fire him in 2018 after the offenses were uncovered. Liles filed an age discrimination complaint, which he later withdrew.
Liles was due to stand trial on May 17, but shortly before his court date pleaded guilty to the two charges. He's due to be sentenced on July 11.
"I hope this sends a clear message to anyone considering committing this type of crime: We have a team of cyber experts who will always carry out a thorough investigation to catch those responsible and ensure they are brought to justice," said Detective Inspector Rob Bryant of SEROCU's Cyber Crime Unit.
Who Watches the Watchers?
To better protect themselves against this type of malicious activity, organizations that respond to a cybersecurity incident should stick to a prepared and well-practiced incident response playbook, maintain rigorous monitoring and logging, and stay alert for signs of further attacks or unexpected activity, Honan advised.
"In the heat of a response to a cyberattack, it can be tempting for an organization to abandon security processes and controls for the sake of expediency," he told Information Security Media Group.
As in this case, attacks might not always be what they seem. Incident response expert Joe Carson, chief security scientist and advisory CISO at consultancy Delinea, detailed one such case involving an apparent ransomware attack against a Ukrainian firm. Upon further review, investigators discovered evidence that the ransomware had been deployed by one or more insiders to try to erase evidence of financial fraud inside the company.
Nor is this case the first time an insider has abused a position of trust in pursuit of personal enrichment.
In the mid-2010s, a U.S. Secret Service agent and a Drug Enforcement Administration agent both pleaded guilty to stealing more than $800,000 in bitcoin while helping to run the U.S. government's investigation into the notorious Silk Road underground narcotics marketplace.