The U.S. Federal Bureau of Investigation (FBI) arrested a Russian national last week on charges of conspiring to plant malware in a Nevada company for a ransomware attack. The accused allegedly tried to pay a $1 million bribe to one of the employees for access. While the name of the company was withheld in the court documents, SpaceX founder Elon Musk revealed that it was his other company Tesla that was targeted.
The Russian, Egor Igorevich Kriuchkov, told the unnamed information security (infosec) employee that he worked for a "group" that specialized in such attacks. He added that his group had extorted over $5 million in ransom in previous attacks. Kriuchkov was also working with another hacker who had ties with a "high-level government bank in Russia."
However, the plot was foiled as the Tesla employee informed his company and the FBI, which arrested Kriuchkov while he was trying to escape the country. Musk, on Thursday, tweeted, "Much appreciated. This was a serious attack."
The Plot
Kriuchkov first contacted Tesla's Gigafactory employee on WhatsApp on July 16 through a mutual acquaintance. He then traveled to the U.S. on a tourist visa to meet the employee on a trip to Lake Tahoe. However, during the trip — the employee revealed — Kriuchkov did not want to be photographed, saying he would rather "remember the beauty of the sunset and did not need a photograph." After that, he asked the employee to meet him for some "business."
During the second meeting, the two had a few drinks and then he revealed his plan. Kriuchkov told him that there would be two attacks. In the first, once he installed the malware, his "group" will launch a distributed-denial-of-service (DDoS) attack. While Tesla's information security team would be caught up in that, the malware would also allow them to encrypt data and hold it for ransom.
As per the court documents, Kriuchkov tried to entice him with a $500,000 offer and when the employee refused, the proposal was doubled to around $1 million which would have been paid in cash or Bitcoin. During that chat, the 27-year-old Russian also revealed that his "group" had extorted $4.5 million from CWT Travel earlier in August 2020.
He also agreed to pay him $50,000 upfront. While discussing the plot with Kriuchkov, the employee mentioned as the confidential human source No. 1 (or CHS1), was recording the entire conversation. He also gave CHS1 a burner phone (prepaid cellphone) and asked him to keep it on airplane mode until the money was transferred.
FBI Gets Involved
Following the meeting, the employee informed Tesla's infosec team which got in touch with the FBI. The employee met Kriuchkov again on August 19 but this time, he was coordinating with the FBI wearing a wire. The Russian agreed to pay $11,000 in advance. But on August 21, he informed the Tesla Giga employee that the project was being delayed and the money could only be transferred at a later date.
Meanwhile, the FBI was able to contact Kriuchkov, who then drove from Reno, Nevada to Los Angeles with an intention to fly out of the country. But the FBI apprehended him on August 22. He was presented before a federal court in Los Angeles on Monday, August 25 charging him with one count of "conspiracy to intentionally cause damage to a protected computer." Kriuchkov was sent to detention pending trial.
"The purpose of the conspiracy was to recruit an employee of a company to surreptitiously transmit malware provided by the co-conspirators into the company's computer system, exfiltrate data from the company's network, and threaten to disclose the data online unless the company paid the coconspirators' ransom demand," the prosecutors said in the complaint.
