Caleb Boma | March 19th, 2021

A Russian-speaking Tesla employee turned down a $1 million offer from a threat actor to install malware on Tesla’s machines at their Nevada factory. The Russian citizen who offered the $1M, Egor Igorevich Kriuchkov, contacted the employee through WhatsApp after doing research on what employee would be able to help him carry out the attack.

Kriuchkov, the employee, and other colleagues went on a trip to Lake Tahoe from August 1-3. An important piece in this story is how Kriuchkov did not want to be seen in any photographs. Kriuchkov then asked the employee if they could speak about some business privately.

The “business” was the million-dollar offer to install malware provided by Kriuchkov on Tesla’s network. The plan was for the employee to install the malware and a simultaneous distributed denial of service (DDoS) would distract the security team. Kriuchkov planned to steal corporate and network data to hold for ransom to pressure Tesla to pay the threat actors.

Luckily, the Tesla employee notified Tesla of the plan, and contacted the FBI. The FBI put a wire on the Tesla employee and listened in to another conversation which provided them with great evidence against Kriuchkov. In the conversation, Kriuchkov bragged about his organization receiving a $4 million payment from a successful ransomware attack on CWT Travel. In the CWT Travel attack, Ragnar Locker was the ransomware deployed.

In further conversation, Kriuchkov agreed to pay an advance of $11,000 dollars to the employee but revoked his offer as he stated the project was being put on hold. He then explained he was leaving the area the next day in attempt to flee the country. The FBI obviously caught wind of his escape from Reno to Los Angeles that night, and he was arrested on August 22, 2020 before he could leave the US.

Tesla remains very fortunate to have trusted employees because others may not have made the same decisions in the face of a million-dollar offer. Insider threats can be damaging, and thanks to this employee, Tesla avoided a potentially catastrophic attack.

Kriuchkov provides an example of the lengths threat groups are willing to go to in order to dismantle organizations. If this attack had been carried out and the Tesla employee agreed to implement the malware, having a trusted security firm monitoring the network would have provided tremendous value. With an endpoint detection and response tool like ShadowSpear® relaying threats to a Security Operations Center like ours, the malware would have been blocked from executing on Tesla’s machines. Our engineers would also respond to the threats and remove the malware and conduct a complete forensic investigation.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have a direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.