Blog: DFIR

The Disgruntled Employee?

Andrew Bassi 15 Nov 2019

When we talk about cyber threat actors, one of the terms we use is “Disgruntled Employee”. Everyone knows what that means: someone who is fed up at work, has an axe to grind, feels aggrieved, etc.

There are sometimes other factors though, ones that aren’t as obvious…

The symptoms and effects

I was called on to help deal with a series of unexplained network and service outages, where the client felt that a forensic skills set would be of use. They weren’t wrong.

Our prime suspect was someone with a history of conflict at work. They believed they had been passed over for promotion, and they had no respect for their IT Manager. We assumed that their motive in creating chaos was to discredit the manager and maybe gain some glory by appearing to be able to intermittently “fix” the issue.

The situation was that on the Monday morning a shutdown or reboot of critical services would cause huge downstream problems and force a failover to another Data Centre.

During that time business critical services would halt and fail.

Our suspect, who worked from home, would then arrive at the office and fix the problem.

On the Friday the same thing happened again. No-one in the organisation had a clue as to what was causing the outages. They were diligent and analysed both incidents but just couldn’t pinpoint why.

In their heightened sense of suspicion they started to look at wider factors. Who is in the office? Who is remote? Who is helping? Who is not?

Who is not helping?

Support calls are essential at times like these. Teams need to communicate, be methodical, and also apply creative thought. Our suspect wasn’t on these calls. I needed them to be part of the process, as they were an important part of the team.

It turned out that since the outages started they very rarely got involved with support calls. Once I was told this the penny began to drop. I needed to have them available to me, to try and open them up and maybe exclude them from suspicion.

Before I’d had time to speak with the IT manager about this they were facing another outage, and this time the backup site was starting to fail as well.

Interestingly our suspect finally picked up the phone to me, and guess what? The mysterious problem had just been fixed.

Based on the simple pattern of our suspect’s availability and the magical fixes, I felt I had enough cause to demand that they come to the office for a chat. Of course we made sure that they brought all their work devices with them.

…and there it was, all the evidence we needed. We imaged the kit, matched events with logs and correlated everything to a tee.

Our suspect had been logging in remotely with a generic account and rebooting those critical services, causing the outages, and then arriving to fix things and claim the glory.
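The correlation step described above, as an added example that is not part of the original post: the log formats, host names, the shared account name `svc_ops`, the service names and all IP addresses below are constructed for illustration. The point it demonstrates is that a generic account on its own attributes nothing, so the join has to run on the account *and* the source address, and the service stop/restart has to fall within a short window after the remote login.

```python
"""Correlate remote logins by a shared account with critical-service restarts.

Added example, not code from the original post. Log formats, hosts, the
account name "svc_ops" and the IP addresses are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed sample logs. Format: ISO timestamp, host, key=value fields.
AUTH_LOG = """\
2019-11-04T06:52:10 vpn-gw  login user=svc_ops src=203.0.113.7 result=success
2019-11-04T08:15:02 vpn-gw  login user=jsmith src=198.51.100.3 result=success
2019-11-08T07:03:41 vpn-gw  login user=svc_ops src=203.0.113.7 result=success
2019-11-08T07:40:00 vpn-gw  login user=svc_ops src=203.0.113.7 result=success
2019-11-11T06:58:30 vpn-gw  login user=svc_ops src=192.0.2.44 result=success
"""

SERVICE_LOG = """\
2019-11-04T06:55:31 app-db-01 service=pgsql action=stop by=svc_ops src=203.0.113.7
2019-11-04T07:20:05 app-db-01 service=pgsql action=start by=jsmith src=10.10.5.21
2019-11-08T07:06:12 app-db-01 service=pgsql action=restart by=svc_ops src=203.0.113.7
2019-11-08T07:09:50 app-mq-01 service=rabbitmq action=stop by=svc_ops src=203.0.113.7
2019-11-11T09:30:00 app-db-01 service=pgsql action=restart by=jsmith src=10.10.5.21
"""

SHARED_ACCOUNTS = {"svc_ops"}            # assumption: accounts with no individual owner
CRITICAL_SERVICES = {"pgsql", "rabbitmq"}  # assumption: services whose loss forces failover
DISRUPTIVE_ACTIONS = {"stop", "restart"}
WINDOW = timedelta(minutes=15)           # how soon after a login a disruption is "linked"

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")


@dataclass
class Event:
    ts: datetime
    host: str
    fields: dict = field(default_factory=dict)


def parse(text):
    """Parse 'timestamp host k=v k=v ...' lines into Event objects, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kv = dict(tok.split("=", 1) for tok in m["rest"].split() if "=" in tok)
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"], kv))
    return sorted(events, key=lambda e: e.ts)


def correlate(auth_text=AUTH_LOG, service_text=SERVICE_LOG, window=WINDOW):
    """Return disruptive actions on critical services by a shared account that
    follow, within `window`, a successful remote login by the same account
    from the same source address. Joining on src as well as account is what
    lets a generic login be tied to a specific remote session."""
    logins = [e for e in parse(auth_text) if e.fields.get("result") == "success"]
    matches = []
    for ev in parse(service_text):
        f = ev.fields
        if f.get("service") not in CRITICAL_SERVICES or f.get("action") not in DISRUPTIVE_ACTIONS:
            continue
        if f.get("by") not in SHARED_ACCOUNTS:
            continue
        candidates = [
            lg for lg in logins
            if lg.fields.get("user") == f["by"]
            and lg.fields.get("src") == f.get("src")
            and timedelta(0) <= ev.ts - lg.ts <= window
        ]
        if not candidates:
            continue
        login = max(candidates, key=lambda lg: lg.ts)   # most recent qualifying login
        matches.append({
            "login_ts": login.ts, "event_ts": ev.ts, "host": ev.host,
            "service": f["service"], "action": f["action"],
            "account": f["by"], "src": f["src"],
            "gap_s": int((ev.ts - login.ts).total_seconds()),
        })
    return matches


def by_source(matches):
    """Count linked disruptions per source address: the pivot for the next step
    (VPN session records, device imaging) that turns an address into a person."""
    return Counter(m["src"] for m in matches)


if __name__ == "__main__":
    found = correlate()
    for m in found:
        print(f"{m['event_ts']} {m['host']} {m['service']} {m['action']} by {m['account']} "
              f"from {m['src']}, {m['gap_s']}s after login at {m['login_ts']}")
    print("disruptions per source:", dict(by_source(found)))
```

On the constructed data this links three of the five service events (two on the Monday/Friday pattern from the same address) and leaves the legitimate restarts by a named admin untouched; the Monday-week login from a second address with no following disruption is left unlinked rather than guessed at. The per-source count is what you would carry into the VPN session records and the imaged devices to move from "the shared account did it" to "this person did it".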

But why?

It transpired that our suspect had accrued a lot of personal debt, and by “a lot” I mean eye-watering amounts.

Now that on its own isn’t something we’d normally tie to an investigation like this. After all, their behaviour had all the hallmarks of a typical disgruntled employee trying to discredit the boss they didn’t like.

Further conversations revealed a far more interesting truth. Their plan was to create so many outages that the business would be unable to process data effectively. Once this became public knowledge they thought it would cause its stock price to drop. They then planned to pay off their debts by spread betting against the stock.

We knew they had the means, my investigation showed that they had the opportunity, but as for the motive, wow!