How an internet search history caught a former employee in the midst of a cyber-attack

We often talk about the cyber security risk that both current and former employees pose if procedures and policies are not properly followed. An example of this has been shared with us by our colleagues in the Regional Organised Crime Unit at West Midlands Police.


So, what happened?

The company involved is a large international company based here in the West Midlands. Because the company is international, its IT setup involved multiple servers in several locations, both in the UK and abroad.


The first incident occurred in January 2020, when monitoring software detected that data had been deleted from some servers. The company began an investigation and found that the amount of data lost was relatively small; whilst this was an inconvenience, no real damage was caused.


However, only 8 weeks later, the second and most devastating incident occurred when the company's IT director received a message on his mobile stating that his company's data had been stolen and that the attackers had control of the company's network and of all their phones.


Upon receiving this message, he called his employees in the office and found that this was indeed the case. Several systems had ceased to function, and mobile phones were also not operating properly.


As the day went on, they discovered the full extent of the attack, with 60 to 80% of the company's UK operations no longer able to function. It was at this point that the company raised the alarm and contacted the police, and the Regional Cybercrime Unit (ROCU) was called in to assist.


But they had backups, right?

As you can imagine, the company wished to rebuild their network as it was before the attack occurred. At first this seemed an easy task, as they could rebuild it from an earlier backup, or so they thought.


Unfortunately for the company, they had no working backup. The backups had been connected to the main network at the time of the attack, and the attacker had deleted those as well.


The company's next step was to contact members of their IT team to see if, on the off chance, anybody had retained a backup. However, they were struggling, because company policy mandated that people should not keep such data on personal devices.

As time went on, the ROCU investigation team identified that the attacker had gotten into the network through a piece of remote access software, which allows a user to connect into a network and act as if they were sitting at a terminal within an office location.


Once the team had established which system was being used, they were able to record the IP address of whoever was dialling in, and this came back to a town somewhere in the north of the country.


You can have your data back if you pay

Whilst the investigation was gaining pace, the company also got in touch with former employees to see if they had kept a backup. As the calls were taking place, one of the former employees told the company that they did indeed have a copy that they would provide, but only if they were paid for it.


Recognising that this was strange, the company passed this information to the police, and on further investigation it was revealed that this former member of staff also happened to live in the same area as the attacker who had dialled into the network.


Due to this, the police were granted a search warrant for the suspect's home address. This was carried out a short time later, and whilst many items of evidence were recovered, the most interesting was a laptop that was wrapped in a towel and hidden in the suspect's airing cupboard. Not the place most people would keep their laptops!


This laptop proved to be crucial to the case, and when officers looked into the suspect's search history, the following search terms were discovered:

  • ‘How to damage a computer without evidence’

  • ‘Disgruntled employee revenge’

  • ‘How to delete search history on Google’


Once the suspect had been arrested, he was interviewed by officers. During the interview the suspect denied having any involvement in the attack. However, after being shown the overwhelming evidence, he later confessed.


After pleading guilty at court, the defendant received a 15-month suspended sentence and a £20,000 fine.


So, how can my business learn from this?

There were many learning points for this company following the incident. One positive finding, however, was that employees had followed procedure and had not stored their own copies of corporate data.


Whilst the company did have backups, unfortunately these were wiped out because the backups were connected to the main network. The correct process would have been to store the backups separately from the main network, so that they would not be affected by an attack on it.


This example also serves as a good reminder to ensure that you have exit policies in place for when employees leave your company. Such a policy allows you to remove any access the employee may have had to systems and to shut down any points of entry they had into your company's software, systems, and technologies.


The final thing we would encourage businesses to do is to become a FREE member of the WMCRC. With this membership, you will receive regular tips and guidance on how to firm up your business's cyber security. We have already produced checklists for you to follow to help you develop best practices, short and easy-to-follow videos that highlight how to spot the signs of a phishing attack, and many other resources.


Receive your digestible welcome pack when you sign up, and start protecting your business today.
