Why you should always be wary of insider threats: A disgruntled employee at a US industrial firm deleted backups and locked IT admins out of workstations in a failed data extortion attempt


A disgruntled IT worker at a national industrial company in the US has been arrested after he launched an extortion campaign targeting his former employer in 2023.

Daniel Rhyne was a core infrastructure engineer at an unnamed US-based industrial firm, and attempted to extort his company for $750,000 worth of Bitcoin.

According to a press release issued by the US Attorney’s Office for the District of New Jersey, Rhyne gained unauthorized access to the firm’s computer systems by remotely accessing an administrator account.

After gaining access to the corporate environment, Rhyne scheduled a series of tasks aimed at disrupting business operations, including changing administrator passwords and shutting down servers.

Employees at the company received an extortionate email on 25 November 2023, warning the workers that the company’s IT administrators had been locked out or deleted from the corporate network.

The email warned that backups of the organization’s servers had been wiped, threatening that additional servers would be shuttered for each day Rhyne’s ransom demands weren’t met. 

Authorities were able to trace the extortion messages back to an email address controlled by Rhyne, and he was subsequently arrested in Missouri on 27 August 2024.

Rhyne has been charged with one count of extortion, one count of intentional damage to a protected computer, and one count of wire fraud.

Almost half of firms experienced more than five insider threat incidents last year

Rhyne’s case is a good example of the potential damage a disgruntled employee can cause using their existing knowledge of their former employer’s IT environment.

Speaking to ITPro, Damian Garcia, head of GRC consultancy at IT Governance, said the incident should serve as an example of why businesses should implement robust leaver processes to prevent malicious insider attacks.

“What this company has experienced is typical of those that do not have robust leaver processes in place – revoking access to systems when employees leave the organization, especially those that are technically capable, such as system administrators, and who also leave for disciplinary reasons.”

Garcia said that insider threats are a serious danger to organizations, noting they are frequently overlooked in favor of defending against external threats which often receive more publicity.

“The insider threat is a very serious risk to organizations. Historically, companies have tended to overlook this, preferring to focus their efforts on external threat actors (cue the picture of the cyber-criminal wearing a hoodie and with their face obscured). However, companies are now realizing that the insider threat is more of a problem and is something that they need to take seriously,” he explained.

“By the very nature of their employment, we want staff to have access to the systems and the information that they require, to be able to perform the roles that they have been employed to do. It is access to these systems, and the fact that we must implicitly trust employees, that gives rise to the risk that organizations face, especially when those employees go rogue.”

In its report studying insider threats targeting the financial sector, Trustwave found 40% of businesses reported more frequent insider threat attacks compared to previous years, with 45% admitting they have had more than five instances occur in the last year.

Trustwave calculated the average cost of an insider threat incident was $5 million, underscoring the fiscal repercussions these attacks can have. 

Not all insider threats are malicious, however, with negligent employees also posing a risk to their organizations. 

Research from attack surface management specialist Armis showed 67% of UK employees are endangering their businesses by downloading software without consent from their IT department or security teams.

To minimize the exposure businesses have to insider threats, be they malicious or unintentional, Garcia advised businesses conduct staff awareness training to improve their overall security culture.

This includes fostering a supportive office environment in which employees feel they can report any mistakes they may have made, Garcia added.

“The most effective way to tackle internal threats is through staff awareness training – without it, data breaches are inevitable. Creating a security-conscious culture where everyone, not just IT, understands their role in security is crucial. Staff should feel safe reporting honest mistakes, like clicking a phishing link, to ensure quick responses.”

There are also a number of technical measures organizations can implement to mitigate insider threats, according to Garcia, including email filters and monitoring tools.

“Alongside this, technical controls like access management, email filters, and monitoring tools are essential. A layered defense strategy is best, as you can never predict where the next threat will come from, making multiple protections key to keeping your organization safe.”
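The two controls Garcia names, a leaver process that actually revokes access and monitoring that notices when a privileged account starts scheduling tasks, changing admin passwords and deleting backups, can both be expressed as simple checks over an HR feed, a directory snapshot and an audit log. The script below is an added example written for this article, not code from the company involved or from IT Governance; the log line format, the field names (`actor`, `action`, `target`), the leaver feed and the directory snapshot are all constructed for illustration. The burst detector goes slightly beyond the text: it flags any account, leaver or not, that performs several high-impact actions in a short window, which matters because the attacker here used an administrator account rather than his own.

```python
"""Constructed example: leaver-process and monitoring checks for insider threat.

Not part of the original article. The audit log format, account names, HR
leaver feed and directory snapshot below are invented for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Actions the article's case involved (scheduled tasks, admin password changes,
# server shutdowns, deleted backups). The action names are constructed.
HIGH_IMPACT_ACTIONS = {
    "task_scheduled", "admin_password_changed", "server_shutdown", "backup_deleted",
}


@dataclass
class Event:
    ts: datetime
    actor: str
    action: str
    target: str


def parse_event(line: str) -> Event:
    """Parse one constructed audit line: '<ISO ts> actor=<u> action=<a> target=<t>'."""
    ts_str, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return Event(datetime.fromisoformat(ts_str), fields["actor"],
                 fields["action"], fields["target"])


# Constructed audit log. 'infra_admin' is a shared administrator account.
SAMPLE_LOG = [
    "2023-11-20T09:12:00 actor=jdoe action=login target=fileserver01",
    "2023-11-22T23:41:00 actor=infra_admin action=task_scheduled target=dc01",
    "2023-11-22T23:43:00 actor=infra_admin action=admin_password_changed target=dc01",
    "2023-11-23T00:05:00 actor=infra_admin action=backup_deleted target=backup01",
    "2023-11-24T08:00:00 actor=asmith action=task_scheduled target=app01",
]

# Constructed HR leaver feed: account -> moment its access should have been revoked.
LEAVERS = {"infra_admin": datetime(2023, 11, 15, 17, 0)}

# Constructed directory snapshot: account -> still enabled?
DIRECTORY = {"jdoe": True, "infra_admin": True, "asmith": True}


def accounts_not_revoked(directory, leavers):
    """Leaver-process check: accounts tied to departed staff that are still enabled."""
    return sorted(a for a, enabled in directory.items() if enabled and a in leavers)


def flag_leaver_activity(lines, leavers):
    """Monitoring check: any action by a leaver account after its revocation time.

    Returns (severity, event) pairs, high-impact actions first, then by time.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        cutoff = leavers.get(ev.actor)
        if cutoff is not None and ev.ts > cutoff:
            severity = "high" if ev.action in HIGH_IMPACT_ACTIONS else "medium"
            findings.append((severity, ev))
    findings.sort(key=lambda f: (f[0] != "high", f[1].ts))
    return findings


def high_impact_bursts(lines, window=timedelta(hours=1), threshold=3):
    """Flag any actor with >= threshold high-impact actions inside one window.

    Independent of leaver status, so it still fires when a departed employee
    acts through a shared or borrowed administrator account.
    """
    by_actor = {}
    for line in lines:
        ev = parse_event(line)
        if ev.action in HIGH_IMPACT_ACTIONS:
            by_actor.setdefault(ev.actor, []).append(ev.ts)
    flagged = []
    for actor, times in by_actor.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(actor)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("still enabled:", accounts_not_revoked(DIRECTORY, LEAVERS))
    for sev, ev in flag_leaver_activity(SAMPLE_LOG, LEAVERS):
        print(sev, ev.ts.isoformat(), ev.actor, ev.action, ev.target)
    print("burst actors:", high_impact_bursts(SAMPLE_LOG))
```

In practice the leaver feed comes from HR on the day of departure and the directory check runs on a schedule, so a privileged account that survives termination is caught before it is used; the burst detector is the backstop for the case where it is not.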

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.