Inside the Million Dollar Plot to Hack Tesla

3 Lessons Learned

According to FBI reports, Russian actors spent the summer of 2020 planning a cyber-attack against Tesla's systems.

Below is a play-by-play of how the plan unfolded, along with 3 lessons we can all learn from Tesla's close brush.

Cybersecurity is not just for the IT department.

When Egor Igorevich Kriuchkov, a 27-year-old Russian national, attempted to penetrate Tesla's systems, he didn't spend years combing through millions of lines of Tesla code or designing a state-of-the-art decryption algorithm. He did something far simpler, much quicker, and vastly more damaging. In fact, Kriuchkov's method didn't require any technical training at all, and could have been executed by just about anyone.

Kriuchkov offered a Tesla engineer $1,000,000 to insert a malware-loaded thumb drive into a computer at the Nevada Gigafactory. That's it. In one fell swoop, the hackers would have had internal access to Tesla's systems, allowing them to exfiltrate corporate and network data. And, if Tesla is like the majority of ransomware victims, this would have led to 10s of millions of dollars in ransom payments and millions (billions?) more in reputational damage.

Insider Threats are among the highest risks facing organizations.

The only reason that the plot was foiled is because the employee that Kriuchkov approached went to the FBI instead of claiming his million-dollar bounty. In other words, the greatest cybersecurity threat facing Tesla was not a technical or infrastructural vulnerability, but rather a purely social variable: could the company trust its own people?

Data shows that Tesla is far from unique in this way. Silent Breach estimates that insider threats are not only more likely than external variants, but also prove far more damaging when successful. Possible solutions? Invest in employee training sessions so that staff are on guard to detect any suspicious internal activity, run periodic Insider Threat penetration tests to assess organizational resilience and gaps, and focus on developing a culture over tools.

Fortunately, the employee in question cooperated with the FBI to obtain more info from Kriuchkov regarding who he was working with and what he was planning. At one point, the informant even wore a wire, helping authorities gather all the evidence they needed to arrest the would-be hacker as he attempted to flee the country.

Most Penetration Tests are unrealistic.

Far too often, we find that our clients limit the scope of penetration testing to the issues that they think they can successfully pass. While there may be a reason for this decision (e.g. there's no point in taking a test you already know that you'll fail), this approach can also breed a sense of complacency and false security. Instead, at Silent Breach, we encourage our clients to build their scope around the most realistic attack vector, rather than the most simplistic.

The Tesla case serves as a perfect example. Having an airtight network wouldn't have amounted to much had the company not created an environment in which employees felt comfortable and willing to come forward with potentially damaging information. Time and again, Silent Breach data suggests that the weakest link of nearly every organization is its people. Using simple, yet effective techniques, Silent Breach ethical hackers have found that a layered attack -- combining phishing, vishing, and even physical USB drive drops -- can critically breach 90% of businesses within one week, all without writing a single line of code. The reality is that it's far easier (and cheaper) to fool people than it is to fool a machine. By leaving this out of our own scope, we ensure that hackers will include it in theirs.

With that in mind, we encourage every organization to think like their attackers, consider their weakest links, and turn that output into the scope of their next security tests, resource allocations, and training sessions. And remember: "That's out of scope," said no attacker ever.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.