Tesla Breach: Malicious Insider Revenge or Whistleblowing?
23.6.18 securityweek Virus
Just before midnight last Sunday evening (June 17, 18), Elon Musk sent an email to all staff. He was dismayed, he said, to learn about a Tesla employee "making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties."
This was a mainstream malicious insider attack -- but there may be more to it than meets the eye. The motive, according to Musk, was revenge: "he wanted a promotion that he did not receive." But this incident goes way beyond simple revenge sabotage, and includes the theft of sensitive data and the export of that data to unknown outside parties.
The incident could have been triggered by revenge and aggravated by bribery; but until and unless those outside parties can be identified for certain, the true cause of the attack will remain speculative.
Musk himself is willing to speculate with insinuation. "As you know," he told employees, "there are a long list of organizations that want Tesla to die. These include Wall Street short-sellers, who have already lost billions of dollars and stand to lose a lot more." He then added oil and gas companies, who "rumor has it... are sometimes not super nice;" and the "big gas/diesel car company competitors [who already cheat on pollution levels, and] maybe they're willing to cheat in other ways?" The only potential risks he excluded were nation-states wishing to give their own nascent industries a technology boost, cyber criminals wishing to ransom Tesla or sell to competitors, and -- dare we say it -- whistleblowing.
Such is the nature of attribution for cybercrimes, it may never be known who -- if anyone outside of the malicious insider himself -- is really behind the incident. Sometimes it is only national intelligence agencies who know who did what on the internet through their much wider access to signals intelligence -- but those same agencies can equally feel that it is not in the national interest to get involved. If it was a foreign nation dabbling in IP theft, the intelligence agencies might go public. If it was a competitor or major national industry, the agencies might take the view that their role is not law enforcement.
In reality, the destination of the stolen data may already be known.
The attack itself seems to be typical insider work, using false usernames. We don't know whether those false usernames were existing accounts, or new accounts created by the attacker. In either case, however, it seems certain that the attacker enjoyed higher system privileges than was necessary.
“This," comments Joseph Carson, chief security scientist at Thycotic, "is a major reminder why privileged access management (PAM) is a must-have for organizations that deal with sensitive information or personal information -- and why least-privilege is a practice being adopted by many organizations."
It's a problem made more difficult, he suggests, because companies try to protect the privileged accounts they know about, which in most cases isn't effective. "Organizations continue to fail at the most important aspect of restricting privileged access, which is proactively discovering privileged accounts in the environment. It appears that Tesla have failed to do that most important step in least-privilege, which is discovering and detecting unapproved privileged access."
Since Musk's original disclosure of the breach by internal email on Sunday, matters have moved forward rapidly. On Wednesday, Tesla filed a complaint against the employee -- named as Martin Tripp -- in the Nevada District Court. This complaint admits that "Tesla has only begun to understand the full scope of Tripp’s illegal activity, but he has thus far admitted to writing software that hacked Tesla’s manufacturing operating system (“MOS”) and to transferring several gigabytes of Tesla data to outside entities."
Within a few months of Tripp joining Tesla, says the complaint, "his managers identified Tripp as having problems with job performance and at times being disruptive and combative with his colleagues. As a result of these and other issues, on or about May 17, 18, Tripp was assigned to a new role. Tripp expressed anger that he was reassigned. Thereafter, Tripp retaliated against Tesla by stealing confidential and trade secret information and disclosing it to third parties, and by making false statements intended to harm the company."
But according to a report published today by the BBC, Tripp "says he’s a whistleblower being smeared for speaking out about standards and safety at the company, and deserves protection." The implication is that Tripp provided the documents used by Business Insider in its June 4 report; 'Internal documents reveal Tesla is blowing through an insane amount of raw material and cash to make Model 3s, and production is still a nightmare'.
The BBC also publishes extracts from a rapid-fire email exchange between Musk and Tripp that took place on Wednesday. At one point, Musk writes, "You should ashamed of yourself for framing other people. You're a horrible human being." This is likely a reference to Tripp's hacking software being found on three other employees' computers. The legal complaint alleges, "His hacking software was operating on three separate computer systems of other individuals at Tesla so that the data would be exported even after he left the company and so that those individuals would be falsely implicated as guilty parties."
Tripp responded, "I NEVER 'framed' anyone else or even insinuated anyone else as being involved in my production of documents of your MILLIONS OF DOLLARS OF WASTE, Safety concerns, lying to investors/the WORLD. Putting cars on the road with safety issues is being a horrible human being!"
Whistleblowing is one optional reason for the data theft not mentioned by Musk in his June 17 email to staff, even though the Business Insider allegation mentions 'internal documents' and was published two weeks earlier. The full truth of what happened in this incident is likely to be exposed in court rather than via computer forensics.
However, in information security terms, an insider stole sensitive documents from Tesla. The motive is not as important as the act. It seems that Tesla does not operate adequate least-privilege measures, and does not have an internal traffic monitoring system capable of detecting and blocking the unsanctioned exfiltration of gigabytes of data. This failure has left Tesla with a PR nightmare that it must now manage.