Angry US IT Worker Wreaked Havoc At Drugs Firm

A disgruntled US IT administrator deleted multiple virtual hosts at Japanese pharmaceutical firm Shionogi

A former IT professional at the United States subsidiary of Japanese pharmaceutical firm Shionogi has pleaded guilty on to charges of computer intrusion. The former employee, Jason Cornish, faces a maximum of 10 years in prison when he is sentenced in November.

Cornish left the firm in July 2010 after a dispute with a senior manager, but at the suggestion of a colleague, referred to as BN in court documents, continued working for Shionogi as a contractor because of his familiarity with the company’s network.

This is just the latest case that illustrates how enterprises fail to guard the security of corporate networks and data stores after key IT professionals leave the company, especially employees who are unhappy about layoffs.

Virtual Servers Destroyed

During a round of layoffs at Shionogi, “BN” refused to hand over network passwords to company executives and was summarily suspended and ultimately fired in September 2010. BN’s departure meant Cornish’s contract was also terminated, and he was no longer authorised to access Shionogi’s network.

Even so, Cornish allegedly attempted to access Shionogi’s computer systems on over 20 occasions and in January, managed to install VMWare’s VSphere virtualisation management console software without the company’s consent or knowledge.

On February 13, Cornish logged into the network and used the VSphere software to delete the contents of 15 virtual hosts, roughly equivalent to 88 different computer servers, according to the complaint.

The attacks were severe enough to freeze Shionogi’s operations for “a number of days, leaving employees unable to ship products, to cut checks or even communicate via email”, according to court documents. The breach affected Shionogi’s corporate email, BlackBerry servers, order-tracking system and financial management software. The company estimated the damage cost $800,000 (£485,000).

The breach “is a great example of how vulnerable virtualisation infrastructure and the cloud can be”, Eric Chiu, founder and president of HyTrust, a vendor of virtualisation and security products for VMware environments, told eWEEK. Critical systems were virtualised without the proper automated controls in place that could have detected what was happening in time for the company to stop him, Chou said.

Cornish launched his devastating attack off the free public WiFi hotspot at a local McDonald’s in Smyrna, Ga. Authorities were able to trace the attacking IP address back to the McDonald’s and located Cornish, thanks to the $4.96 charge on his Visa credit card just five minutes earlier.

Insider threats are on the rise, whether they come from malicious employees, data leaks such as WikiLeaks or operational mistakes, Chou said. In fact, in a recent NetIQ survey of 200 security executives, 72 percent claimed to have experienced insider data theft at least once in the past two years. Insider attacks could also take more than 45 days to contain, according to HP’s cost of cyber-crime report released earlier this month.

One Bad Apple

People leave jobs all the time and most of them would “never dream” of logging back into their former employers’ network, Graham Cluley, a senior technology consultant at Sophos, wrote on the Naked Security blog. Even so, organisations should make sure defences are in place, passwords changed and former employee access revoked. “It only takes one bad apple to wreak havoc,” Cluley said.

IT staff should also be regularly reviewing the user database to ensure all the users are legitimate and current, Cluley said.

Insider threats are some of the most damaging kinds of cyber-attacks, since organisations tend to focus on outsiders trying to break in, not on monitoring what employees are doing inside the network. Advocates of the zero-trust security model point out that assuming whoever is inside the network is trustworthy is a fallacy.

Earlier this month, Citigroup admitted personal information of about 92,400 customers was illegally obtained and sold to a third party from its credit card unit in Japan. It turned out the unit outsourced a part of its business to another company and an employee of that company had stolen the data.

In July, a 10-year employee of CME Group was accused of stealing trade secrets and proprietary source code used to run trading systems for the Chicago Mercantile Exchange, according to a criminal complaint filed in that case.

In April, a former network engineer at Gucci America was indicted on charges of illegally accessing the company’s servers and deleting documents after he was fired. Gucci estimated $200,000 (£120,000) in lost sales, diminished productivity, and restoration and remediation expenses. The former employee took the USB-token device used to access the corporate VPN network with him when he was fired and used it to continue accessing the network.