A Tesla Employee Thwarted an Alleged Ransomware Plot

Elon Musk confirmed Thursday night that a ransomware gang had approached a Gigafactory employee with alleged promises of a big payout. 
A Gigafactory employee sounded the alarm when an alleged Russian ransomware hacker approached him for help. Photograph: Bob Strong/Reuters

Earlier this month, according to a recently unsealed criminal complaint, a 27-year-old Russian man named Egor Igorevich Kriuchkov met an old associate who now worked at Tesla at a bar in Reno. They drank till last call. At some point in the evening, the FBI says, Kriuchkov took the person's phone, put it on top of his own, and placed both devices at arm's length—the universal sign that he was about to say something for their ears only. He then invited the Tesla employee to collaborate with a "group" that carries out "special projects." More specifically, he offered the staffer $500,000 to install malware on his employer's network that would be used to ransom its data for millions of dollars.

Just a few weeks after that Reno meeting, FBI agents arrested Kriuchkov in Los Angeles as, the Department of Justice says, he was trying to flee the country. His recruitment scheme failed, the complaint says, when the employee instead reported Kriuchkov's offer to the company, which in turn alerted the FBI, leading the bureau to surveil Kriuchkov and arrest him not long after.

Given that Tesla's "Gigafactory" manufacturing facility is located just outside of Reno, in Sparks, Nevada, speculation immediately focused on Tesla as the likely target of the attack. On Thursday night, Tesla founder Elon Musk confirmed it, in typical offhand style, on Twitter. "Much appreciated," Musk wrote in response to a report on Tesla news site Teslarati that named Tesla as the attempted ransomware strike's target. "This was a serious attack." Tesla itself did not respond to a request for comment.

Despite the happy ending—all thanks to a Tesla employee willing to turn down a significant alleged bribe—the attempted "insider threat" ransomware attack against such a prominent target shows just how brazen ransomware crews have become, says Brett Callow, a threat analyst with cybersecurity firm Emsisoft. "This is what happens when you hand billions to ransomware groups. If they can’t access a network via their usual methods, they can afford to simply buy their way in. Or try to. Tesla got lucky," Callow says. "The outcome could have been very different."

According to the FBI, Kriuchkov had first met the Tesla staffer in 2016, and got back in touch with him via WhatsApp in July. Over the first two days of August, he drove the staffer to Emerald Pools in Nevada and Lake Tahoe, picking up the tabs and declining to appear in photos, court documents say, possibly attempting to avoid leaving a trail of his travels. The next day, Kriuchkov took his Tesla contact to a Reno bar and made the offer: half a million dollars in cash or bitcoin to install malware on Tesla's network, either from a USB drive or by opening a malicious email attachment. Kriuchkov allegedly explained to the Tesla staffer that the group he worked with would then steal data from Tesla and hold it for ransom, threatening to dump it publicly if the ransom wasn't paid.

Sometime after that first meeting, the Tesla staffer alerted his employer, and the FBI began surveilling and recording the subsequent meetings with Kriuchkov. Throughout August, Kriuchkov allegedly attempted to persuade the Tesla staffer by upping the bribe to $1 million, and by arguing that the malware would be encrypted such that it couldn't be traced to the staffer who installed it. Moreover, to distract Tesla's security staff during the ransomware installation, the gang would carry out a distributed denial of service attack, bombarding Tesla's servers with junk traffic.

In fact, Kriuchkov allegedly claimed that another insider they had used at a different company still hadn't been caught after three and a half years. Prosecutors say Kriuchkov even went so far as to suggest they could frame another employee of the Tesla staffer's choice for the hack—someone he or she wanted to "teach a lesson."

In those conversations, the FBI says Kriuchkov also noted that he and the group he worked with would negotiate the ransom with their victims. For example, they'd demanded $6 million from one firm, Kriuchkov allegedly said, but eventually settled for $4 million; the criminal complaint doesn't reveal who that victim company might have been.

A couple of weeks after that initial contact, Kriuchkov allegedly told the Tesla staffer that the operation targeting Tesla had been put on hold due to the failure of another attempted score in progress. That insider had failed to successfully install the malware, Kriuchkov said, asking the Tesla insider to await further communications before he went ahead with his own malware installation. Kriuchkov then left for Los Angeles—where the FBI arrested him.

The recruitment of insiders that Kriuchkov and his collaborators attempted is a well-known tactic in the intelligence world and, sometimes, in the cybercriminal world. A Dutch mole in Iran's nuclear enrichment facility at Natanz helped plant the NSA's and Israel's Stuxnet malware, for instance. SIM swap schemes designed to take control of victims' phone numbers have also sometimes relied on rogue employees inside phone carrier firms.

But that kind of inside-man trick is rarer among ransomware gangs, says Katie Nickels, the director of intelligence at security firm Red Canary. "This indictment is the first time I've heard about an insider-enabled ransomware attack," she says. But she says that as the scourge of ransomware grows—along with its payoffs—the groups are adopting more ambitious tactics. "It’s part of a larger theme of ransomware adversaries really upping their game."

Nickels adds that despite Tesla's success in thwarting the ransomware crew's insider recruitment, the case should nonetheless serve as a cautionary tale. It may suggest that network defenders need to consider the possibility that not just attackers outside the firewall, but malicious employees within it, could be the origin of an attack. "It really changes the game for the defenders. Before today I would not have suggested companies include an insider attacker installing ransomware in their threat model," she says. "Now everyone has to shift their thinking. If we know about this one case that’s been documented, there might be more."
