Rogue IT security worker failed to cover his tracks


It's bad enough for your company to be held to ransom after a cyber attack.

It's even worse when one of your employees takes advantage of the attack to try to steal the ransom for themselves.

This is the situation in which the gene therapy and cell therapy company Oxford Biomedica found itself.

On February 27, 2018, the Oxford-based company discovered that it had suffered a cyber attack after receiving a ransom demand from a malicious hacker who explained that they had broken into the company’s systems.

The company did the right thing – it notified the police, and it assigned its IT security team to investigate the attack, find out how it happened, and mitigate any damage caused.

Among the internal staff it assigned to the investigation was IT security analyst Ashley Liles.

What Oxford Biomedica, the police and other members of the IT team didn’t know was that Liles was planning to use the cyber attack to his advantage.

Liles accessed the email account of a company board member who had received the initial ransom demand, and boldly changed the content of the email to refer to a Bitcoin wallet under his control rather than the original attacker’s.

In short, if Oxford Biomedica had decided to pay the £300,000 worth of Bitcoin, the ransom would have ended up in Liles’ pocket instead of that of the cybercriminal who initiated the attack.

Furthermore, Liles created an email address that was almost identical to the one used by the original attacker, and sent a series of emails to his employer impersonating the attacker and pressuring them to pay the ransom.

However, Oxford Biomedica was not going to pay the ransom and its staff assisted the police in their investigation – not knowing that one of their number was also trying to defraud the company.

Specialist officers from the South East Regional Organized Crime Unit discovered that someone had remotely accessed the board member’s email account and traced it to Liles’ home address.

A search of Liles’ home turned up a computer, laptop, phone and USB stick. But, perhaps anticipating that he might come under suspicion, Liles had deleted all data from the devices days earlier.

However, just as Liles failed to adequately cover his tracks when he remotely accessed the executive’s email account, he also failed to securely wipe his devices—meaning digital forensics experts were able to recover incriminating data that linked Liles to the secondary attack.

For years Liles denied any involvement in the unauthorized access to the emails and the attempt to trick his employer into paying him a substantial sum of money, but this week at Reading Crown Court he finally decided to plead guilty, five years after the initial event.

Detective Inspector Rob Bryant of SEROCU’s Cyber Crime Unit said:

“I want to thank the company and their employees for their support and cooperation during the investigation. I hope this sends a clear message to anyone who is considering committing this type of crime. We have a team of cyber experts who will always conduct a thorough investigation to catch those responsible and ensure that they are brought to justice.”

Liles is due to be sentenced at Reading Crown Court on July 11 for unauthorized access to a computer with criminal intent, and blackmailing his employer.


Note: The views expressed in this author’s article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
