Credit Card Purchase at McDonald's Helped FBI Connect Culprit to Cyber Attack Origin
A disgruntled ex-IT administrator pleaded guilty this week to taking down most of his former employer’s computer infrastructure earlier this year.
Jason Cornish, a former employee of Shionogi, Inc., a U.S. subsidiary of a Japanese pharmaceutical company with operations in New Jersey and Georgia, apparently believed that logging in from the wireless network at a local McDonald's would hide his identity. Minutes before launching the attack, however, he paid for a purchase at that McDonald's with his personal credit card. The FBI was able to tie the card transaction to the timing and location of the attack traffic and connect him to it.
Cornish, 37, of Smyrna, Georgia, pleaded guilty and admitted to executing the attack, which took down 88 virtual servers that housed most of Shionogi's American computer infrastructure, including the company's e-mail and BlackBerry servers, its order tracking system, and its financial management software.
To carry out the attack, Cornish connected to the Internet over the Wi-Fi at a local McDonald's and logged into a vSphere management console that he had secretly set up before leaving the company. That console was, in effect, a second administrative entry point into the virtualization layer that survived his departure, which is why offboarding has to cover the management plane itself and not just the departing employee's accounts. He then deleted the 88 servers one by one, effectively freezing Shionogi's operations for days and leaving the company unable to ship products, cut checks, or access e-mail. The company reportedly sustained roughly $800,000 in losses from the attack, the damage assessment, and the restoration of its IT operations.
Cornish also gained unauthorized access to Shionogi’s network from his home Internet connection using administrative passwords to which he had access as an employee.
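The pattern described above, an administrative login from an address outside the company network followed by a rapid series of virtual machine deletions, is exactly what an automated control on the vCenter event stream should catch. The following is an added example, not code from the article, from Shionogi or from HyTrust. It uses the real vCenter event type names UserLoginSessionEvent and VmRemovedEvent, but the one-line log layout, the corporate address ranges, the burst threshold and every sample event are constructed for this example.

```python
"""Flag two signs of the insider pattern in a vCenter-style event feed:
1. administrative logins and VM removals from outside the corporate network;
2. a burst of VM removals by one user inside a short window.
Event line layout, address ranges and sample events are constructed for
this example; only the event type names match vCenter's own."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: ranges a hypothetical company treats as its internal network.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed: this many removals by one user within WINDOW counts as a burst.
BURST_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample feed. Layout (ours, not vCenter's export format):
#   <ISO timestamp> <event type> user=<name> ip=<source address> vm=<name or ->
SAMPLE_EVENTS = """\
2011-02-03T04:50:12 UserLoginSessionEvent user=jdoe ip=10.1.4.22 vm=-
2011-02-03T05:01:40 VmRemovedEvent user=jdoe ip=10.1.4.22 vm=test-box-01
2011-02-03T05:05:17 UserLoginSessionEvent user=svc_backup ip=203.0.113.45 vm=-
2011-02-03T05:06:02 VmRemovedEvent user=svc_backup ip=203.0.113.45 vm=mail-01
2011-02-03T05:06:31 VmRemovedEvent user=svc_backup ip=203.0.113.45 vm=mail-02
2011-02-03T05:07:05 VmRemovedEvent user=svc_backup ip=203.0.113.45 vm=bes-01
2011-02-03T05:07:44 VmRemovedEvent user=svc_backup ip=203.0.113.45 vm=orders-db-01
2011-02-03T05:08:19 VmRemovedEvent user=svc_backup ip=203.0.113.45 vm=finance-app-01
2011-02-03T05:09:03 VmRemovedEvent user=svc_backup ip=203.0.113.45 vm=finance-db-01
"""


def parse_event(line):
    """Split one constructed event line into a dict with typed fields."""
    ts_str, etype, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "type": etype,
        "user": kv["user"],
        "ip": ip_address(kv["ip"]),
        "vm": None if kv["vm"] == "-" else kv["vm"],
    }


def is_internal(ip):
    return any(ip in net for net in CORPORATE_NETS)


def analyse(text):
    """Return findings: external logins, external removals and removal bursts."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    findings = {"external_logins": [], "external_removals": [], "bursts": []}
    removals_by_user = defaultdict(list)

    for ev in events:
        if ev["type"] == "UserLoginSessionEvent" and not is_internal(ev["ip"]):
            findings["external_logins"].append((ev["user"], str(ev["ip"])))
        if ev["type"] == "VmRemovedEvent":
            removals_by_user[ev["user"]].append(ev)
            if not is_internal(ev["ip"]):
                findings["external_removals"].append((ev["user"], ev["vm"]))

    # Sliding window per user: largest number of removals inside WINDOW.
    for user, evs in removals_by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= BURST_THRESHOLD:
            findings["bursts"].append((user, best))
    return findings


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_EVENTS).items():
        print(kind, items)
```

In the sample feed the internal user's single deletion passes quietly, while the external session trips both checks: every one of its six removals comes from a non-corporate address, and they arrive fast enough to count as a burst. In a real deployment the same logic would read the event stream from vCenter rather than a constructed string, and the alert would be worth pairing with a preventive control such as restricting the management interface to an internal jump host, since detection after the eighty-eighth deletion is of limited comfort.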
"Insider threats are on the rise, whether from malicious or disgruntled employees, data leaks (including WikiLeaks, etc.) or mistakes and other unintentional issues," said Eric Chiu, founder and president of HyTrust. "The breach at Shionogi is a great example of how vulnerable virtualization infrastructure and the cloud can be. Critical systems like e-mail, order tracking, financial and other services were impacted, having been virtualized without the proper controls in place. This was because a disgruntled admin was able to delete the corporate servers with a simple click of a button. Further, he was able to do this remotely while sitting at a booth in McDonald's. The $800K in damages and multiple days of downtime at Shionogi could have been easily and very cost-effectively prevented with the right automated controls in place."
Why was Cornish so disgruntled that he would carry out an attack like this? According to documents filed in the case and statements made in court, in late September 2010, shortly after Cornish had resigned from Shionogi, the company announced layoffs that would affect his close friend and former supervisor.
“HyTrust has seen first-hand and has been discussing these sorts of risks all along. Most significant is that a compromise at the virtualization infrastructure layer is a potential compromise of everything else above it in the stack,” Chiu added. Chiu also notes that organizations like NIST and PCI now recognize this and as a result have placed more emphasis on associated security measures.
Scheduled to be sentenced on November 10, 2011, Cornish faces a maximum potential penalty of 10 years in prison and a $250,000 fine.