SecurityWeek

Ex-IT Administrator Pleads Guilty to Destroying Virtual Servers from a McDonald’s

Credit Card Purchase at McDonald’s Helped FBI Connect Culprit to Cyber Attack Origin

A disgruntled ex-IT administrator pleaded guilty this week to taking down most of his former employer’s computer infrastructure earlier this year.

Thinking he would conceal his attack by logging in from a wireless network at a local McDonald’s, Jason Cornish, a former employee of Shionogi, Inc., a U.S. subsidiary of a Japanese pharmaceutical company with operations in New Jersey and Georgia, made a not-so-bright move: he purchased something at the McDonald’s using his personal credit card just minutes before he conducted the attack. The FBI was able to trace his moves and connect the attack to his fast food purchase.

Cornish, 37, of Smyrna, Georgia, pleaded guilty, admitting he executed the attack that took down 88 virtual servers that housed most of Shionogi’s American computer infrastructure, including the company’s e-mail and Blackberry servers, its order tracking system, and its financial management software.

To conduct the attack, Cornish accessed the Internet via Wi-Fi at a local McDonald’s and logged into a vSphere management console that he had secretly set up before leaving the company. He then deleted 88 company servers one by one, effectively freezing Shionogi’s operations for days and leaving the company unable to ship products, cut checks, or access e-mail. The company reportedly sustained roughly $800,000 in losses connected to the attack, damage assessments, and the restoration of the company’s IT operations.

Cornish also gained unauthorized access to Shionogi’s network from his home Internet connection using administrative passwords to which he had access as an employee.

“Insider threats are on the rise, whether from malicious or disgruntled employees, data leaks (including WikiLeaks, etc.) or mistakes and other unintentional issues,” said Eric Chiu, founder and president of HyTrust. “The breach at Shionogi is a great example of how vulnerable virtualization infrastructure and the cloud can be. Critical systems like e-mail, order tracking, financial and other services were impacted, having been virtualized without the proper controls in place. This is because a disgruntled admin was able to delete the corporate servers with a simple click of a button. Further, he was able to do this remotely while sitting at a booth in McDonald’s. The $800K in damages and multiple days of downtime at Shionogi could have been easily and very cost-effectively prevented with the right automated controls in place.”

Why was Cornish so disgruntled as to conduct an attack like this? According to documents filed in the case and statements made in court, Cornish was an employee at Shionogi, and in late September 2010, shortly after Cornish had resigned from Shionogi, the company announced layoffs that would affect Cornish’s close friend and former supervisor.

“HyTrust has seen first-hand and has been discussing these sorts of risks all along. Most significant is that a compromise at the virtualization infrastructure layer is a potential compromise of everything else above it in the stack,” Chiu added. Chiu also notes that organizations like NIST and PCI now recognize this and as a result have placed more emphasis on associated security measures.

Scheduled to be sentenced on November 10, 2011, Cornish faces a maximum potential penalty of 10 years in prison and a $250,000 fine.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
