It's every company's nightmare: a mysterious stranger approached an employee of Tesla's Gigafactory in Nevada, and offered him 1 million dollars to do a very simple job - insert a malware-laden USB flash drive into a computer in the company, and keep it running for 8 hours.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

The Tesla Hack

Picture the largest building you’ve ever seen. Not a narrow skyscraper with a confined base, but a massive factory that stretches over many-many acres of land. Then picture an even larger building. In fact, the largest one possible with our current technology. When it’ll be fully built, this will be the biggest building in the world..

It’s Tesla’s Gigafactory in Nevada: The beating heart of the motor company’s ever-growing empire. Millions of lithium-ion batteries are to be produced there annually, once the building becomes fully operational. It’s already one of the largest and busiest factories in the world. A monument of grandeur.

But our protagonist knows nothing of grandeur. He is a Russian-speaking immigrant that came to the United States looking for work. Not yet a citizen, he found modest employment at Tesla’s Gigafactory. This man is not a superstar engineer or a charismatic manager: just a small-time worker whose English is heavily burdened by accent.

We’ll call him Greg, since his name is highly classified by court orders. Millions of dollars, a sprawling FBI investigation and a dangerous criminal gang – all got entangled in the fate of this mediocre man. Greg’s ordinary life proved to be anything but ordinary.

It all started with a mysterious stranger, called Egor Kriuchkov. Greg met Egor socially a couple of years prior – but they truly connected only after meeting again in the U.S in July 2020. Their Russian origins and shared language helped the relationship flourish, but Greg found something else in this stranger: the 27-year-old Kriuchkov lived out everybody’s dream.

He was always relaxed and charming and never seemed to be troubled by work stuff. In fact, for all that Greg knew, Kriuchkov didn’t even seem to have a job. While Greg toiled at the Gigafactory, Kriuchkov spent his days dining in fine restaurants and gambling away his money. This might have been the spark that drew Greg’s attention.

Together with other Russian-speaking friends, Greg and Kriuchkov took a trip to Lake Tahoe – a large lake in the Sierra Nevada mountain range – in the summer of 2020. Kriuchkov drove the group, and they toured the area, had dinner at a fine restaurant – and all agreed they had a great time together.

But Greg couldn’t help but notice several oddities about Mr. Kriuchkov. The man drove a rented Toyota Corolla, still bearing the distinctive scent of the Hertz rent-a-car company. According to Kriuchkov, he lived in a rented room at a Western Village luxury hotel.

Kriuchkov also insisted on paying for each and every one of the group’s expenses. Nobody likes to turn down a free meal, but still – Greg had to ask how could Kriuchkov afford all these expenses. Kriuchkov claimed that he won a large amount of money gambling.

The most unusual thing happened at sunset. The group walked the lake shore and watched the majestic sun slowly setting down into the water. As the sun’s brushstroke sent a thousand different crimson shades across the lake, the group decided to take a picture together.

But Kriuchkov vehemently insisted he couldn’t be photographed. The group members tried to persuade him. “Why are you making such a big deal out of it?”, they asked. “It’s just a picture”.

He responded with a cryptic answer. “I don’t need a photograph”, said Kriuchkov. “I would rather just remember the beauty of the sunset”.

As the group took the picture without him, Greg knew without a doubt that there were too many odd things about his new friend.

A Million Dollar Deal

Less than a month after this trip to lake Tahoe, Kriuchkov invited Greg on a night out. Just the two of them. They both dressed elegantly, went out to a fine restaurant in Reno, Nevada – and then proceeded to a nearby bar.

There are many stereotypes about Russians – but the fabled Russian drinking habit is no myth… Greg and Kriuchkov were far away from their motherland – but they didn’t forget how to drink. The two drank heavily – perhaps even drawing some judgmental looks from the bar’s patrons and staff. Needless to say, Kriuchkov paid for everything.

Leaning across the table, Kriuchkov stopped gulping Vodka for a moment. He asked for Greg’s phone – and placed it at arm’s length away from the two. Kriuchkov finally revealed the truth: the only reason he travelled to the United States was to meet Greg.

Kriuchkov told Greg that he worked for a group of people that specializes in “special projects”. This group, claimed Kriuchkov, pays employees of large companies in exchange for them introducing malware to the companies’ computers.

Greg was shocked – but there was more. Kriuchkov looked deep into the Tesla employee’s eyes – and asked him to help the group infiltrate the Gigafactory’s computer system. His reward, Kriuchkov promised, would be 500,000 dollars. Cash, bitcoin – you name it. All Greg had to do was insert a USB flash drive into a specific computer at the factory.

It was a difficult dilemma for a guy like Greg. 500,000 dollars is a lot of money for a man like him. Greg thought about it for a moment – and then gave his laconic answer: “I’m going to need more money”.

They discussed the issue over a couple of meetings, and that’s how they settled on the price tag: one million dollars, in exchange for Greg betraying his employer and helping Kriuchkov’s gang infiltrate Tesla’s computer systems.

Turncoats and Pawns

The Gregs of this world keep many companies and defence agencies awake at night. They are what cyber security experts call “insider threats”. Rather than hacking their targets remotely, many cyber gangs prefer to use such fifth columns: employees or other insiders that are willing to betray their employers.

Many do it for money – similar to the offer Kriuchkov made to Greg. Others hold a grudge against their employers – and sometimes even launch these vengeance missions without being instigated.

This Turncoat figure – the person who will knowingly act against their organization – can wreak havoc upon an entire corporation. One simple malware, one greedy or grudging employee – and even a business empire could be handed in chains to its adversaries. According to statistics gathered by Verizon, 34 percent of all data breaches in 2019 were the result of insider threats. 

The power of these threats derives from the fact that most monitoring software is bad at stopping insider threats, and corporations have very limited tools when it comes to surveilling their employees – as they should, of course. In many cases, employees are used without their knowledge to carry out ransomware attacks. This different type – the Pawn – is also a danger that must be acknowledged.

Between Turncloacks and Pawns, many organizations fall victim to paranoia, constant suspicion and finger pointing. It’s hard to operate in a fearful atmosphere such as this one, but as the curious case of Greg and Kriuchkov proves: just because you’re being paranoid doesn’t mean they aren’t after you.

A Brilliant Plan

Let’s take one step back and examine the details of Kriuchkov’s plot – as they were laid out to Greg during several fateful meetings. This “special project” – as Kriuchkov phrased it – would begin with Greg connecting an ostensibly simple USB stick to a specific computer at Tesla’s Gigafactory.

Then, Greg would have to keep this computer running for six to eight hours – in order to buy time for the malware to kick in. At the same time, Kriuchkov’s gang would kick off a DDoS attack against the Gigafactory: a concentrated effort to flood the factory’s computers and disrupt their activity.

This DDoS attack would only serve as a means of deception. This is actually a cloaked attack, where the DDoS ruse keeps Tesla’s security busy – while also hiding the true nature of the attack. Any damage to Tesla’s computers would be attributed to the DDoS attack – so no suspicion would fall on Greg and the USB stick. They were going to get in and out without anyone knowing. 

You’re probably wondering what was Kriuchkov’s game. Was he working for a different auto manufacturer, trying to steal Tesla’s intellectual property? Was he a Russian agent? 

None of the above. According to what he told Greg, Kriuchkov and his gang were only common thieves. Their elaborate plot was a form of ransomware: they wanted to steal Tesla’s secrets, extensive corporate and network data. Then they’d blackmail the company and demand money. If Tesla didn’t pay up – Kriuchkov’s people were to publish all the company’s secrets online. Tesla’s choice would be between a hush payment and a mixed cocktail of data leak and PR calamity. To paraphrase Hans Gruber – Alan Rickman’s “Die Hard” villain: “they were not common thieves. They were EXCEPTIONAL thieves”.

One must admit that we’re looking at a brilliant plan: all this deception and planning should work perfectly – and according to Kriuchkov, DID work perfectly in past instances. But the true power of this plot does not lie in its elaborate planning – but in the defencelessness of the modern cyber industry against the innocent-looking USB flash drive.

More Dangerous Than They Seem

USB sticks are more dangerous than they seem. Back in 2016, a team of Google developers and University of Illinois researchers planted some 300 USB flash drives in various points across the university’s campus. 45 percent of these flash drives were actually picked up by the campus goers – who opened them on their personal computers. We’re talking about students and professors at a respected academic institution – who bought the simplest bait possible.

Connecting a flash drive to a USB port practically bypasses all of the network defences – from monitoring software to carefully planned air-gaps – and gets the malware right into the targeted computers. Moreover, Windows has an AutoRun feature that can allow malware to run automatically, without explicit user authorization. This feature can be readily abused, especially on outdated Windows versions. 

And we’re not only talking about flash drives: a USB keyboard or mouse carry these malwares. In fact, there’s a nifty little gizmo anyone can buy online for 49$ called USB Rubber Ducky. It looks like a perfectly innocent flash drive – but once connected to a USB port, it identifies itself to the operating system as a USB keyboard, and immediately starts injecting  pre-determined keyboard strokes, allowing it to get a reverse shell in roughly 3 seconds – steal files, phone home to a remote server and what not. If that’s possible with a simple, off the shelf product – imagine the possibilities of a malicious USB stick developed by top-tier hacker gangs or state actors.

Many companies, especially ones in the industrial and military sectors, employ decontamination stations. These are special computers that are not connected to the company’s network. Any USB stick or hardware product must be first taken to a decontamination station, where the IT team inspects it to find hidden malwares. Only after this decontamination process, an employee can connect a USB stick, keyboard or mouse to the company network.

In fact, some organizations don’t even trust their own employees – and get rid of all USB ports on all computers. This can be done by stuffing in small plastic jigs – or by burning the USB ports using special equipment.

The sheer power that one, little USB can have–that’s why Kriuchkov worked so hard to buy Greg’s favour. All these restaurants and flattery – and of course the hefty bribe – from Kriuchkov’s perspective, they’re worth it, as long as Greg inserts that little USB stick into the Gigafactory computers

But would it really work? That one person, one act alone, could take down a company as big as Tesla? Clearly Kriuchkov believed so, and he had good reason: this wasn’t the first time he’d tried it. He boasted to Greg that he and his team recently received a ransome of more than 4 million dollars from a high-profile company. Some news reports claimed that this company was CWT, a travel management company based in Minneapolis which provides services to about a third of all Fortune 500 companies. CWT reportedly paid the hackers 4.5 million dollars. 

Vikings and Virtual Machines

Several details that were published online about the CWT hack can help us better understand the technical aspects of this gang’s modus operandi – and the means they were going to use to attack Tesla’s Gigafactory.

For the CWT hack, Kriuchkov’s team used the Ragnar Locker ransomware. It’s a ransomware named after an infamous Viking warrior that was first observed in late 2019. 

Ragnar Locker is a sophisticated weapon: it targets computers running Microsoft Windows – and uses an interesting trick to avoid detection: a virtual machine. It launches an outdated version of Oracle’s VirtualBox hypervisor running Windows XP – and then runs the malware inside it. 

Why a virtual machine? Well, a virtual machine has many different files and devices – but from the host computer’s perspective, all these different files are just one large file containing the guest operating system and all the data stored in it.  This means that antivirus software running on the host computer has no visibility into the virtual machine and the malware running in it. You could say that the virtual machine is a smoke screen that keeps the ransomware invisible. One security analyst at Sophos likened a virtual machine to a ghost that is able to interact with the physical world. That way, the ransomware is beyond the reach of all cyber defence mechanisms.

The Hunt Begins

Back to the fateful meeting between Greg and Kriuchkov. In the summer of 2020, the two conspired to execute their plan. In one of their meetings, Kriuchkov provided Greg with a burner phone. He told Greg to leave the phone on airplane mode until he’ll get a text from a WhatsApp contact named “Kisa”. This mysterious Kisa person was to instruct Greg about his end of the plot.

When Greg wanted to know more about the technical aspects of the attack – Kriuchkov didn’t have all the details, which made Greg realize that Kriuchkov was probably just a pawn, like himself. However, Greg only ever talked with Kriuchkov: he never met any other member of the gang. 

But Kriuchkov wasn’t the only one who was not what he seemed to be.  Unbeknownst to Kriuchkov, his ‘friend’ and co-conspirator was in liege with the Feds. Greg only agreed to Kriuchkov’s offer after reporting it to his superiors in Tesla, who in turn called in the FBI. He knowingly lured Kriuchkov into revealing more information about the plot – and probably incriminating other conspirators.

August 19, 2020. Kriuchkov and Greg met once again, and were about to talk about the payment for the yet-to-transpire-hack – until Kriuchkov mentioned the FBI. He told Greg that the bureau approached him and summoned him for questioning. 

Greg was wearing a wire. The agents on the other end of the wire probably feared for his life for a couple of moments – but Kriuchkov didn’t know a thing. Even if he did, he was far from a criminal mastermind. He probably didn’t have the viciousness required to hurt Greg.

Two days later, Kriuchkov called Greg and told him that the gang was halting the “special project” and freezing all payments. Kriuchkov also told Greg that he will leave the following day. This was his way of saying goodbye.

Why did he bother to call? Perhaps he wanted to preserve his ties to Greg, in case the Feds ever got off his tail and the plot could be resumed. Maybe he wanted Greg to keep a low profile – to prevent the Gigafactory employee from incriminating him. And maybe, just maybe, Kriuchkov wanted to bid his friend farewell. Maybe he started to like the man he was sent to corrupt.

The Russian criminal then attempted a daring escape from the United States, driving overnight from Nevada to LA. Unfortunately for him, Greg informed the FBI of Kriuchkov’s escape – and they monitored his movements all along.  Kriuchkov was promptly apprehended. 

A week later, on August 27, the details of this attempted hack were publicized – and Tesla’s founder and CEO, Elon Musk, confirmed on twitter that Tesla was the company targeted. “Much appreciated”, he said – referring to Greg’s involvement – and added: “This was a serious attack”.

The U.S. Department of Justice then reported the arrest of Egor Igorevich Kriuchkov. He was sentenced to a 10-month imprisonment – which amounted to time already served – as part of a plea deal with the prosecution. In court, Kriuchkov apologized. “I’m sorry for my decision. I regret it”, he said. “I understand it was a bad decision”.

Kriuchkov was also sentenced to deportation from the United States back to Russia. Other members of his gang were identified by the authorities – but presumably were not on U.S. soil and couldn’t be charged. Their names were never published. FBI files that were made public show that some conspirators were considered to be unknown even by U.S. authorities.

Oddly enough, Kriuchkov also said in court that he knew the Russian government was aware of his case. The FBI never claimed this was the Kremlin’s work, but we cannot dismiss the possibility that this gang had more to gain. Russia is known to be constantly engaging in cyberwarfare and intellectual property theft – and Tesla’s technologies are definitely of interest to the Kremlin.

Fighting Ghosts

So how can we prevent these insider attacks – before they manifest? First of all, it’s important to monitor unusual activity. Whether it is higher-than-normal volumes of traffic, activity at weird hours or attempts to access data unrelated to an employee’s job. These are all cautionary signs that must be investigated quickly.

Another way of targeting these insider threats is establishing a red team to test employees and their awareness. Some companies reportedly send employees anonymous bribe offers in exchange for aiding similar ransomware attempts, to test their loyalty. 

4.5 million dollars were squeezed out of CWT’s pockets by Kriuchkov’s mysterious bosses. Since Tesla’s revenue is about 20 times bigger than CWT’s – it’s fair to assume that the failed plot against the auto manufacturer could have yielded a much higher ransom. After all, how can you put a price tag on Tesla’s most important secrets?

But this plot failed. The Gigafactory in Nevada keeps running undisturbed, yanking out batteries and fueling the electric vehicle revolution. All thanks to one anonymous person – whom we call Greg.

This Tesla employee thwarted a million-dollar ransomware attempt and should be lauded as an example of a law-abiding citizen that passed a highly difficult test of loyalty. However, we must ask ourselves: how many people would have refused the offer he was given? It’s easy to turn down a hypothetical offer – but in real life, it’s the stuff dilemmas are made of: one million dollars for your conscience.

What would you choose?…