Earlier this month, according to a recently unsealed criminal complaint, a 27-year-old Russian man named Egor Igorevich Kriuchkov met an old associate who now worked at Tesla at a bar in Reno. They drank till last call. At some point in the evening, the FBI says, Kriuchkov took the person’s phone, put it on top of his own, and placed both devices at arm’s length—the universal sign that he was about to say something for their ears only. He then invited the Tesla employee to collaborate with a “group” that carries out “special projects.” More specifically, he offered the staffer $500,000 to install malware on his employer’s network that would be used to ransom its data for millions of dollars.
Just a few weeks after that Reno meeting, FBI agents arrested Kriuchkov in Los Angeles as, the Department of Justice says, he was trying to flee the country. His recruitment scheme failed, the complaint says, when the employee instead reported Kriuchkov’s offer to the company, which in turn alerted the FBI, leading the bureau to surveil Kriuchkov and arrest him not long after.
Given that Tesla’s “Gigafactory” manufacturing facility is located just outside of Reno, in Sparks, Nevada, speculation immediately focused on Tesla as the likely target of the attack. On Thursday night, Tesla founder Elon Musk confirmed it, in typical offhand style, on Twitter. “Much appreciated,” Musk wrote in response to a report on Tesla news site Teslarati that named Tesla as the attempted ransomware strike’s target. “This was a serious attack.” Tesla itself did not respond to a request for comment.
Despite the happy ending—all thanks to a Tesla employee willing to turn down a significant alleged bribe—the attempted “insider threat” ransomware attack against such a prominent target shows just how brazen ransomware crews have become, says Brett Callow, a threat analyst with cybersecurity firm Emsisoft. “This is what happens when you hand billions to ransomware groups. If they can’t access a network via their usual methods, they can afford to simply buy their way in. Or try to. Tesla got lucky,” Callow says. “The outcome could have been very different.”
According to the FBI, Kriuchkov had first met the Tesla staffer in 2016, and got back in touch with him via WhatsApp in July. Over the first two days of August, he drove the staffer to Emerald Pools in Nevada and Lake Tahoe, picking up the tabs and declining to appear in photos, court documents say, possibly attempting to avoid leaving a trail of his travels. The next day, Kriuchkov took his Tesla contact to a Reno bar and made the offer: half a million dollars in cash or bitcoin to install malware on Tesla’s network, either by plugging in a USB drive or by opening a malicious email attachment. Kriuchkov allegedly explained to the Tesla staffer that the group he worked with would then steal data from Tesla and hold it for ransom, threatening to dump it publicly if the ransom wasn’t paid.
Sometime after that first meeting, the Tesla staffer alerted his employer, and the FBI began surveilling and recording the subsequent meetings with Kriuchkov. Throughout August, Kriuchkov allegedly attempted to persuade the Tesla staffer by upping the bribe to $1 million, and by arguing that the malware would be encrypted such that it couldn’t be traced to the staffer who installed it. Moreover, to distract Tesla’s security staff during the ransomware installation, the gang would carry out a distributed denial of service attack, bombarding Tesla’s servers with junk traffic.
In fact, Kriuchkov allegedly claimed that another insider they had used at a different company still hadn’t been caught after three and a half years. Prosecutors say Kriuchkov even went so far as to suggest they could frame another employee of the Tesla staffer’s choice for the hack—someone he or she wanted to “teach a lesson.”