
Tesla hit by insider saboteur who changed code, exfiltrated data

Tesla has rooted out a saboteur who changed code on internal products and exfiltrated data to outsiders, damaging company operations and possibly causing a fire, CEO Elon Musk told employees in an email.

“I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations,” Musk wrote in an email obtained by CNBC. “This included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties.”

While Musk said Tesla doesn't know the full extent of the employee's actions, “what he has admitted to so far is pretty bad,” noting that the saboteur claims to have wreaked his mayhem because “he wanted a promotion” that he was denied.

“Trusted users always pose the highest risk as they have the means and only lack the motivation. In this instance, the motivation sounds personal, and that is quite often the case in corporate sabotage,” said Chris Morales, head of security analytics at Vectra. “It is not clear how this event was detected, but it sounds like it was discovered after the damage already occurred and there is still work to uncover the extent of that damage.”

Earlier on Sunday, Musk had alerted employees to a factory fire – one of four the company has experienced – and alluded to possible sabotage. It's not the first time Musk has mused that sabotage was afoot – the issue was broached in 2016 when a SpaceX rocket exploded prior to a test.

“We looked at who would want to blow up a SpaceX rocket,” Musk said at the time, according to Space News. “That turned out to be a long list. I think it is unlikely this time, but it is something we need to recognize as a real possibility in the future.”

Employees are typically part of a trusted group, who, while on a corporate network, “typically don't need to perform the same extra authentication steps necessary to connect to services and applications that they do when they are connected from home,” said Morales. “As a result, they can move around fairly freely.”

Whether addressing a rogue insider or an outsider who has gained access to employee credentials, he said, “enterprises benefit from internal monitoring that can detect suspicious behavior in order to prevent damage,” perhaps getting an assist from AI.

“Even the best of companies must ensure that they've deployed security-in-depth, where if one level of control fails, another is ready as a backstop, ensuring the organization's cyber posture,” said David Ginsburg, vice president of marketing at Cavirin. “Here, they should have put in place processes for immediate notification of the changes made or of any attempt to exfiltrate data.”

Ginsburg cautioned that the impact of a future attack could be much worse. “The disturbing thing is that the same techniques used to impact the manufacturing systems could be used to inject malicious code into the auto's firmware, with unknown consequences,” he said.
