Ex-Employee Sentenced for Massive Virtual Server Deletion

by Axl Stanley

In a case of insider sabotage, a former quality assurance employee at National Computer Systems (NCS) was recently sentenced to less than 3 years in prison for maliciously deleting 180 virtual servers after being fired from the company.

The incident, which caused an estimated US$678,000 in damages, serves as a stark reminder of the importance of promptly revoking access privileges for terminated employees and the potentially catastrophic consequences of failing to do so. 

Nagaraju Kandula, 39, had worked as a member of the quality assurance (QA) team at NCS, a prominent IT firm based in Singapore and a subsidiary of the Singtel Group. His responsibilities involved testing new software and programs before their launch by the company. However, on November 16, 2022, Kandula's employment was terminated due to poor performance. According to court documents, Kandula felt "confused and upset" when he was terminated from his position at NCS, as he believed he had performed well and made significant contributions to the company.

NCS overlooked the crucial step of invalidating Kandula's credentials, leaving him with continued access to their systems even after his dismissal. Harboring resentment towards the company, Kandula exploited this oversight to carry out a malicious attack between January and March 2023. 

During this period, court documents reviewed by news outlet CNA reveal that Kandula accessed NCS systems on thirteen separate occasions. He used this time to test custom scripts designed to wipe virtual servers managed by the quality assurance team he had previously been a part of. 

The culmination of Kandula's vengeful plot occurred on March 18-19, when he executed the wiper script, resulting in the deletion of 180 virtual servers. The impact was severe, with NCS estimating the damages to be a staggering US$678,000. 

Upon discovering the damaging attack and realizing that the deleted servers could not be restored, NCS promptly reported the incident to the authorities. Through their investigation, law enforcement traced the malicious actions back to an IP address associated with Kandula on April 11, 2023. 

Further evidence was uncovered when investigators confiscated Kandula's laptop and found the very script used in the attack to wipe the virtual servers. Notably, the investigators mentioned that Kandula had developed the wiper script through Google searches on how to delete virtual servers, leaving a trail of incriminating internet history. 

Kandula was sentenced to two years and eight months in prison for one count of unauthorized access to computer material. Another charge was taken into consideration for sentencing, although the details of this additional charge are not specified in the sources.

While NCS has stated that no sensitive information was exposed due to the incident, as the impacted environment was a software testing platform, the case highlights a critical lapse in cybersecurity practices. Organizations must prioritize promptly blocking all former-employee access to critical systems upon dismissal and resetting passwords for all administrative accounts that those individuals might have known or used. 
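One way to check for the lapse described above, as an added example that is not part of the original article: a Python audit that cross-references an HR termination list with authentication logs and reports any login activity by a terminated account. The usernames, IP addresses, CSV layout and log format are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed HR offboarding export (hypothetical usernames and dates).
HR_CSV = """username,termination_date
qa_alice,2022-11-16
dev_bob,
"""

# Constructed auth log: timestamp, username, source IP, result.
AUTH_LOG = """\
2022-11-10T09:02:11 qa_alice 10.0.4.21 success
2023-01-06T22:14:03 qa_alice 203.0.113.7 success
2023-02-19T23:40:55 qa_alice 203.0.113.7 success
2023-02-20T08:00:00 dev_bob 10.0.4.33 success
2023-03-18T21:05:42 qa_alice 198.51.100.9 failure
2023-03-18T21:06:10 qa_alice 203.0.113.7 success
"""

def load_terminations(hr_csv):
    """Map username -> termination datetime; active staff (blank date) are skipped."""
    terms = {}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        if row["termination_date"]:
            # Midnight of the termination day: same-day logins are flagged too.
            terms[row["username"]] = datetime.strptime(row["termination_date"], "%Y-%m-%d")
    return terms

def post_termination_activity(auth_log, terms):
    """Summarise every auth event by a terminated account after its end date."""
    summary = {}
    for line in auth_log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the audit
        ts, user, ip, result = parts
        when = datetime.fromisoformat(ts)
        if user not in terms or when < terms[user]:
            continue
        s = summary.setdefault(user, {"success": 0, "failure": 0, "first": when, "last": when, "ips": set()})
        s[result] = s.get(result, 0) + 1
        s["first"], s["last"] = min(s["first"], when), max(s["last"], when)
        s["ips"].add(ip)
    return summary

if __name__ == "__main__":
    for user, s in post_termination_activity(AUTH_LOG, load_terminations(HR_CSV)).items():
        # A success means the credential still works; a failure means it is still being tried.
        print(f"{user}: {s['success']} successful / {s['failure']} failed logins after termination, "
              f"{s['first']:%Y-%m-%d} to {s['last']:%Y-%m-%d}, from {sorted(s['ips'])}")
```

Any successful login in the output means the account was never disabled; run against real exports, the same check also surfaces shared or administrative accounts the departed employee could still use if those are included in the termination list.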

Failing to take these basic protective measures can lead to catastrophic attacks that cost companies significant amounts of money, cause business disruption, and even create physical risks. Earlier this year, a former Cisco engineer pleaded guilty to deploying code that led to the shutdown of more than 16,000 WebEx Teams accounts and the deletion of 456 virtual machines, further underscoring the severity of such insider threats.

The Kandula case serves as a sobering reminder that disgruntled former employees with retained access privileges can pose a significant risk to an organization's digital infrastructure and operations. It emphasizes the need for robust access control measures, prompt revocation of privileges upon termination, and vigilant monitoring for potential insider threats.

As cybersecurity challenges continue to evolve, companies must remain proactive in safeguarding their systems and data, recognizing that the greatest vulnerabilities may sometimes lie within their own ranks. By learning from incidents like this and implementing rigorous security protocols, organizations can better protect themselves from the potentially devastating consequences of insider sabotage.

Sources:

  1. https://www.bleepingcomputer.com/news/security/former-it-employee-gets-25-years-for-wiping-180-virtual-servers/
  2. https://thedailyguardian.com/revenge-of-the-fired-indian-ex-employee-hacks-singapore-firm-wipes-critical-data/
  3. https://www.channelnewsasia.com/singapore/former-employee-hack-ncs-delete-virtual-servers-quality-testing-4402141
  4. https://gigazine.net/gsc_news/en/20240614-fired-employee-deleted-servers/
  5. https://www.business-standard.com/world-news/indian-gets-2-yr-jail-term-for-hacking-ex-employer-s-system-in-singapore-124061200089_1.html
  6. https://www.digit.in/news/general/fired-employee-hacks-into-companys-system-heres-what-happened-next.html
  7. https://www.hindustantimes.com/trending/upset-indian-man-hacks-into-singapore-company-s-server-after-getting-fired-deletes-data-101718431307611.html
  8. https://theindependent.sg/angry-ex-employee-cyber-attacks-his-former-company-causing-it-to-suffer-financial-loss-close-to-s1m/
  9. https://gutzy.asia/2024/06/15/nus-graduate-claims-struggle-to-find-employment-while-ex-ncs-indian-employee-lands-job-in-4-months/
  10. https://www.techspot.com/news/103386-disgruntled-ex-employee-deletes-180-test-servers-costing.html
  11. https://www.uniladtech.com/news/tech-news/fired-employee-hacks-company-system-costing-losses-815859-20240613
  12. https://www.reddit.com/r/SingaporeRaw/comments/1ddv6y5/kandula_nagaraju_39_a_fired_employee_hacked_into/
  13. https://it.slashdot.org/story/24/06/13/2011245/fired-employee-accessed-ncs-computer-test-system-and-deleted-servers
  14. https://www.tomshardware.com/tech-industry/disgruntled-ex-employee-costs-company-over-dollar600000-after-he-deletes-all-180-of-its-test-servers-found-server-deletion-scripts-on-google
  15. https://www.bleepingcomputer.com/news/security/former-it-staff-gets-25-years-for-wiping-180-virtual-servers/
  16. https://cyber.vumetric.com/security-news/2024/06/14/former-it-employee-gets-2-5-years-for-wiping-180-virtual-servers/
  17. https://www.itpro.com/security/a-disgruntled-ex-employee-at-a-singaporean-it-firm-caused-carnage-after-deleting-over-180-servers
  18. https://www.timesnownews.com/viral/indian-employee-fired-then-hacks-singapore-firms-servers-upset-article-111015891
  19. https://www.reddit.com/r/developersIndia/comments/1dfhvrq/disgruntled_exemployee_costs_company_over_600000/
  20. https://infosec.exchange/%40BleepingComputer/112615773035032413
