It is every commercial and government organization's worst IT nightmare: the disgruntled inside hacker. Some steal information, others decide to go on a destructive rampage. The US subsidiary of the Japanese pharmaceutical company Shionogi got a reminder of its nightmare of the latter kind this week.
According to stories in various news media as well as the press release at the US Attorney's office for the District of New Jersey, Jason Cornish pleaded guilty yesterday to US federal charges of knowingly transmitting computer code with the intent to damage computers in interstate commerce. Mr. Cornish is currently scheduled for sentencing on November 10, 2011; he faces a maximum potential penalty of 10 years in prison and a $250,000 fine.
Mr. Cornish was an IT employee at Shionogi, which has operations in Florham Park, N.J., and in Atlanta, Ga., where he worked. According to a story at ComputerWorld, he quit the company in July 2010 after a dispute with management. He was rehired as a consultant at the suggestion of his friend and former supervisor for two more months because of his knowledge of the computer systems there.
In September, Mr. Cornish resigned from Shionogi. Shortly thereafter, Shionogi announced layoffs that would affect his former supervisor. According to court documents (PDF), on or before October 1, 2010, the supervisor "refused to return certain network passwords to Shionogi officials, which led the company to suspend and later fire him."
Shionogi apparently did not do a very good job of changing all the passwords to its computer systems or seeing if they were being abused in the light of the episode with Mr. Cornish's former supervisor; beginning on or about the 1st of October, the court documents state, that Mr. Cornish began hacking into Shionogi's computer system aided by his knowledge of its operations. On the 13th of January of this year, he secretly installed some software—a vSphere VMware management console—on Shionogi's computer system.
Next, on the 3rd of February, Mr. Cornish used a public network at a McDonald's located in Smyrna, Ga., to access the console, where Mr. Cornish proceeded, says the US Attorney's office:
"... to delete the contents of each of 15 'virtual hosts' on Shionogi’s computer network. These 15 virtual hosts housed the equivalent of 88 different computer servers.... The deleted servers housed most of Shionogi’s American computer infrastructure, including the company’s e-mail and BlackBerry servers, its order tracking system, and its financial management software.
"The attack effectively froze Shionogi’s operations for a number of days, leaving company employees unable to ship product, cut checks, or communicate by email. Shionogi sustained approximately $800,000 in losses responding to the attack, conducting damage assessments, and restoring the company’s network to its prior condition."
After the Mr. Cornish's attack, the FBI’s Cyber Crimes Task Force was called in and through its forensic analysis was able to identify him as the likely attacker. Mr. Cornish was arrested in July. Mr. Cornish's former supervisor and friend has been not charged.
There is a nice list of 11 inside-hacking attacks following a story on Mr. Cornish's guilty plea at The Register.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.