What began as an attempt to improve security by reviewing VPN connection logs yielded quite unexpected results last year for a U.S.-based firm. Verizon’s Business Security Blog tells the story of an unnamed “critical infrastructure company” surprised to find a live VPN connection into its network originating from Shenyang, China.
Like many businesses, this company was slowly increasing its employees’ ability to work from home. The company installed a VPN concentrator to make this possible, securing the logins with two-factor authentication using a rotating-token RSA keyfob as the second factor. The fact that an unauthorized connection was successfully established from a foreign country was alarming enough. It was even more alarming given that the connection required physical possession of the security keyfob issued to an employee — an employee supposed to be working from the PC on his office desk.
The employee in question had worked for the company for a fairly long time as a software developer fluent in most of the popular programming languages (C++, Perl, Python, Ruby, Java, etc.). As a middle-aged family man, he was described as quiet and not one to stand out or make a scene. The IT staff who spotted the odd VPN intrusion were certain some type of malware had infected his PC. Perhaps this malware was intercepting his network traffic, rerouting it via an external proxy server to a host in China, which in turn routed traffic back to the VPN concentrator? Nope. In fact, the truth turned out to be much simpler and more devious than that.
Investigators examined an image of the employee’s hard drive. No malware was found, but they did find hundreds of PDF invoices from a Chinese developer. This employee had successfully outsourced his own job to the Chinese. After mailing his RSA token to the developers, this one-man outsourcer paid them to connect to the corporate network throughout his eight-hour workday, doing his software coding for him. While receiving a six-figure salary for his work, this creative and conniving individual only paid a fraction of his paychecks back to the developer. Apparently, this employee even managed to get hired on at several other firms in the area, running the same scam with them too.
A closer look at his web browsing history revealed that beyond emailing his boss a daily work progress update in the morning and again in the late afternoon, he spent the rest of his time reading Reddit, shopping on eBay, and using Facebook. Which, admittedly, is pretty much what the majority of other Americans do, except that they also have to do their jobs.
According to performance reviews, this outsourcer’s code was always submitted on time and it was clean and efficient. For several years in a row, this employee was noted as the best developer in the building. It sounds like he was a top-notch project manager, even if only a fraudulent developer.