Mr. Simpson’s team was being merged with another team and he was unhappy with the new hierarchy. After being informed by a friend in HR about the changes, Mr. Simpson began using his administrative access to take over other accounts. He ultimately attempted to disrupt operations and downloaded confidential files.
This investigation turned up multiple suspicious log entries showing Mr. Simpson logging into the application server only minutes before the problems started. The logs showed failed super user account access from Mr. Simpson, followed by password resets of service accounts. Mr. Simpson admitted to accessing multiple email boxes using the service accounts to insert scheduled jobs designed to disrupt his new team’s workflows.
Beyond the stolen files was a second listing of scheduled jobs inserted by Mr. Simpson. The jobs were exclusively mass delete commands scheduled to occur at critical times over the next year: During tax season, prior to holiday bonuses, and a few seemingly random dates.
Also, while plugging in a USB keyboard to issue commands, the investigator noticed an extension on the plug itself. When pried, it popped off, revealing an off-the-shelf, clandestine keylogger. Thhe keylogger was designed to capture any input a user provided via the keyboard and was sending the capture to a rented Romanian server.