Insider Threat Locks Thousands of Windows Devices in Extortion Attempt at New Jersey Industrial Firm
What Happened – A former core‑infrastructure engineer accessed his employer's network with a privileged account, deleted domain admin accounts, reset the passwords on 301 user accounts and 13 domain admin accounts, and locked 3,284 workstations and 254 servers. He then emailed coworkers demanding 20 BTC (about $750,000) and threatened to shut down 40 randomly chosen servers every day until paid.
Why It Matters for TPRM –
- Shows how much damage a single privileged insider can do when administrative access is neither constrained nor monitored.
- Demonstrates that abuse of legitimate credentials, with no exploit at all, is enough to cripple a production environment.
- Underscores the need to monitor privileged‑access activity continuously, including the admin accounts held by third‑party vendors.
Who Is Affected – Manufacturing and industrial enterprises that rely on Windows‑based domain controllers and large fleets of workstations.
Recommended Actions – Review privileged‑access policies for all vendors; revoke privileged credentials promptly when staff or vendor engineers leave; enforce MFA and least privilege on admin accounts; deploy privileged access management (PAM) and user and entity behaviour analytics (UEBA) with real‑time alerting; and audit admin activity regularly, in particular bulk password resets, account deletions and scheduled tasks created on domain controllers and remote hosts.
Technical Notes – The attacker used a legitimate administrator account to schedule PowerShell tasks on the domain controller that reset passwords and deleted accounts. No CVE was exploited; the attack relied on insider knowledge of Windows account‑management commands, so the evidence of it lives in the Windows Security event log (password resets, account deletions, scheduled‑task creation) rather than in exploit signatures. Source: BleepingComputer
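The audit called for under Recommended Actions and the event types named in the Technical Notes can be turned into a simple burst detector. The following is an added example written for this page, not code from the article or from the affected company: it consumes parsed Windows Security events (real event IDs 4724 password reset, 4726 account deleted, 4698 scheduled task created) and alerts when one actor generates an abnormal number of them inside a short window. The line format, the host and account names (DC01, CORP\admin-x, CORP\helpdesk01), the sample log and the window/threshold values are all constructed assumptions for the demonstration.

```python
"""Flag bursts of privileged account-management events per actor.

Added example, not from the article. Event lines are constructed to
resemble a CSV export of Windows Security log entries:
    time,event_id,actor,target,host
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Real Windows Security event IDs relevant to this incident pattern.
SENSITIVE_EVENTS = {
    4724: "password reset attempted",
    4726: "user account deleted",
    4698: "scheduled task created",
}

# Assumed tuning: >= 10 sensitive events by one actor within 5 minutes.
WINDOW = timedelta(minutes=5)
THRESHOLD = 10


def parse_event(line):
    """Parse one constructed 'time,id,actor,target,host' line into a dict."""
    time_s, eid, actor, target, host = line.split(",", 4)
    return {
        "time": datetime.fromisoformat(time_s),
        "id": int(eid),
        "actor": actor,
        "target": target,
        "host": host,
    }


def build_sample_log():
    """Constructed sample: normal helpdesk noise, then an admin that
    schedules a task and mass-resets passwords and deletes two accounts."""
    lines = [
        "2023-11-25T06:30:00,4698,CORP\\svc-build,\\Nightly-Build,DC01",
        "2023-11-25T06:31:10,4724,CORP\\helpdesk01,jdoe,DC01",
        "2023-11-25T06:45:00,4724,CORP\\helpdesk01,asmith,DC01",
        "2023-11-25T06:58:30,4698,CORP\\admin-x,\\Maint\\ResetPw,DC01",
    ]
    base = datetime.fromisoformat("2023-11-25T07:00:00")
    for i in range(30):  # 30 password resets, one every two seconds
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()},4724,CORP\\admin-x,user{i:03d},DC01")
    for i in range(2):  # then two account deletions
        t = base + timedelta(seconds=70 + i)
        lines.append(f"{t.isoformat()},4726,CORP\\admin-x,da-admin{i},DC01")
    return lines


def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding window per actor over sensitive events.

    Returns one alert per actor whose event count inside `window` reaches
    `threshold`; the alert covers every event within `window` of the
    triggering window's first event and records whether a scheduled task
    was created and whether any account was deleted in that span.
    """
    by_actor = defaultdict(list)
    for ev in events:
        if ev["id"] in SENSITIVE_EVENTS:
            by_actor[ev["actor"]].append(ev)

    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                first = evs[start]["time"]
                span = [e for e in evs[start:] if e["time"] - first <= window]
                counts = Counter(e["id"] for e in span)
                alerts.append({
                    "actor": actor,
                    "first": span[0]["time"],
                    "last": span[-1]["time"],
                    "counts": dict(counts),
                    "task_scheduled": 4698 in counts,
                    "accounts_deleted": 4726 in counts,
                })
                break  # one alert per actor is enough to page someone
    return alerts


def run_sample():
    """Parse the constructed log and return the alerts it produces."""
    return detect_bursts([parse_event(line) for line in build_sample_log()])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On a real domain controller the input would come from the Security log, for example `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724,4726,4698}` exported to CSV with the columns assumed above (the column layout is an assumption of this example). Two design points matter in practice: the detector keys on the actor, not the target, because the signal is one account touching many others, and the alert records whether a scheduled task preceded the resets, since a task created on a domain controller shortly before a burst of 4724 events is exactly the sequence described in the Technical Notes.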