Fannie Mae Logic Bomb Attack 'Tip Of The Iceberg'
"To me, this is the tip of the iceberg," said Mandeep Khera, chief marketing officer of security company Cenzic. "If a small percentage of these IT workers are going to the dark side, they could potentially cause a lot of damage."
Federal investigators indicted Rajendrashinh Makwana, 35, a contracted Unix engineer for mortgage finance company Fannie Mae, for allegedly embedding malicious code known as a logic bomb in the mortgage lender's computer network, which was set to detonate on Jan. 31, 2009.
Had the attack been successful, the malware could have destroyed the entirety of the data on all 4,000 of the mortgage finance company's servers and shut down the company for a week, experts say.
The malware in Fannie Mae's servers was thwarted when another engineer detected the malicious code, embedded with legitimate script.
However, experts say that in many other cases, malicious code planted from the inside might not be so easily detected, especially in smaller and midsize companies with limited IT personnel and resources.
"I bet there's a lot more malicious code and a lot more hidden back doors that are being exploited," Khera said. "We'll hear about some of the big ones. We won't hear about a bunch of them that will never get caught."
Makwana planted the malicious code in Fannie Mae's servers after he was terminated on Oct. 24 for a scripting error in mid-October, which federal officials say was not "maliciously created." Makwana, a native of India in the U.S. on a work visa, had been an engineer for IT consulting firm OmniTech for three years, but worked full time at Fannie Mae's Urbana, Md. facility.
"After being terminated from his employment at Fannie Mae, Makwana intentionally and without authorization caused and attempted to cause damage to Fannie Mae's computer network by entering malicious code that was intended to execute on Jan. 31, 2009, and that would have resulted in destroying and altering all of the data on all Fannie Mae servers," the indictment said.
Makwana was told of his termination on Oct. 24 at about 2 p.m., after which he surrendered his badge and left the Urbana facility at about 4:45 p.m. that same day, according to an FBI affidavit. However, Makwana's server access was not terminated until 10 p.m. later that evening. Makwana used his extended access to reset the company's servers that would eliminate his "footprint" and impede security alerts that would ordinarily warn Fannie Mae engineers of an intruder's continued access to the servers. Makwana then launched code that would enable him to access the servers remotely, and created the logic bomb the following day, Oct. 25.
Khera said that 2009 will likely be a "big year" for insider threats and data breaches due to the weak economy that resulted in massive layoffs within the IT sector and other industries. Consequently, it would not be difficult for disgruntled or laid-off IT employees to infiltrate corporate networks and plant malicious code, which could be used to shut down systems or steal information, he said.
"After they leave, they can sell this information to hackers. There're a lot of things they can do," Khera said. "(The attacks) will continue, and I think we'll see a huge trend this year."