A system administrator for an unnamed company was caught defacing his own firm's website to hide the theft of company data, which he planned to sell and then retire to a seaside town abroad.

The system administrator, who, due to non-disclosure agreements signed in such security incidents, cannot be named at this point in time, had worked for his company for 15 years and had earned the trust of his colleagues.

The employee had always wanted to buy a house in a seaside town abroad when it was time to retire. Unfortunately, he wasn't able to gather all the money to follow through on his dreams.

Crooks approached the sysadmin to sell corporate data

As he was getting near retirement, the system administrator received an offer to sell corporate data, which would have allowed him to purchase the house of his dreams and retire as he always wanted.

To mask the theft of his company's data, the system administrator engineered a plan to carry out a fake cyber-attack.

He excused himself one day from work and told fellow employees he was attending a security conference. In reality, the system administrator crossed the border into a neighboring country (a one-hour drive from his workplace), where he used a commercial vulnerability scanner to probe his company's network, just like it would happen in a real attack.

System administrator defaced his own website

When he came back to work the next day, he used his admin panel credentials to deface one of the company's websites with a message from a hacktivist group accusing the firm of globalization. He saved a copy of the defacement on the Zone-H mirroring site and erased all data from the web root folder, along with all the logs.

He then reported the hack to his bosses claiming the company was attacked by known hackers and recommended that he wipe the server and reinstall everything to avoid a prolonged downtime.

After he received approval and carried out a server clean-up, the sysadmin also contacted the company's web security provider, a Swiss-based company named High-Tech Bridge.

When High-Tech's security team arrived to inspect the hacked server, they discovered a newly installed machine instead, with no clues about the attackers or the attack's origin.

Clues leave a trace back to the sysadmin

Unfortunately for the server admin, he didn't cover all his tracks. High-Tech Bridge investigators were quick to point out a series of discrepancies.

For example, anyone who has ever met a hacktivist knows that they're all about media coverage and publicity stunts. There was no trace on social media about this hack.

Investigators also pointed out that the target of the defacement was a well-protected subdomain on a less used server, which makes no sense since the company was managing several highly trafficked websites that ran older software, which were much easier to hack from an attacker's perspective.

Unknown to all at that time was the fact that the system administrator chose to deface that website because the data he was told to steal was stored on that less trafficked server.

Hacktivists can't afford enterprise-grade vulnerability scanners

Additionally, the attack was carried out from an IP belonging to a public Wi-Fi network, something that also doesn't fit the hacktivist attack model because these groups use TOR in almost 99.99% of all cases to hide their location.

Furthermore, the security scanner the system administrator used to search for vulnerabilities was a very expensive tool, which very few hacktivists could afford, and one for which the company held a few licenses.

"[T]he defacement was definitely done via existing functionality of the admin panel, without altering file content directly via a system command," Ilia Kolochenko, High-Tech Bridge CSO, explains.

Since access to the admin panel was only limited to a select IP range, assigned to computers inside the company, this meant the login took place from behind the company's firewall, in other words, this was the work of an insider.

Add to this the fact that the system administrator insisted for a server reinstallation, against all security breach procedures, meant the sysadmin had something to gain by erasing that server. All of these clues placed the sysadmin at the top of the main suspects list.

Confronted with all the details gathered by the High-Tech Bridge team, the system administrator admitted to his wrongdoing.