Tesla Insider Threat Case Study
According to the official filing, Tesla is suing a former employee and software engineer named Alex Khatilov, alleging trade secret theft and breach of contract.
What actually happened?
Khatilov was hired by Tesla in to work on their quality assurance team.
According to Tesla, after only 3 days, Khatilov began transferring files and Python scripts to his personal Dropbox account. Tesla claim the code that was stolen took “200 man-years of work” to develop.
Tesla claim that their infosec team “detected the downloading of up to approximately 26,000 files on January 6 through its monitoring software. The team immediately reviewed the activity and concluded that it was not an authorized transfer. Tesla also discovered that the files contained a complete set of all automation scripts produced by the Quality Assurance Engineering team for WARP Drive over the last twelve years.”
On the 6th of January, Tesla actually challenged Khatilov about the action while he was working remotely. During this interview Khatilov claimed that he “had only transferred a couple of personal administrative documents”. In fact, he had transferred thousands and thousands of documents.
Tesla personnel asked Khatilov to share his laptop screen to confirm that his Dropbox account did not contain any confidential Tesla files, as he had now twice claimed. Khatilov delayed accepting the screen share request for “over a minute”. During this time, he could apparently be seen on video chat hurriedly deleting information from his computer. This is never a good look!
Tesla claim that they witnessed Khatilov “hurriedly deleting the dropbox client” from his computer in an attempt to cover up the theft while investigators were attempting to connect to his computer. His attempt to conceal his actions was further undermined because he failed to delete the files from the Dropbox cloud storage, so when investigators did manage to check, the size of the theft was ultimately revealed.
Security staff at Tesla were able to instruct Khatilov to delete the downloaded files.
While Tesla’s team did identify the transfer to Dropbox, it did not give them any visibility on whether Khatilov actually transferred the files out of Dropbox and onto other cloud storage or removable media. It would therefore be possible for a copy to still exist.
After this incident unfolded, Khatilov responded to Tesla’s allegations by asserting, “Nobody told me using Dropbox is prohibited.” He added, “I don’t know why they claim it’s sensitive information, I didn’t have access to any sensitive information.”
It is safe to say that Khatilov denies the charges put forward by Tesla.
Tesla did a good job at quickly identifying the theft, but it does pose some interesting questions about how we protect sensitive data when staff are working from home. This was an attack that could and would work in many organisations, especially ones that allow staff to use their own laptops. Highly innovative businesses, especially ones generating a wealth of IP or investing heavily in R&D, are usually at a heightened risk of insider theft.
Tesla Insider Threat - Questions to ask
Was he a “disgruntled” insider?
While many insider threats are classified as disgruntled, this description is in fact most often associated with insiders who commit sabotage and have a grudge against the organisation. Having only worked for Tesla for a few days, it is unlikely that he would have had such feelings of disgruntlement. It is far more likely that his actions were driven by the pursuit of personal financial gain.
Was Khatilov a typical insider?
Most insider thefts occur within 2 months of an employee handing in their notice, not within a week of joining a company. So in that respect this case was atypical. That said, the type of data that was stolen was not surprising: this type of data has a huge value to some competitors around the world.
Was he working alone?
There are aspects of Khatilov’s modus operandi, and in particular a level of incompetence in his operational security, that make it likely he was acting alone. If he had been put in place by a competitor and coached through the hiring interview process in order to get the job, which does happen, it would be unlikely that they would have triggered the theft so soon into his job, as he would have likely been on a form of probationary period. It also seems unlikely that they would have known so little about Tesla’s internal processes as to risk such a rapid and trackable theft by dropping thousands of files into Dropbox. While industrial espionage can be simple, it is often very difficult to detect, and the anatomy of this attack seems more consistent with a lone wolf, perhaps thinking he could sell the data later on.
How does this insider attack differ from other Tesla insider threat attacks?
In 2018 Tesla alleged that an employee, “wrote code to periodically export gigabytes of Tesla’s data, including dozens of confidential photographs and a video of Tesla’s manufacturing systems”. Tesla also alleged that the employee had “funnelled data on Tesla’s financials, the process for manufacturing batteries for its Model 3 luxury vehicle, and the amount of scrap and raw materials used at the battery factory” outside of the organisation.
So they have suffered intentional insider attacks before. Perhaps this is why they were so quick to detect this more recent attack.
What could Tesla have done differently?
Tesla has done a good job at limiting access to sensitive data and limiting the number of employees who can grant access to the data. They also have demonstrated that they have the ability to rapidly identify the theft and approach the suspect within 24 hours of the incident being reported. We don’t know about Tesla’s insider threat defences or if they use any behavioural baselining for data access which might have triggered this alert.
However, was it necessary for a new employee to be able to copy and move these files in the first place? Prevention is always better than cure.
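The behavioural baselining mentioned above can be sketched as a peer-group outlier check on daily file transfers to personal cloud storage, with a tighter limit for new hires. This is an added example, not Tesla's tooling or anything from the filing: the event format, user names, tenure values, destination watch list and thresholds are all assumptions, and the log lines are constructed (the new hire's total is set to the 26,000 figure quoted earlier).

```python
from collections import defaultdict
from statistics import median

PERSONAL_CLOUD = {"dropbox.com", "drive.google.com"}  # assumed watch list

# Constructed events: (day, user, tenure_days, destination, files_moved)
EVENTS = [
    ("2021-01-04", "qa_anna", 1040, "dropbox.com", 3),
    ("2021-01-04", "qa_ben", 570, "files.corp.example", 400),  # sanctioned store
    ("2021-01-05", "qa_anna", 1041, "dropbox.com", 5),
    ("2021-01-05", "qa_ben", 571, "drive.google.com", 2),
    ("2021-01-05", "qa_cara", 338, "dropbox.com", 8),
    ("2021-01-06", "qa_ben", 572, "dropbox.com", 4),
    ("2021-01-06", "new_hire", 9, "dropbox.com", 14000),
    ("2021-01-06", "new_hire", 9, "dropbox.com", 12000),
]

def flag_exfil(events, threshold=6.0, new_hire_days=30, min_peers=3):
    """Return (day, user, files, score) for outlier transfers to personal cloud."""
    totals, tenure = defaultdict(int), {}
    for day, user, tenure_days, dest, files in events:
        if dest in PERSONAL_CLOUD:
            totals[(user, day)] += files  # sum bursts within the same day
            tenure[(user, day)] = tenure_days
    alerts = []
    for (user, day), count in sorted(totals.items()):
        # Peer baseline: other users' daily totals seen up to this day.
        peers = [c for (u, d), c in totals.items() if u != user and d <= day]
        if len(peers) < min_peers:
            continue  # too little history to score
        med = median(peers)
        mad = median(abs(c - med) for c in peers) or 1.0  # avoid divide by zero
        score = (count - med) / (1.4826 * mad)  # robust z-score
        # New hires have no personal history, so hold them to a tighter limit.
        limit = threshold / 2 if tenure[(user, day)] < new_hire_days else threshold
        if score > limit:
            alerts.append((day, user, count, round(score, 1)))
    return alerts

if __name__ == "__main__":
    for alert in flag_exfil(EVENTS):
        print(alert)
```

The median and MAD are used instead of mean and standard deviation so that one very large transfer does not inflate the baseline it is being compared against.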
Tesla were fairly open and honest about the case. This may be because their response was so rapid. While Khatilov was clearly able to get past initial employee screening (remember this was a role with a lot of access) he went “full exfil” after only a few days on the job.
Khatilov comes across as somewhat unprepared and opportunistic. Perhaps this was a stroke of luck for Tesla. Often serious insider theft cases go totally undetected until it is too late.
Link to the court filing: https://www.scribd.com/document/491775490/Tesla-Inc-v-Alex-Khalitov-Case-4-21-cv-00528-YGR#from_embed