Japanese pharmaceutical crippled by insider cyberattack

Published 22 August 2011

Last week a disgruntled former contract employee pleaded guilty to severely disrupting the networks of Shionogi, a Japanese pharmaceutical firm; the attacks were so severe that they crippled Shionogi’s operations for “a number of days, leaving employees unable to ship products, to cut checks or even communicate via email,” according to court documents.

On 16 August, Jason Cornish, who once worked at the U.S. subsidiary of Shionogi, pleaded guilty to charges of computer intrusion and could be sentenced to as much as ten years in prison.

Using passwords he had obtained while working at the company, Cornish entered Shionogi’s networks and deleted the contents of fifteen virtual hosts, the rough equivalent of eighty-eight different computer servers. The attacks were so severe that they crippled Shionogi’s operations for “a number of days, leaving employees unable to ship products, to cut checks or even communicate via email,” according to court documents.

The company’s email, BlackBerry servers, order-tracking system, and financial management software were affected, and the company estimates Cornish caused $800,000 in damages.

Authorities were able to find the culprit by tracing the source of the attacks to a McDonald’s in Smyrna, Georgia. The attack emanated from the McDonald’s free public WiFi hotspot, where Cornish had made a charge on his Visa card five minutes before the attacks occurred.

Cornish had left Shionogi in July 2010 after a dispute with a senior manager, but continued to work at the company as an IT contractor at the suggestion of a colleague, referred to as B.N. in court documents. In a round of layoffs, B.N. refused to hand over network passwords and was fired in September 2010, resulting in the termination of Cornish’s contract.

Following B.N.’s departure, Cornish allegedly attempted to access Shionogi’s computer systems more than twenty times, and in January he successfully installed VMware’s vSphere virtualization management console software without the company’s consent or knowledge. Using the software, he was then able to remotely log in and delete the company’s data.

In a blog entry, Graham Cluley, a senior technology consultant with Sophos, warned that organizations must protect themselves against insider threats. On the Naked Security blog, Cluley wrote that while most people who leave their jobs “never dream” of doing harm, organizations should make sure that defenses are in place, passwords changed, and former employee access revoked because “it only takes one bad apple to wreak havoc.”