Computer engineer Daniel Rhyne is said to have launched a massive cyberattack against his own employer. Rhyne, who worked as a virtual machine (VM) expert at the company, used his position to secretly create a virtual machine on the company’s network.
On November 25, 2023, employees of a US industrial company noticed strange notifications coming from an administrator account requesting password resets. This account had wide-ranging permissions to make changes affecting all computers in the company. The name of the company is not mentioned in the court documents.
Shortly afterwards, colleagues, managers and other company employees received an email from an external address. The message claimed that the company network had been compromised and that all IT administrators had either been locked out or had their accounts deleted. In addition, all of the company’s backups had been deleted. The author of the email threatened to shut down an additional 40 of the company’s servers within the next ten days if the demanded ransom of €700,000 in Bitcoin was not paid.
The law enforcement authorities’ investigation quickly led to Rhyne as the prime suspect. He is accused of sending the ransomware and deliberately disrupting his employer’s network. During a search of the company’s network, investigators discovered a hidden VM that was allegedly created by Rhyne and used to gain unauthorized access to the company’s administrator account.
Internal investigations revealed that this VM was being used from Rhyne’s company computer and user account. In addition, web searches performed from Rhyne’s user account and computer could be linked to activity on the hidden VM. Among other things, he searched for commands to change passwords, both locally and remotely.
The indictment accuses Rhyne of infiltrating his employer’s network without authorization, causing massive damage to the company and attempting to obtain substantial financial gain through extortion.