Insider attack thwarted at Fannie Mae

The US Department of Justice has released a bulletin describing a Former Fannie Mae Contractor Employee Indicted For Computer Intrusion:

According to the one count indictment and affidavit in support of a criminal complaint previously filed on January 6, 2009, Makwana was a contractor employee, working at Fannie Mae’s Urbana, Maryland facility from 2006 to October 24, 2008. He was a computer programmer proficient in a computer language designed to operate Fannie Mae’s 4,000 computer servers, and was part of a group that created computer scripts for Fannie Mae. As such, Makwana had access to Fannie Mae’s servers throughout the United States.

It is the ultimate insider attack. The accused was operating with system-level privileges on all servers in the company. He was terminated two weeks after he pushed a script to Unix servers without prior approval. Fannie Mae apparently allowed him to keep writing scripts, but he was no longer allowed to push them.

The indictment and affidavit allege that Makwana was terminated on October 24, 2008, and advised to turn in all of his Fannie Mae equipment, including his laptop. According to the affidavit, on October 29, 2008, a Fannie Mae senior engineer discovered a malicious script embedded in a routine program. The legitimate and malicious scripts were removed that day. The engineer and his supervisors ordered a standard lock down of all access to the servers. The indictment alleges that Makwana entered the malicious code on October 24, 2008, and that it was set to execute on January 31, 2009. The malicious code was designed to propagate throughout the Fannie Mae network of computers and destroy all data.

Had the script executed a day or so after termination, Fannie Mae would have been devastated. Instead, the timer was set for a month, which gave other engineers enough time to find the bomb and disable it.

Makwana’s script was set to wipe out all passwords, replace all data with zeros, disable high-availability software including remote power controls, and then shut everything down. Anyone who attempted to log in would see the message “Server Graveyard”. In other words, his aim was to reduce 4,000 servers to blank hardware and require on-site visits to rebuild them. Fannie Mae suggested that recovery from this level of incident would have taken at least a week.

The United States District Court of Maryland has the criminal complaint, which cites Title 18, United States Code, Section 1030(a)(5). I found it at inman.com.

Despite MAKWANA’s termination, MAKWANA’s computer access was not immediately terminated. Access to ABC’s computers for contractors’ employees was controlled by the ABC procurement department, which department did not terminate MAKWANA’s computer access until late in the evening on October 24, 2008.

[…]

The malicious script was at the bottom of the legitimate script, separated by approximately one page of blank lines, apparently in an effort to hide the malicious script within a legitimate script. It was only by chance that SK scrolled down to the bottom of the legitimate script to discover the malicious script. The legitimate and malicious scripts were removed and placed into an archive file on October 29, 2008.

[…]

SK immediately looked at the logs from October 24, 2008, the date of the creation of the malicious script, and noticed MAKWANA’s username and files accessing the dsysadmOl server, on which the malicious script was created.

The complaint continues with a description of how Makwana used SSH from his laptop at his desk to log in to a development server at 2:53 pm on the day of his termination, just two hours before he turned the laptop in. The complaint also suggests premeditation: a few days before he was terminated, he emailed his relatives in India and told them not to travel to the US.
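Since the complaint says the malicious section was found only by chance, after someone scrolled past a page of blank lines, a mechanical check for that layout is cheap to run over a script repository. The following is an added example, not code from this post or from the complaint; the `min_gap` threshold, the `*.sh` glob and the sample script are assumptions.

```python
"""Flag script content hidden behind a long run of blank lines.

Added example, not code from the original post or from the Fannie Mae
complaint. Any code that appears only after `min_gap` or more consecutive
blank lines is reported with its line number, so a reviewer does not have
to find it by scrolling. The threshold and the sample script are assumptions.
"""
from pathlib import Path
from typing import Dict, List, Tuple

Finding = Tuple[int, int, str]  # (line number, blank lines before it, text)


def find_hidden_blocks(script: str, min_gap: int = 20) -> List[Finding]:
    """Return one finding per code block preceded by >= min_gap blank lines."""
    findings: List[Finding] = []
    run = 0  # length of the current run of blank lines
    for lineno, line in enumerate(script.splitlines(), start=1):
        if not line.strip():
            run += 1
            continue
        if run >= min_gap:
            findings.append((lineno, run, line.strip()))
        run = 0
    return findings


def scan_tree(root: str, glob: str = "*.sh", min_gap: int = 20) -> Dict[str, List[Finding]]:
    """Apply find_hidden_blocks to every file under root matching glob."""
    report: Dict[str, List[Finding]] = {}
    for path in Path(root).rglob(glob):
        hits = find_hidden_blocks(path.read_text(errors="replace"), min_gap)
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample: a harmless four-line wrapper with a second section
# pushed below 60 blank lines, mirroring the layout the complaint describes.
SAMPLE_SCRIPT = (
    "#!/bin/sh\n"
    "# nightly_report.sh (constructed sample)\n"
    "df -h > /tmp/disk_usage.txt\n"
    "echo done\n"
    + "\n" * 60
    + "# second section: only visible after scrolling past the blank lines\n"
    "echo 'trailing section runs here'\n"
)

if __name__ == "__main__":
    for lineno, gap, text in find_hidden_blocks(SAMPLE_SCRIPT):
        print(f"line {lineno}: {gap} blank lines precede: {text!r}")
```

Run it against a real tree with `scan_tree("/path/to/scripts")`; a lower `min_gap` trades more noise for catching shorter gaps.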
