Sudhish Kasaba Ramesh Caused $1.4 Million in Damages to Former Employer
A one-time Cisco engineer has pleaded guilty to causing $1.4 million in damages to his former employer by deleting hundreds of virtual machines, which disrupted nearly 16,000 WebEx customer accounts for weeks, according to the U.S. Justice Department.
Sudhish Kasaba Ramesh, 30, pleaded guilty this week to one charge of intentionally accessing a protected computer without authorization and recklessly causing damage, according to the U.S. Attorney’s Office for the Northern District of California, which is overseeing the case.
Under Justice Department guidelines, Ramesh could face up to five years in federal prison and a $250,000 fine, although his sentence is likely to be lower after pleading guilty. He remains free on $50,000 bond, according to the Justice Department.
Ramesh’s sentencing is now scheduled for Dec. 9 in federal court in San Jose, California, according to court documents. His attorney could not be immediately reached for comment.
While no customer data was damaged or compromised during the incident, the Justice Department estimates that Ramesh caused about $1.4 million worth of damage to Cisco’s internal systems, including the time employees needed to restore the WebEx accounts and virtual machines. In addition, the networking giant was forced to refund $1 million to customers whose accounts had been affected.
While the criminal charge against Ramesh was only brought in July, the incident that led to the damage of the virtual machines and the WebEx accounts took place in September 2018.
In April 2018, Ramesh resigned from his position at Cisco for unstated reasons, according to the Justice Department. Sometime after he left, federal prosecutors allege, Ramesh accessed Cisco’s internal cloud infrastructure, which was hosted on Amazon Web Services.
During this time, Ramesh deployed malicious code from his own Google Cloud Platform account, which then deleted 456 virtual machines used to support Cisco’s WebEx application, which provides video conferencing and collaboration tools to customers, according to the Justice Department.
The wiping of these virtual machines affected about 16,000 WebEx accounts over the course of two weeks, which forced Cisco to restore part of its cloud infrastructure and then refund customers, according to federal prosecutors.
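The incident above is a case for detecting two signals in cloud audit logs: any API activity by an identity that should have been offboarded, and a burst of instance deletions by a single principal. The following is an added example, not Cisco's or the DOJ's code; it uses constructed records laid out like AWS CloudTrail events and a hypothetical offboarding list, and the thresholds are assumptions to tune per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records in CloudTrail's field layout (not real Cisco logs):
# a burst of TerminateInstances calls by one IAM user, plus ordinary activity.
SAMPLE_EVENTS = json.dumps([
    {"eventTime": "2018-09-24T10:00:00Z", "eventName": "TerminateInstances",
     "userIdentity": {"userName": "former-engineer"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2018-09-24T10:00:05Z", "eventName": "TerminateInstances",
     "userIdentity": {"userName": "former-engineer"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2018-09-24T10:00:09Z", "eventName": "TerminateInstances",
     "userIdentity": {"userName": "former-engineer"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2018-09-24T10:01:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "ops-admin"}, "sourceIPAddress": "198.51.100.2"},
    {"eventTime": "2018-09-24T11:30:00Z", "eventName": "TerminateInstances",
     "userIdentity": {"userName": "ops-admin"}, "sourceIPAddress": "198.51.100.2"},
])

# Hypothetical offboarding list: identities that should have no access at all.
DEPARTED_USERS = {"former-engineer"}


def parse_events(raw_json):
    """Parse a JSON array of CloudTrail-style records into sorted (time, user, action, ip) tuples."""
    out = []
    for rec in json.loads(raw_json):
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append((ts, rec["userIdentity"].get("userName", "?"), rec["eventName"], rec["sourceIPAddress"]))
    return sorted(out)


def detect(events, threshold=3, window=timedelta(minutes=10)):
    """Return alerts: any activity by a departed identity, and any principal whose
    TerminateInstances calls reach `threshold` inside a sliding `window`."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of recent terminate calls
    for ts, user, action, ip in events:
        if user in DEPARTED_USERS:
            alerts.append(("departed-user-activity", user, action, ip))
        if action != "TerminateInstances":
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) == threshold:  # fire once, when the threshold is first crossed
            alerts.append(("bulk-terminate", user, str(len(recent[user])), ip))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The departed-identity check only works if the offboarding list is fed from HR systems and the log source covers every account the person could reach, which is the gap the court documents leave open here.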
“[Ramesh] further admitted that he acted recklessly in deploying the code, and consciously disregarded the substantial risk that his conduct could harm Cisco,” the Justice Department notes.
After assessing the damage, Cisco contacted the FBI and a criminal investigation started, a company spokesperson says.
“Cisco addressed the issue in September 2018 as quickly as possible, ensured no customer information was compromised, and implemented additional safeguards,” a Cisco spokesperson tells Information Security Media Group. “We brought this issue directly to law enforcement and appreciate their partnership in bringing this person to justice. We are confident processes are in place to prevent a recurrence.”
The court documents in the case do not mention how Ramesh maintained his access to Cisco’s cloud infrastructure after he left, or what led the FBI to press criminal charges against him. The guilty plea agreement between Ramesh and the Justice Department remains under seal.
Ramesh is currently employed with another company as an engineer, according to court documents.
Cause for Concern
In the 2020 Verizon Data Breach Investigations Report released in May, analysts found that insider threats now account for about 30% of the breaches and security incidents that they track (see: Verizon: Breaches Targeting Cloud-Based Data Doubled in 2019).
“Admittedly, there is a distinct rise in internal actors in the data set these past few years, but that is more likely to be an artifact of increased reporting of internal errors rather than evidence of actual malice from internal actors,” according to the Verizon report.
Rick Holland, CISO at security firm Digital Shadows, notes that before COVID-19, spotting the type of malicious insider behavior that CISOs encountered might have been easier, but now, with nearly every employee remote, finding these types of threats is more difficult.
“Organizations need to conduct an insider threat risk assessment on their critical business functions that could be leveraged by an insider to conduct fraud,” Holland told ISMG. “In the pre-pandemic world, identifying shadow IT was easier. Outbound web traffic would often be used to identify services procured outside of the IT department. Now that traffic is being routed through ISPs, organizations should work with accounting departments to identify shadow IT expenses. Once identified, these services and applications should be incorporated into single sign-on solutions with multi-factor authentication enabled.”