
Digital Guardian's Blog

Collaboration, Activity Monitoring Key to Identifying Hacker

by Chris Brook on Friday August 7, 2020


The FBI recently reflected on the arrest of a hacker who stole intellectual property from a tech company, including how collaboration and activity monitoring played a role in tracking him down.

When Christian William Kight – a.k.a. Drillo – hacked into an Atlanta-based computer analytics company in 2017, he thought he was covering his tracks. He used virtual private networks (VPNs), deleted log data, and took other steps to conceal his identity and obfuscate his location.

After gaining a foothold in the unnamed company’s systems, which he was able to do after learning how to download scripts from hacker forums, he downloaded the company’s data to his own machine and deleted it from the company’s systems.

Kight, who pleaded guilty to extortion, computer fraud, and wire fraud and was sentenced to more than seven years in prison this past spring, exfiltrated data files and deleted data and log files when he was done, but he still left some traces of his activity behind.

According to the FBI, when the company contacted the agency, it shared critical information from its network's access logs and other records that was instrumental in tracking Drillo down. Ultimately that information let investigators determine Kight's IP address; a search warrant executed at his San Clemente, California residence yielded even more evidence.

Despite occurring more than two years ago, the FBI recently elaborated on the case on its website, something it does from time to time after the dust has settled and a sentence has been handed down.

“In the cyber world, it’s very hard to secure a network to the point that it’s never breachable, but you can make it as difficult as possible to break in,” Tyson Fowler, a special agent with the FBI, said last month, reflecting on the case.

After he had deleted the data, Kight attempted to extort money from the company in exchange for its intellectual property. When the company said it was going to contact law enforcement, he doubled down on his efforts and threatened to send "reputation-harming letters to the company’s clients and disseminate the data he had stolen."

According to the FBI, Kight defended his actions, claiming he wasn't trying to extort the company but instead trying to “work out a deal.”

“And no, I’m really NOT an extortionist,” Kight wrote in an email to the CEO, per the FBI, “I would like to see how much you think it’s worth, and if it’s fair, we'll leave it at that.”

The U.S. Attorney overseeing the case said in March that Kight actually gained access to multiple companies and organizations – it was just the analytics company that he attempted to extort.

“Kight’s scheme against this company is unfortunately all too common and highlights the ever-growing need to remain vigilant in cybersecurity efforts,” Chris Hacker, the head of the FBI’s Atlanta office, added, after Kight’s sentencing was announced.

On top of stealing the company’s data and attempting to extort it, he also offered the company’s CEO a 40-page report of the company’s “security shortcomings,” screenshots to show he’d obtained the data, and a video file documenting his hacking.

The company was able to recover the data within a few days thanks to what the FBI deemed a "robust backup system" but that doesn’t alter the fact that its sensitive data was stolen.

Strong activity monitoring helped authorities track the hacker, but having stronger defenses in place around sensitive data like IP may have prevented it from being taken, moved, or deleted in the first place.


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.