Full Report
PowerShell script locked thousands of workers out of their accounts
An Ohio IT contractor has pleaded guilty to breaking into his former employer's systems and causing nearly $1 million worth of damage after being fired. …
Analysis Summary
# Incident Report: Retaliatory Credential Misuse and System Sabotage
## Executive Summary
A former IT contractor gained unauthorized access to his previous employer's network using impersonated credentials following his termination. The attacker executed a malicious PowerShell script to reset approximately 2,500 user passwords, effectively locking out thousands of employees and contractors. This act of sabotage resulted in over $862,000 in damages due to operational downtime and remediation costs. The attacker has since pleaded guilty to the intrusion.
## Incident Details
- Discovery Date: Not explicitly stated, but the attack occurred on May 14, 2021.
- Incident Date: May 14, 2021
- Affected Organization: Unspecified, speculated by local media to be Houston-based Waste Management.
- Sector: IT/Contracting Services (the impacted organization is likely Waste Management, a waste collection company).
- Geography: Ohio (Where the contractor was based) and US-wide (Impacted employees/contractors).
## Timeline of Events
### Initial Access
- Date/Time: May 14, 2021
- Vector: Compromised/Impersonated Credentials.
- Details: The former contractor, Maxwell Schultz, impersonated another contractor to regain access to the company network after his own credentials were revoked.
### Lateral Movement
- Details: Not fully detailed, but the attacker accessed network functions necessary to deploy the destructive script and cover his tracks.
### Data Exfiltration/Impact
- Details: The primary impact was operational lockout. The attacker ran a PowerShell script which resulted in the resetting of approximately 2,500 user passwords, preventing thousands of employees/contractors from accessing the company network. The attacker also searched for and deleted system logs to cover his actions, succeeding in clearing PowerShell window events in some cases.
### Detection & Response
- Details: The attack was detected when employees were locked out of their accounts. The response involved significant remediation to restore system access and service functionality. The judicial process followed, culminating in a guilty plea from the attacker.
## Attack Methodology
- Initial Access: Impersonation/Use of compromised/stolen contractor credentials after termination.
- Persistence: Not explicitly detailed; access was evidently retained long enough to execute the script.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: Attempted to delete system logs and clear PowerShell window events to cover operational activities.
- Credential Access: Used impersonated credentials (Details of how the impersonation was achieved are not specified).
- Discovery: Not explicitly detailed; some reconnaissance is assumed to have occurred as a prerequisite.
- Lateral Movement: Implied movement necessary to deploy the destructive script across relevant systems.
- Collection: Focused on system cleanup/log deletion rather than traditional data exfiltration.
- Exfiltration: Not the primary vector.
- Impact: Sabotage via mass password reset accomplished via malicious PowerShell script execution.
## Impact Assessment
- Financial: Over $862,000 in damages related to employee downtime, disruption of customer service functions, and remediation costs.
- Data Breach: No large-scale data exfiltration confirmed; impact focused on systemic availability and integrity compromise.
- Operational: Thousands of employees and contractors across the US were locked out of the company network, severely disrupting business functions (including customer service).
- Reputational: Not publicly detailed, but likely negative publicity related to the security failure.
## Indicators of Compromise
- Behavioral Indicators: Execution of mass password reset commands across the directory service; manipulation or deletion of security event logs (System, Security, PowerShell logs).
- File Indicators: Execution of a malicious PowerShell script.
- Network Indicators: N/A (Focus was on internal execution).
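The two behavioral indicators above (a burst of directory password resets from one account, followed by clearing of Security and PowerShell logs) can be detected from forwarded Windows events before an attacker finishes covering their tracks, provided the events are already shipped off-host. The following is an added example written for this report, not code from the case or from any vendor. It uses the real Windows event IDs 4724 (password reset attempted), 1102 (Security log cleared), 104 (other event log cleared) and 4104 (PowerShell script block logged), but the JSON record shape, field names, the 20-resets-in-10-minutes threshold and the sample log lines are constructed assumptions.

```python
"""Detect mass password resets and event-log clearing in forwarded Windows events.

Added example for the incident above. Event IDs are real Windows IDs; the
JSON-lines record shape, field names and sample data are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RESET_EVENT = 4724          # An attempt was made to reset an account's password
LOG_CLEARED = {1102, 104}   # Security log cleared / other event log cleared
SCRIPT_BLOCK = 4104         # PowerShell script block logging
CLEAR_PATTERNS = ("clear-eventlog", "wevtutil cl", "wevtutil.exe cl", "remove-eventlog")
RESET_CMDLETS = ("set-adaccountpassword", "set-localuser", "net user")
ENUM_CMDLETS = ("get-aduser", "-filter *", "get-localuser")


def _event(ts, event_id, subject, **data):
    # Build one constructed JSON-lines record (assumed collector format).
    return json.dumps({"TimeCreated": ts.isoformat(), "EventID": event_id,
                       "SubjectUserName": subject, **data})


BASE = datetime(2021, 5, 14, 20, 0, 0)
SAMPLE_LOG_LINES = (
    # Benign helpdesk activity: three resets spread over the working day.
    [_event(BASE - timedelta(hours=h), RESET_EVENT, "helpdesk01",
            TargetUserName=f"user{h}") for h in (9, 5, 2)]
    # Burst: one account resets 40 distinct users in under two minutes.
    + [_event(BASE + timedelta(seconds=3 * i), RESET_EVENT, "contractor02",
              TargetUserName=f"emp{i:04d}") for i in range(40)]
    # Script block logging captured the bulk-reset pipeline itself.
    + [_event(BASE + timedelta(seconds=1), SCRIPT_BLOCK, "contractor02",
              ScriptBlockText="Get-ADUser -Filter * | Set-ADAccountPassword -Reset -NewPassword $p")]
    # Anti-forensics afterwards: Security log cleared, then PowerShell channel cleared.
    + [_event(BASE + timedelta(minutes=3), 1102, "contractor02", Channel="Security")]
    + [_event(BASE + timedelta(minutes=3, seconds=5), SCRIPT_BLOCK, "contractor02",
              ScriptBlockText="wevtutil cl Microsoft-Windows-PowerShell/Operational")]
)


def parse_events(lines):
    """Parse JSON-lines records, convert timestamps, and sort chronologically."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return sorted(events, key=lambda r: r["TimeCreated"])


def detect_reset_bursts(events, threshold=20, window=timedelta(minutes=10)):
    """Alert on any subject that resets >= threshold distinct accounts inside one window.

    Uses a sliding window per subject so a slow, legitimate helpdesk cadence
    never accumulates to the threshold.
    """
    by_subject = defaultdict(list)
    for e in events:
        if e["EventID"] == RESET_EVENT:
            by_subject[e["SubjectUserName"]].append(e)
    alerts = []
    for subject, resets in by_subject.items():
        start, best = 0, 0
        for end in range(len(resets)):
            while resets[end]["TimeCreated"] - resets[start]["TimeCreated"] > window:
                start += 1
            best = max(best, len({r["TargetUserName"] for r in resets[start:end + 1]}))
        if best >= threshold:
            alerts.append({"rule": "mass_password_reset", "subject": subject, "targets": best})
    return alerts


def detect_log_tampering(events):
    """Alert on log-cleared events and on script blocks that clear logs or bulk-reset."""
    alerts = []
    for e in events:
        if e["EventID"] in LOG_CLEARED:
            alerts.append({"rule": "event_log_cleared", "subject": e["SubjectUserName"],
                           "channel": e.get("Channel", "unknown")})
        elif e["EventID"] == SCRIPT_BLOCK:
            text = e.get("ScriptBlockText", "").lower()
            if any(p in text for p in CLEAR_PATTERNS):
                alerts.append({"rule": "log_clearing_command", "subject": e["SubjectUserName"]})
            # A reset cmdlet fed by a directory enumeration is the bulk-reset shape.
            if any(p in text for p in RESET_CMDLETS) and any(p in text for p in ENUM_CMDLETS):
                alerts.append({"rule": "bulk_reset_script", "subject": e["SubjectUserName"]})
    return alerts


def run_detections(lines):
    """Run both detections over raw log lines and return all alerts."""
    events = parse_events(lines)
    return detect_reset_bursts(events) + detect_log_tampering(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG_LINES):
        print(alert)
```

Run against the constructed sample it raises four alerts, all attributed to `contractor02`, and none for the helpdesk account; in a real deployment the 1102/104 events are the ones that must reach the collector before the channel is cleared, which is why the recommendation below on centralized, tamper-resistant logging matters more than the threshold choice.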
## Response Actions
- Containment: Immediate action likely involved halting the effects of the script, potentially involving disabling the compromised account or isolating network segments where script execution was active.
- Eradication Steps: Clearing access granted through the compromised credentials; validating system integrity after attempted log clearing.
- Recovery Actions: Massive effort to restore access for approximately 2,500 users by manually verifying and resetting passwords/identities, and restoring system functionality/services.
## Lessons Learned
- Insider threat preparedness is critical, especially following adverse separation (such as termination).
- Access revocation processes, particularly for external contractors or third parties, must be immediate and comprehensive across all network layers.
- Log integrity protection is crucial, as attackers specifically targeted log deletion to evade detection/investigation.
## Recommendations
- Implement immediate and automated de-provisioning workflows for all termination scenarios, including automated revocation of VPN, SSH, and remote access tokens.
- Enforce robust logging redundancy and integrity controls (e.g., write-once storage or centralized, tamper-proof logging servers) to prevent insider adversaries from covering their tracks.
- Review and potentially restrict PowerShell execution rights for contractors or non-standard users to prevent the deployment of mass utility scripts.