Full Report
TRENTON, N.J. – A Missouri man has pleaded guilty to crimes related to his hacking of computer networks and extortion of employees, U.S. Attorney Robert Frazer announced. Daniel Rhyne, 59, of Kansas City, Missouri, pleaded guilty on April 1, 2026 before U.S. District Judge Michael A. Shipp in Trenton federal court to an information charging...
Analysis Summary
# Incident Report: Insider Threat and Extortion at National Industrial Company
## Executive Summary
Daniel Rhyne, a core infrastructure engineer for a U.S.-based industrial company, leveraged his privileged access to sabotage the organization's network and extort his employer. The incident involved the deletion of administrator accounts, server shutdowns, and a demand for $750,000 in Bitcoin. Rhyne eventually pleaded guilty to federal extortion and computer damage charges in April 2026.
## Incident Details
- **Discovery Date:** November 25, 2023
- **Incident Date:** November 2023
- **Affected Organization:** An unnamed national industrial company, referred to in court filings as "Victim-1"
- **Sector:** Industrial / Infrastructure
- **Geography:** Headquarters in New Jersey; Attacker based in Missouri
## Timeline of Events
### Initial Access
- **Date/Time:** Early November 2023
- **Vector:** Valid Internal Credentials (Privileged Insider)
- **Details:** As a core infrastructure engineer, Rhyne used his existing authorized access to log into the network and begin preparing malicious scripts.
### Lateral Movement
- **Details:** Rhyne initiated unauthorized Remote Desktop Protocol (RDP) sessions within the network to access various servers and management consoles.
### Data Exfiltration/Impact
- **Date/Time:** November 25, 2023
- **Details:** Scheduled tasks ran to delete network administrator accounts and change the passwords of critical service accounts. Multiple company servers were forcibly shut down to disrupt operations.
### Detection & Response
- **Detection:** The attack was discovered when the perpetrator sent an extortion email to company employees demanding 20 Bitcoin (approx. $750,000).
- **Response Actions:** Investigation by the FBI’s Newark and Kansas City field offices led to the identification and prosecution of Rhyne.
## Attack Methodology
- **Initial Access:** Authorized employee access (Insider Threat).
- **Persistence:** Created scheduled tasks to trigger malicious actions even if he was not actively logged in.
- **Privilege Escalation:** None required; used the administrative privileges already granted to his "Core Infrastructure Engineer" role.
- **Defense Evasion:** Manipulated administrative accounts and passwords to lock out legitimate IT staff.
- **Credential Access:** Changed passwords to existing Victim-1 accounts to consolidate control.
- **Discovery:** Internal reconnaissance of server infrastructure and admin account lists.
- **Lateral Movement:** Unauthorized RDP sessions.
- **Collection:** N/A (Focus was on disruption rather than data theft).
- **Exfiltration:** N/A.
- **Impact:** Intentional system shutdown and account deletion (T1485 - Data Destruction; T1529 - System Shutdown/Reboot).
## Impact Assessment
- **Financial:** Extortion demand of 20 Bitcoin ($750,000); unspecified costs related to incident response and recovery.
- **Data Breach:** No data theft reported, but a significant loss of availability of administrative access.
- **Operational:** Critical disruption due to server shutdowns and the disabling of IT administrator accounts.
- **Reputational:** Public disclosure of the incident following federal prosecution.
## Indicators of Compromise
- **Network:** No external indicators; the relevant traffic was internal RDP sessions originating from Rhyne’s workstation.
- **File:** Scheduled tasks designed to execute account deletion and system shutdown scripts.
- **Behavioral:** Unauthorized RDP sessions during non-working hours; mass deletion of administrator-level accounts.
## Response Actions
- **Containment:** Efforts to regain control of overwritten or deleted administrator accounts.
- **Eradication:** Removal of malicious scheduled tasks and restoration of server functionality.
- **Recovery:** Restoration of primary infrastructure services and engagement with federal law enforcement (FBI).
## Lessons Learned
- **Key Takeaways:** High-level administrative access poses a significant risk if not monitored, even for "trusted" long-term employees.
- **Gaps:** The ability of a single engineer to delete every other administrator account indicates the absence of quorum-based or "four-eyes" approval for critical infrastructure changes.
## Recommendations
- **Implement Privileged Access Management (PAM):** Require justification and multi-party approval for high-impact changes like deleting admin accounts.
- **Behavioral Analytics:** Deploy User and Entity Behavior Analytics (UEBA) to flag unusual activity, such as an engineer setting mass-deletion tasks or accessing the network at irregular hours.
- **Immutable Backups:** Ensure that account directories and server configurations are backed up in a way that cannot be deleted by a single compromised or malicious administrator.
- **Segregation of Duties:** Ensure that no single individual has total control over the entire core infrastructure without oversight.
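As an added illustration of the behavioral indicators and the UEBA recommendation above (example code written for this report, not taken from the press release or any named product), the following Python rules flag off-hours RDP logons, bursts of account deletions by a single actor, and newly registered scheduled tasks with destructive actions, run over constructed Windows Security event records. The event IDs (4624, 4698, 4726) are real Windows Security log IDs; the sample events, the business-hours range, the thresholds and the keyword list are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample Windows Security events (not real logs from the incident).
# 4624 = logon (LogonType 10 = RDP), 4698 = scheduled task created, 4726 = account deleted.
EVENTS = [
    {"id": 4624, "time": "2023-11-24T23:10:00", "user": "ENG01", "logon_type": 10},
    {"id": 4698, "time": "2023-11-24T23:15:00", "user": "ENG01",
     "task": "Cleanup", "action": "cmd /c shutdown /s /t 0"},
    {"id": 4726, "time": "2023-11-25T00:01:00", "user": "ENG01", "target": "adm_alice"},
    {"id": 4726, "time": "2023-11-25T00:01:05", "user": "ENG01", "target": "adm_bob"},
    {"id": 4726, "time": "2023-11-25T00:01:10", "user": "ENG01", "target": "adm_carol"},
    {"id": 4624, "time": "2023-11-25T09:30:00", "user": "HELPDESK", "logon_type": 10},
    {"id": 4726, "time": "2023-11-25T10:00:00", "user": "HELPDESK", "target": "intern_dave"},
]

BUSINESS_HOURS = range(8, 19)                            # 08:00-18:59 local; assumed policy
DESTRUCTIVE = ("shutdown", "remove-aduser", "/delete")  # assumed keyword list

def off_hours_rdp(events):
    """Rule 1: RDP logons (4624, LogonType 10) outside business hours."""
    return [e for e in events if e["id"] == 4624 and e.get("logon_type") == 10
            and datetime.fromisoformat(e["time"]).hour not in BUSINESS_HOURS]

def mass_account_deletion(events, threshold=3, window_s=300):
    """Rule 2: actors who deleted >= threshold accounts within window_s seconds."""
    by_actor = defaultdict(list)
    for e in events:
        if e["id"] == 4726:
            by_actor[e["user"]].append(datetime.fromisoformat(e["time"]))
    hits = []
    for actor, times in by_actor.items():
        times.sort()
        # Sliding window over sorted timestamps: any `threshold` consecutive deletions inside window_s.
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1)):
            hits.append(actor)
    return hits

def destructive_scheduled_tasks(events):
    """Rule 3: scheduled tasks (4698) whose action contains a destructive keyword."""
    return [e for e in events if e["id"] == 4698
            and any(k in e["action"].lower() for k in DESTRUCTIVE)]

def run_all(events):
    """Return what each rule flagged, as a simple UEBA pipeline would surface it."""
    return {"off_hours_rdp": sorted({e["user"] for e in off_hours_rdp(events)}),
            "mass_deletion": mass_account_deletion(events),
            "destructive_tasks": [e["task"] for e in destructive_scheduled_tasks(events)]}
```

Each rule alone produces noise in a large estate; the insider pattern here is the same actor tripping all three within a short span, which is the correlation a UEBA deployment should score.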