- BBC journalist was targeted by hackers offering a cut of a ransom
- The gang introduced itself with links to darknet addresses and forums
- MFA bombing transformed online negotiations into an invasive and disturbing confrontation
The concept of an insider threat in cyber security is often discussed in abstract terms, a theoretical vulnerability that organizations know about but rarely confront directly.
But this abstract risk became a tangible reality for the BBC cyber correspondent Joe Tidy when he was unexpectedly approached by a person who called himself Vision and claimed to represent the Medusa ransomware group.
The unsolicited contact, initiated on the encrypted messaging app Signal, presented a straightforward yet criminal proposal: to give access to the BBC's internal systems in exchange for a percentage of a future ransom payment.
The proposal and lure of lucrative gains
After consultation with senior editorial figures, Tidy was cleared to engage with the individual to understand the mechanics of the proposal.
Vision outlined a process in which the journalist would hand over his login credentials so that the gang could infiltrate the BBC's network, deploy malware and extort the company.
The financial pitch escalated aggressively, with Vision suggesting that the correspondent could receive 25% of a ransom calculated as a percentage of the BBC's total revenue.
To establish credibility, Vision provided a link to Medusa's darknet address and pointed to previous alleged successes.
He named a British health company and an American relief provider as examples of where insider deals had allegedly facilitated attacks.
After several days of conversation, Tidy's attempt to pause in order to consult internal security experts was met with a drastic shift in tactics from the criminals.
The previously conversational Vision became impatient, demanded immediate action and tried to pressure Tidy with talk of a future life on a beach.
This verbal pressure quickly turned into a direct technical attack when Tidy's phone was suddenly flooded with a barrage of two-factor approval pop-ups.
This technique is known as MFA bombing: attackers spam login requests in the hope that the victim will accidentally approve one. It transformed the situation from a distant negotiation into a disturbing, direct confrontation.
The BBC had to disconnect Tidy from all BBC systems as a precautionary measure.
The criminals' subsequent communications were strangely apologetic, but they maintained that the original offer was still available.
“The team apologizes. We tested your BBC login page and are extremely upset if this caused you trouble,” they said.
The incident ended with the hackers eventually deleting their account after receiving no further replies.
While Tidy lacked the high-level access that the criminals mistakenly assumed he had, the episode served as a chilling case study of how cyber criminals now use a mixture of financial incentives and aggressive technical coercion to pursue their goals.
Organizations should therefore treat such contacts with skepticism and ensure that staff can quickly report unusual approaches.
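On the defensive side, the flood of approval prompts described above is visible in authentication logs as a burst of push requests for one account. The following is an added example, not part of the original article: a small detector that flags such bursts. The log format, the user names, and the thresholds (more than 4 prompts in 5 minutes) are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): timestamp, user, prompt result.
SAMPLE_LOG = """\
2025-01-10T09:00:05Z alice approved
2025-01-10T21:14:02Z jdoe timeout
2025-01-10T21:14:20Z jdoe denied
2025-01-10T21:14:41Z jdoe timeout
2025-01-10T21:15:03Z jdoe denied
2025-01-10T21:15:30Z jdoe timeout
2025-01-10T21:15:55Z jdoe approved
2025-01-11T08:30:00Z bob denied
2025-01-11T12:30:00Z bob approved
"""

def parse(line):
    """Split one assumed-format log line into (datetime, user, result)."""
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def detect_push_bursts(log_text, max_prompts=4, window=timedelta(minutes=5)):
    """Flag users who receive more than max_prompts MFA prompts inside the
    sliding window. An approval that lands during a burst is 'critical',
    because it may be the accidental approval the attacker is waiting for."""
    recent = defaultdict(deque)  # user -> timestamps of prompts in the window
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, user, result = parse(line)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) > max_prompts:
            severity = "critical" if result == "approved" else "warning"
            alerts.append((user, ts.isoformat(), len(q), severity))
    return alerts

if __name__ == "__main__":
    for alert in detect_push_bursts(SAMPLE_LOG):
        print(alert)
```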



