A US programmer working on critical infrastructure secretly outsourced most of his highly paid and security-sensitive job to Chinese programmers while he surfed eBay, updated his Facebook profile and watched videos of cats, Verizon has reported.
The story sounds as incredible as it must have been serious – but read on because there is a final twist.
Called in by a concerned company worried about anomalies in its logs, Verizon originally suspected that the company’s network had been compromised by Chinese hackers after discovering access from a Shenyang-based company through an unauthorised VPN.
Incredibly, after studying six months’ worth of server logs, it turned out that the access appeared to happen daily and sometimes for an entire workday at a time.
The firm believed it had fallen victim to a dastardly new malware attack able somehow to re-route traffic between countries via its network, but the explanation turned out to be a mild-mannered family man and employee called – to preserve his anonymity – “Bob”.
Bob was highly proficient in C, C++, Perl, Java, Ruby, PHP and Python, and what he had been up to became apparent as soon as investigators took a closer look at the hard drive of his workstation.
What they found were hundreds of PDF invoices from a Chinese developer for the programming work he was supposed to have been carrying out himself.
To allow the incredible outsourcing scam to work, Bob had even FedExed his RSA authentication token to the Chinese developers so they could log in through the VPN.
Then investigators looked at Bob's web browsing history to see what he’d been up to during his work time:
“A typical ‘work day’ for Bob looked like this:
9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos.
11:30 a.m. – Take lunch
1:00 p.m. – eBay time.
2:00-ish p.m. – Facebook updates – LinkedIn.
4:30 p.m. – End of day update e-mail to management.
5:00 p.m. – Go home.”
The Chinese firm had been paid $50,000 for its work, a small part of Bob's annual salary.
The punchline? Bob was considered an excellent worker, praised for handing in his clean code on time. “Quarter after quarter, his performance review noted him as the best developer in the building,” said Verizon.
Less amusing is that the company Bob was coding for worked on critical infrastructure (Verizon leaves the firm unnamed for obvious reasons).
"We have yet to see what impact this incident will have, but providing programming code used to run critical national infrastructure providers' systems to off-shore firms seems dangerous at best," commented Nick Cavalancia of Internet monitoring firm, SpectorSoft.
"What many organisations fail to understand is that with effective, proactive monitoring that can alert IT security teams when unacceptable online behaviors occur, this type of activity can be thwarted before it becomes an incident," he said.
The full Verizon case study can be found at Verizon's website (note: has been inaccessible for periods).