Ex-IT admin implanted keylogger in computers before leaving company and monitored 70 employees for 5 years

Cybersecurity threats don’t always come from outside; they are often caused by employees or other people with some level of access to a company’s networks. This is the case of Richard Liriano, a former IT employee at a hospital in New York, US, who has pleaded guilty to a cybercrime that affected his former co-workers.

Liriano reportedly installed a keylogger program on multiple computers operated by his former co-workers to steal usernames and passwords for work platforms, email and social media profiles.

Once the accused had extracted the access credentials of those affected, he repeatedly accessed protected online accounts, which held confidential details such as contact lists, personal photographs and videos, work files and other private documents. The report, released by the cybersecurity area of the US Department of Justice (DOJ), mentions that the former employee used “a software variant with the specific purpose of recording the keystrokes of each target employee”.

After an internal investigation, Liriano was discovered, prosecuted and convicted of abusing his access to compromise the documents and personal information of other employees between 2013 and 2018.

During his active period, the defendant managed to steal about 70 credentials for employees’ email and social media accounts, which accounted for losses of over $350k USD to the hospital administration. Liriano was arrested last November and pleaded guilty to a cybersecurity intrusion with the intention of harming users, an offence that carries a sentence of up to 10 years in prison; the defendant will learn his final sentence next April.

A cybersecurity report published last December by Trend Micro states that internal threats can cause much greater damage than an external cyberattack, because the internal threat actor, usually known as an “insider”, can access networks without generating the usual indicators of anomalous activity, which is highly risky for the affected company.
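One indicator that a case like the one above does leave behind is a single workstation successfully authenticating to many different employees’ accounts in a short period, which is unusual for anyone other than the account owners themselves. The following is an added, defender-side example written for this page, not code from the article, the DOJ filing or Trend Micro; the log format, the 24-hour window and the threshold of five accounts are assumptions, and the log lines are constructed.

```python
"""
Flag source hosts that successfully log in to an unusually large number of
distinct user accounts within a sliding time window.

Added illustration for this article (not from the original page). The log
format "<ISO timestamp> <source_host> <account> <result>", the default
24-hour window and the threshold of 5 accounts are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log. ws-it-01 logs in to six different
# accounts in one morning; ws-hr-07 only ever logs in as its own user.
SAMPLE_LOG = """\
2018-03-01T08:00:00 ws-hr-07 bwhite SUCCESS
2018-03-01T08:05:00 ws-it-01 itadmin SUCCESS
2018-03-01T09:10:00 ws-it-01 jsmith SUCCESS
2018-03-01T09:12:00 ws-it-01 mlee SUCCESS
2018-03-01T09:15:00 ws-it-01 rgarcia FAILED
2018-03-01T09:16:00 ws-it-01 rgarcia SUCCESS
2018-03-01T10:30:00 ws-it-01 tchen SUCCESS
2018-03-01T13:00:00 ws-hr-07 bwhite SUCCESS
2018-03-01T14:45:00 ws-it-01 anguyen SUCCESS
2018-03-01T17:00:00 ws-hr-07 bwhite SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, host, account, result)."""
    ts, host, account, result = line.split()
    return datetime.fromisoformat(ts), host, account, result


def flag_hosts(log_text, window=timedelta(hours=24), threshold=5):
    """Return {host: sorted list of accounts} for every host that had
    successful logins to more than `threshold` distinct accounts inside
    any window of length `window`. Failed attempts are ignored because
    the behaviour of interest is use of credentials that already work."""
    events = defaultdict(list)  # host -> [(timestamp, account), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, account, result = parse_line(line)
        if result == "SUCCESS":
            events[host].append((ts, account))

    flagged = {}
    for host, evs in events.items():
        evs.sort()  # chronological order so the window scan is simple
        for i, (start, _) in enumerate(evs):
            # accounts seen from this event until `window` has elapsed
            accounts = {acct for ts, acct in evs[i:] if ts - start <= window}
            if len(accounts) > threshold:
                flagged[host] = sorted(accounts)
                break
    return flagged


if __name__ == "__main__":
    for host, accounts in flag_hosts(SAMPLE_LOG).items():
        print(f"{host}: {len(accounts)} distinct accounts -> {accounts}")
```

The threshold should be tuned to the environment: help-desk or shared terminals legitimately see several users, so a real deployment would whitelist such hosts or compare each host against its own baseline rather than a fixed number.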

This same company suffered an insider attack months ago, in which the attacker managed to steal the information of almost 70k Trend Micro customers with the aim of selling it on illegal hacking forums. Compromised details include full names, email addresses, phone numbers and more. The company claims that its clients’ financial details were not affected during this incident.

According to the International Institute of Cyber Security (IICS), the company was able to implement some measures to prevent further losses, such as shutting down the unauthorized access, disabling potentially compromised accounts, and detecting and dismissing the insider responsible for the attack. The incident was subsequently reported to the authorities, who began an external investigation and launched a lawsuit against the attacker, although it is still unknown how many threat actors were able to access the information exposed during this incident.