News broke on January 22 that Tesla has filed a federal lawsuit accusing Alex Khatilov of stealing upwards of 26,000 highly sensitive company files. Multiple news reports indicate that Khatilov began working for Tesla on December 28, 2020, and almost immediately began uploading files and Python scripts to his Dropbox account. Tesla first confronted Khatilov about his alleged theft on January 6th.
According to the New York Post, “the electric-car maker cast Alex Khatilov as a “willful and malicious” thief who moved some 26,000 highly sensitive company files to his personal Dropbox account “with the deliberate intent to injure Tesla’s business.”1 To the contrary however, Khatilov in an interview with the Post, said “he was told to download the files from Tesla’s system because his job would involve working with some of them. He was trying to make a backup copy of a folder containing the files on his computer, but he “unintentionally” moved the folder into Dropbox.”2
While there has been no information released about how Tesla detected the movement of files to Khatilov’s Dropbox account, it is fair to assume standard security solutions such as web proxies detected Dropbox usage and Endpoint Detection and Response solutions alerted to Python scripts running in anomalous locations. Clearly however, these solutions and others that were deployed did not spot Khatilov’s alleged ‘malicious’ activities prior to file exfiltration.
This unfortunate event reiterates the importance of visibility, context and intent of user actions before exfiltration-related actions and behaviors. Every inside threat follows the same Insider Threat Kill Chain – whether a malicious actor, a compromised trusted user, or a negligent employee — beginning with Reconnaissance (locating the data), Circumvention (testing and avoiding detection), Aggregation (collecting the data), Obfuscation (hiding malicious activity) and finally, Exfiltration. Each of these actions before exfiltration is considered by most C-InT practitioners and analysts as ‘Left of Boom.’
We saw this exact type of ‘left of boom’ activity at AMP, a wealth management company based in Australia and New Zealand in 2018, when DTEX InTERCEPT alerted on these early-attack activities and stopped Yi Zheng, a Chinese contractor from stealing customer data and fleeing the country.
It seems, in the case of the alleged theft attempt by Khatilov at Tesla that these ‘left of boom’ activities may have begun with a Python script. Scripts can contain protected and sensitive information such as IP addresses, User and Passwords, and even Server names. For this reason, the DTEX Counter-Insider Threat Team strongly recommends questioning and reviewing the data from all new hires. Likewise, tracking high volumes of uploads and downloads during early days of onboarding a new hire is strongly recommended.
Also, of note in this purported malicious activity by Khatilov is his supposed attempts to obfuscate the exfiltration of 26,000 files from Tesla’s systems. Obfuscation is common activity that should be captured to provide a full audit trail of admissible evidence should an insider attack be attempted. In this case, a full audit trail would also answer the open questions of whether Khatilov illegally took additional files, if he copied files from the Dropbox account to other locations in the days before he was confronted by Tesla, and whether he sent any of the purportedly stolen files to other persons or entities.
In the case of what will surely be a long and closely watched federal lawsuit brought by Tesla against Khatilov, it is clear that visibility of meta-data elements such as his search and download of files unrelated to his project and scope of work, as Tesla asserts, along with the recognition of the new Python script, would have triggered ‘reconnaissance’ and ‘aggregation’ activities and pushed a DTEX user risk score to a threshold worthy of investigation long before the 26,000 files where pushed to Dropbox.
For more information about the Insider Threat Kill Chain and best practices on how to protect against insider threats, be sure to download our latest eBook: https://www.dtexsystems.com/resources/ebooks/dtex-and-the-insider-threat-kill-chain/
 and  New York Post, ‘Ex-staffer being sued by Tesla denies he stole massive cache of code days after starting work, Noah Manskar, January 22, 2021.