Fired VMware admin admits virtual rampage launched from a McDonald's

Disgruntled Typical sysadmin admits attack that destroyed former employer's servers

Virtual computing is supposed to mean businesses running on computers that aren't really there in the sense they're supposed to be.

Virtual "servers" are files running on an unrelated physical server while a separate piece of software lies to each of them about which is the absolute ruler within that particular world, aging the messages it passes between them to mimic the look of packets that have travelled across long stretches of network between the two kingdoms.

Metaphorically it's much more "Three Musketeers" than "The Collected Works of A.M.Turing."

[IT admins gone wild: 5 rogues to watch out for and Monitor your employees' PCs without going too far]

At least it would be if there were any potential of betrayal, tragic loss and obsessive quest for revenge.

Speaking of which...

...A Georgia man angry over disputes with management that led to his being laid off from an IT job at a pharmaceutical company pleaded guilty yesterday to having attacked and destroyed the entire virtual population of 15 VMware host servers and with them most of his former employer's computer infrastructure.

Crouched menacingly over his laptop keyboard at a table in a Smyrna, Georgia McDonald's, Jason Cornish launched his attack with a free McWiFi connection that took him into the mainstream of the Internet and north to Florham Park, N.J., U.S. headquarters of Japanese drug maker Shionogi.

He was armed with his knowledge of the virtual territory and a list of passwords incompletely deleted after a series of conflicts between local IT staffers and management led Cornish to quit and prompted his boss into a series of minor rebellions that resulted in his being fired as well.

Among those offenses was his refusal to turn over network passwords and control to representatives of the parent company. That decision made the mission much easier for Cornish, who remained with the company for two months as a consultant after his resignation before being laid off against his will, in September of 2010.

On the morning of Feb. 3, Cornish used a Shionogi account to penetrate Shionogi's perimeter defenses and call on the power of a VMware vSphere management console he had secretly installed weeks before.

There were 88 servers running on the network that day – virtual, most of them, but they didn't know that. Life was real enough to each of them.

He scanned the 88. They were doing the work they did every day -- email, order tracking, accounting, fulfillment, customer databases. Security.

One by one he shut them down, deleted their images and sent them into oblivion. All 88.

One by one he did the same to the 15 physical servers in which they'd lived, leaving only empty, mindless husks unable to manage the company's orders, communications, paychecks, or even access the Internet to read about their own tragedy.

The attack cost Shionogi at least $300,000, a number that rose to $800,000 as survivors realized the real impact in lost data, lost business, lost time and the pain of unexpected, undeserved loss.

Cornish closed his laptop and left.

Investigators who closed in afterward were able to trace the attack to the Smyrna McDonald's.

It wasn't quick; it never is. The attack crossed state lines and the web, so it was the feds tracking down the attacker, not local yokels. Feds never know when to quit.

At the McDonald's in Smyrna the trail grew cold, and a little greasy, with that sick feeling you get eating fries that have been away from the hot oil too long.

Eventually one of the feds realized the perp must have been in the McDonald's for a while. Must have ordered something to eat or drink as an excuse for being there. Didn't want it to be too obvious to the locals that the guy using a laptop on an isolated table in the red-and-yellow hell of that greasebucket was using a clandestine virtual infrastructure console to remotely collapse and delete virtualized workloads on a VMware cluster in New Jersey.

People know that kind of trouble when they see it in Smyrna, but a cup of coffee with a sausage, egg and cheese biscuit allays a lot of fears.

Maybe the perp wasn't as smart as he thought, the feds realized. Maybe he left a trail of real paper when he launched his campaign of virtual mayhem.

They were right. They checked the credit receipts.

They noticed a former employee of Shionogi had used his credit card at that same McDonald's just minutes before the attack. It could have been a coincidence. IT guys eat a lot of McDonald's.

This one had good reason to resent Shionogi and what management remained there.

On July 1 they went to visit Cornish.

Cornish is facing 10 years and a fine of $250,000. He almost certainly doesn't have the money.

If he ate at McDonald's a lot, me might not have the time, either.

He'll find out how much time the feds will take when he's sentenced Nov. 10.

Until then, well, if you need a computer consultant with demonstrated skill at virtual infrastructure consolidation and the prevention of VM sprawl, give Cornish a call.

He could probably use the company.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies