Rogue IT Admin Goes Off The Rails And Shuts Down Train Switches

rgMekanic

[H]ard|News
The Register is reporting that a former IT administrator for Canadian Pacific Railway has been jailed for 366 days for sabotaging the railway's computer network. Christopher Victor Grupe had convinced the railway to let him quit instead of firing him following a 12-day suspension for insubordination. After signing a resignation letter, he took his work notebook and credentials, logged into the CPR's computer network, and started his mischief. Grupe removed administrator-level accounts, deleted certain key files, and changed the passwords for other accounts on the networking hardware, then wiped the laptop he used to sideline the switches, destroyed any and all logs in an attempt to cover his tracks, and handed back the computer.

Stiff penalty for sabotaging the system like this. I guess he didn't learn his lesson from the 12-day suspension, then being fired. Perhaps a year and a day will help calm him down. Thanks to cageymaru for the story.

On January 5, the network hit the buffers. IT staff at CPR tried to log into the switches and found they were locked out. According to court documents, parts of the system went down, and staff had to force reboot, and presumably factory reset, all the switches to regain access to the equipment.
 
Since this was intentional, 366 days is not enough. They should have given him 1 year for every network device he sabotaged.
 
Locked switches can cause train derailments or collisions. A switch determines which track a train goes on. He's damn lucky he only got a year.

Or were these managed network switches? Either way interfering with critical infrastructure can have deadly results.
 
I want to know, why was he initially suspended in the 1st place? Obviously whatever review that occurred found in favor of his termination, but what did he do to get that review in the 1st place?
 
The supervisor that let Mr Grupe access the network after resigning in less than good graces should also face punitive measures from the company. Agree that his sentence is not near enough. Depending on what the network controlled, he could have easily put hundreds of folks at risk.
 
'Shots down'
The Register is reporting that a former IT administrator for Canadian Pacific Railway has been jailed for 366 days for sabotaging the railway's computer network. Christopher Victor Grupe had convinced the railway to let him quit instead of firing him following a 12-day suspension for insubordination. After signing a resignation letter, he took his work notebook and credentials, logged into the CPR's computer network, and started his mischief. Grupe removed administrator-level accounts, deleted certain key files, and changed the passwords for other accounts on the networking hardware, then wiped the laptop he used to sideline the switches, destroyed any and all logs in an attempt to cover his tracks, and handed back the computer.

Stiff penalty for sabotaging the system like this. I guess he didn't learn his lesson from the 12-day suspension, then being fired. Perhaps a year and a day will help calm him down. Thanks to cageymaru for the story.

On January 5, the network hit the buffers. IT staff at CPR tried to log into the switches and found they were locked out. According to court documents, parts of the system went down, and staff had to force reboot, and presumably factory reset, all the switches to regain access to the equipment.

Um, "Shots Down" instead of "Shuts Down" in the title.
 
I laughed last year and I laughed now.

October 10, 2017

However, on December 17, 2015, before returning his laptop and remote access device, GRUPE used both to gain access to the CPR computer network’s core “switches” – high-powered computers through which critical data in the CPR network flowed. Once inside, GRUPE strategically deleted files, removed administrative-level accounts, and changed passwords on the remaining administrative-level accounts, thereby locking CPR out of these network switches. GRUPE then attempted to conceal his activity by wiping the laptop’s hard drive before returning it to CPR.


On January 6, 2016, while trying to address a networking problem, the CPR network staff discovered that they were unable to access the main network switches. After CPR IT staff was able to regain access to the switches through a risky, but successful, rebooting procedure, they discovered evidence in logging data stored in the memory of the switches connecting the damage to GRUPE. CPR hired an outside computer security company to identify the source and scope of the intrusion as well as conduct an incident analysis, which also connected the damage to GRUPE. In total, CPR experienced a financial loss of approximately $30,000 as a result of GRUPE’S conduct.

https://www.justice.gov/usao-mn/pr/...d-company-found-guilty-damaging-ex-employer-s


Mohs said Grupe, who spent 28 years in the military and served in Iraq, had a spotless personnel record in his two-plus years with Canadian Pacific until “he had a confrontation with his immediate boss, yelling at him and using some language he probably shouldn’t have.”

The attorney attributed the outburst and Grupe’s retaliatory crime to stress caused by “working around the clock.”
http://www.startribune.com/former-c...f-damaging-the-company-s-it-system/450423803/
 
In the IT world reputation is everything. I'm a sys admin for many companies. Now ya, I have been let go from some of them. When I leave I make sure the new person that replaces me has all the documentation, all the scripts, and everything I did on the network on a daily basis. The companies I was let go from always gave me a good word when I moved to others or was hired somewhere else. I'm now a private contractor for major cell phone companies. I was hired by reputation only. I never even had to give a resume.
 
I used to work with the BNSF IT helpdesk. Seriously, the cost of delays for certain shipments can be in the multi-billion dollar range. 366 days is a light sentence.
 
Who watches the Watchmen?

Some places have redundant admins who have their own administrative rights to all systems in case one goes rogue. But most places...that's too much money to spend.
 
Who watches the Watchmen?

Some places have redundant admins who have their own administrative rights to all systems in case one goes rogue. But most places...that's too much money to spend.

According to the article, he deleted the admin rights for the other admins, or altered their passwords. Not every IT device has multiple level admin rights either. For some devices it's "Right to alter settings (Y/N)" and that counts as admin.
 
Another example of why you don't let your IT person touch anything once he's being fired. This is SOP almost everywhere.
 
This is a failure of both HR and IT.
  1. Why was he allowed to even use the laptop after signing the document?
  2. Why was he not immediately escorted off the premises?
  3. Why were all his accounts still active after signing the document?
  4. Why was there no backup IT access that he could not override?
There is plenty of incompetence going on here, and his actions are the product of an inferior business and IT process to handle situations like this. If you set up the processes correctly, this should be 100% avoidable.
 
Why were all his accounts still active after signing the document?

Even before that, why did he have access while under suspension? Maybe you don't disable all his accounts, but at least have him turn in his hardware and disable any accounts that let him work remotely. This was a failure on so many levels.
 
There is plenty of incompetence going on here, and his actions are the product of an inferior business and IT process to handle situations like this. If you set up the processes correctly, this should be 100% avoidable.

It's Canadian Pacific, a railway company.

It wouldn't surprise me if any of the other Canadian or American railway companies operated exactly like this, with incompetence at all levels.
 
Locked switches can cause train derailments or collisions. A switch determines which track a train goes on. He's damn lucky he only got a year.

Or were these managed network switches? Either way interfering with critical infrastructure can have deadly results.

I think they are talking about the network switches, not the rail switches. Now, such equipment as rail switches is probably controlled across the network, so it could have the same result. But I tried to actually read the story and I can't find a link in the news post so .......
 
I want to know, why was he initially suspended in the 1st place? Obviously whatever review that occurred found in favor of his termination, but what did he do to get that review in the 1st place?

It's right above, he was suspended for insubordination. You know, like telling your supervisor to go fuck himself is insubordination.
Christopher Victor Grupe had convinced the railway to let him quit instead of firing him following a 12-day suspension for insubordination. After signing a resignation letter,.....................................
 
The supervisor that let Mr Grupe access the network after resigning in less than good graces should also face punitive measures from the company. Agree that his sentence is not near enough. Depending on what the network controlled, he could have easily put hundreds of folks at risk.

Or maybe he had some self restraint and didn't put anyone at risk.
 
In the IT world reputation is everything. I'm a sys admin for many companies. Now ya, I have been let go from some of them. When I leave I make sure the new person that replaces me has all the documentation, all the scripts, and everything I did on the network on a daily basis. The companies I was let go from always gave me a good word when I moved to others or was hired somewhere else. I'm now a private contractor for major cell phone companies. I was hired by reputation only. I never even had to give a resume.


Exactly, my current job is similar, I was known by many including the government contracting officer. They hired me without an interview.
 
Who watches the Watchmen?

Some places have redundant admins who have their own administrative rights to all systems in case one goes rogue. But most places...that's too much money to spend.


Maybe, but with physical access you aren't going to keep them out. At best this arrangement would force the guy to take enough time getting into something vital that it would be noticed and then stopped.
 
It's right above, he was suspended for insubordination. You know, like telling your supervisor to go fuck himself is insubordination.

I know, I know... but there has to be something more to it than just "oh he walked into my office out of the blue and told me to go fuck myself while I was eating my tuna sammich!"
 
The Register is reporting that a former IT administrator for Canadian Pacific Railway has been jailed for 366 days for sabotaging the railway's computer network. Christopher Victor Grupe had convinced the railway to let him quit instead of firing him following a 12-day suspension for insubordination. After signing a resignation letter, he took his work notebook and credentials, logged into the CPR's computer network, and started his mischief. Grupe removed administrator-level accounts, deleted certain key files, and changed the passwords for other accounts on the networking hardware, then wiped the laptop he used to sideline the switches, destroyed any and all logs in an attempt to cover his tracks, and handed back the computer.

Stiff penalty for sabotaging the system like this. I guess he didn't learn his lesson from the 12-day suspension, then being fired. Perhaps a year and a day will help calm him down. Thanks to cageymaru for the story.

On January 5, the network hit the buffers. IT staff at CPR tried to log into the switches and found they were locked out. According to court documents, parts of the system went down, and staff had to force reboot, and presumably factory reset, all the switches to regain access to the equipment.


I think Cageymaru just made the whole thing up since it's not linked :ROFLMAO:
 
That's really no excuse.


It's Canadian Pacific, a railway company.

It wouldn't surprise me if any of the other Canadian or American railway companies operated exactly like this, with incompetence at all levels.
 