{"id":7696,"date":"2026-04-03T18:38:04","date_gmt":"2026-04-03T18:38:04","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7696"},"modified":"2026-04-03T18:38:04","modified_gmt":"2026-04-03T18:38:04","slug":"a-core-infrastructure-engineer-pleads-guilty-to-federal-charges-in-insider-attack","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7696","title":{"rendered":"A core infrastructure engineer pleads guilty to federal charges in insider attack"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

When Daniel Rhyne pleaded guilty on April 1 to having launched an insider extortion attack against his then-employer, authorities enumerated the techniques he used, including unauthorized remote desktop sessions, deletion of network administrator accounts, changing of passwords, and scheduling unauthorized tasks on the domain controller.\u00a0<\/p>\n

After he shut down key systems and accounts, he sent a note to employees<\/a> in which he claimed to have deleted all backups, and threatened to continue shutting down servers unless he was given bitcoin worth roughly $750,000.<\/p>\n

But what consultants and analysts found most concerning is how commonplace and routine were the techniques he used. In other words, standard security procedures should have blocked almost all of them.<\/p>\n

Preventive actions missing<\/h2>\n

Enterprise insider threats are hardly new<\/a>, but consultants and analysts said that many enterprises don\u2019t take every preventive move that they can, and should, because the IT staff resists, seeing the efforts as excessive monitoring of their activities, and something that also slows down their work.<\/p>\n

Cybersecurity consultant Brian Levine<\/a>, executive director of FormerGov, said, \u201cwhat makes the case interesting was how boringly predictable the attack path was.\u201d<\/p>\n

Levine noted that backups need to always be immutable. \u201cNobody in the company should be able to delete or modify or encrypt the backup for a set period of time,\u201d he said. He also stressed that the principle of least privilege needs to be applied to workers whose jobs change for any reason.\u00a0<\/p>\n

Critically, he argued that the use of various tools should be instantly flagged as concerning. \u201cInstrument Task Scheduler, PsExec, PsPasswd, and net user are high\u2011risk signals. These are the insider\u2019s equivalent of lockpicks,\u201d he said. \u201cThey should generate behavioral alerts when used at scale, off\u2011hours, or from unusual hosts.\u201d<\/p>\n

Levine also suggested extensive system monitoring. \u201cIf someone is RDP\u2019ing into a domain controller at 7:48 a.m. and creating 16 scheduled tasks, you should have a video\u2011like audit trail.\u201d<\/p>\n

Paul Furtado<\/a>, a distinguished VP analyst at Gartner, said he encourages clients to make sure that no single admin can cause this kind of damage.\u00a0<\/p>\n

\u201cCreate a tiered administration model with fragmented authority. This rotates ownership of crown jewel processes, even among senior engineers and administrators,\u201d Furtado advised. IT should also include \u201ca break-glass admin credential stored in hardware security modules or digital vaults [that are] only to be used via testing drills and in case of emergency.\u201d<\/p>\n

Added Flavio Villanustre<\/a>, CISO for the LexisNexis Risk Solutions Group, \u201cthe same accounts used to administer their networks [in the Rhyne case] seemed to be able to irreversibly destroy their backups too, which is an indication that strong segregation of duties was not in place.\u201d<\/p>\n

Rhyne now faces considerable jail time. US Justice Department filings<\/a> said, \u201cthe extortion charge to which Rhyne pleaded guilty carries a maximum penalty of five years in prison, and the intentional damage to a protected computer violation to which Rhyne pleaded guilty carries a maximum penalty of 10 years in prison.\u201d<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

When Daniel Rhyne pleaded guilty on April 1 to having launched an insider extortion attack against his then-employer, authorities enumerated the techniques he used, including unauthorized remote desktop sessions, deletion of network administrator accounts, changing of passwords, and scheduling unauthorized tasks on the domain controller.\u00a0 After he shut down key systems and accounts, he sent […]<\/p>\n","protected":false},"author":0,"featured_media":7697,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7696","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7696"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7696"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7696\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7697"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}