Sysadmin

An Oregon sportswear company is suing its former IT administrator, alleging he left backdoor accounts on their network and used them more than 700 times to search for information for the benefit of its new employer.

According to court documents, Michael Leeper worked for Columbia Sportswear between 2000 and 2014, going through several positions up to senior director of technology infrastructure.

In March 2014, Leeper left Columbia Sportswear to become the CTO at Denali Advanced Integration, a company that sold IT products and provided various consulting services.

During his tenure at Columbia, Leeper had interacted with Denali several times, as Denali was one of the many companies from where Columbia bought hardware and software for its business that spanned several states.

Leeper left two backdoors on Columbia's network

In court documents filed by Columbia on March 1, the company alleges that days before he left, Leeper installed two backdoors on their network.

The backdoors included an account named "jmanning" for a non-existent employee named Jeff Manning, which granted Leeper access to Columbia's network via VPN (Virtual Private Network) and VDI (Virtual Desktop Interface) connections.

The second backdoor was an account named "svcmon," which already existed on the company's network, and which Columbia's IT admins used to monitor network activity.

Columbia said the account had been discontinued in 2007, as they've moved to another monitoring system that didn't need that account. Furthermore, they say that before he left, Leeper also assigned extra permissions to the svcmon account.

Leeper used accounts to get insight in Columbia's business decisions

Columbia claims Leeper used these two accounts (mainly the jmanning account) on more than 700 different occasions to access its network and then to access the email accounts of various Columbia employeesm from where he gained insight into the company's upcoming business decisions, especially those related to its IT infrastructure.

This information allowed Leeper to gain a competitive advantage in his dealings as Denali CTO with his former employer. The legal complaint gives the following example:

In at least one case, Leeper specifically targeted an email concerning a transaction in which Denali had a potential business interest. As of approximately 3:47 p.m. on July 27, 2016, Leeper had logged into the two IT employees’ email accounts and was accessing messages in one of the employees’ “Sent Items” folder.  
At 3:47:26, a message with the subject line “Pure Storage Partner Discussion” arrived in the other employee’s inbox. Within the same second—i.e., at 3:47:26—Leeper switched into the recipient’s email account and accessed the new message.  He then returned to and continued accessing the “Sent Items” folder of the first employee.  Pure Storage, Inc. is a well-known provider of computer equipment with whom Columbia was exploring a potential transaction. Though Denali resells equipment of the type that Pure Storage manufactures, Denali was not at that time an approved reseller for Pure Storage.  As a result, Denali would not have been eligible to participate as a reseller in that transaction. However, during the summer or early fall of 2016, Columbia learned that Denali had become an “approved” Pure Storage reseller.

Hack discovered in the summer of 2016

Columbia said it discovered the intrusion in the summer of 2016, during an upgrade to its email system. The FBI was called in to investigate, and the sportswear maker also allocated financial resources to investigate and deal with the hack.

"Columbia brings this lawsuit to recover damages associated with Defendants’ unlawful intrusions into its private computer network, to secure the return of whatever unlawfully accessed Columbia information they may still possess, and to recover the reasonable attorneys’ fees and costs it incurs in bringing this action," the company stated in its complaint.

Leeper fired from Denali

For its part, Denali said in a statement released on March 6 that it will cooperate with any investigation. The company also placed Leeper on leave.

In a second statement published on March 14, Denali announced it fired Leeper after they discovered he broke internal policies.

"In conducting our own investigation into claims made by Columbia Sportswear, we discovered that Mike violated Denali policy through his use of a personal laptop that he acquired while employed by Columbia, and that he had used for his work at Columbia," said Denali CEO Majdi Daher. "This violation spurred his termination."

Denali also denied any involvement in the hacks.