Cyber Incident Victim: Tesla

Date: Mar 2021

Location: United States of America

Summary

Hackers compromised surveillance systems at Tesla, Cloudflare, financial institutions, healthcare facilities, and correctional facilities by exploiting hardcoded credentials for a Verkada super admin account found in exposed DevOps infrastructure. The breach enabled unauthorized access to live camera feeds and administrative control, including root shell access to security systems at Tesla's headquarters and Cloudflare, with the latter confirming impacted cameras were in unused offices and posed no risk to customers. Verkada disabled all internal administrator accounts, initiated an investigation with external security experts, and alerted law enforcement, while the attackers promoted the intrusion under the #OperationPanopticon hashtag, referencing pervasive surveillance concepts.

Description

On March 9, 2021, hackers gained unauthorized access to live surveillance camera systems at multiple high-profile organizations, including Tesla, Cloudflare, Equinox, healthcare clinics, correctional facilities, and financial institutions such as the Bank of Utah. The breach originated from compromised super administrator credentials for Verkada, a surveillance technology provider servicing these entities. Tillie Kottmann, a reverse engineer affiliated with the hacking group, disclosed that the attackers obtained hardcoded credentials for a Verkada super admin account through exposed DevOps infrastructure. This privileged access enabled real-time viewing of surveillance feeds across client sites and full administrative control over the systems. The hackers publicly shared images captured from cameras inside Tesla facilities, Equinox gyms, and bank premises, alongside screenshots demonstrating root shell access to Linux-based surveillance servers at Tesla headquarters and Cloudflare. Network card MAC addresses visible in these screenshots corroborated that the compromised systems were Verkada-managed devices. The intrusion campaign, branded #OperationPanopticon, highlighted the attackers' ability to use Verkada's centralized management platform to monitor sensitive locations without detection.

Verkada terminated the unauthorized access after Bloomberg News alerted the company to the breach, disabling all internal administrator accounts to contain the incident. The company initiated an investigation with its internal security team and an external firm, while also notifying law enforcement agencies. Cloudflare confirmed that affected cameras were located in offices closed for several months, asserting no impact on customer operations or data. Tesla did not publicly disclose specific operational consequences beyond the confirmed system access. The breach exposed live footage from healthcare environments, financial institutions, and correctional facilities, raising concerns about potential privacy violations and unauthorized surveillance of secure areas. Verkada’s infrastructure compromise demonstrated systemic risks associated with hardcoded credentials in DevOps environments, enabling attackers to bypass organizational security controls through a third-party vendor. No further details regarding data exfiltration, financial impact, or long-term remediation measures were disclosed in the immediate aftermath.
