A Top Nissan Exec Secretly Hired a Company to Hack Carlos Ghosn's Email in 2018: Report

Before the escape and arrest came a bit of corporate espionage.

Lebanon Carlos Ghosn
AP—Copyright 2020 The Associated Press. All rights reserved.

The most exciting thing to come out of Nissan since 2018 has been the arrest and daring escape of former CEO Carlos Ghosn. From espionage and white-collar theft to hacking and cryptocurrency, this Hollywood-esque style novella has just about everything, and the best part? It's still unfolding. Most recently, newly uncovered documents suggest that one of Nissan's senior officers hired a firm to hack into Ghosn's email even before he departed the company.

It all starts with one of Nissan's Senior Vice Presidents, Hari Nada, who worked directly under Ghosn and Nissan CEO Hiroto Saikawa. At this point, Ghosn had stepped down as Nissan's CEO, but remained on as chariman of the company. Records obtained by Bloomberg show that Nada hired a French cybersecurity firm called Wavestone to assess the security of its network in 2018. This type of assessment, called a penetration test (or "pentest" for short), is a common method used to gauge a corporation's readiness to defend against and respond to cyber-related threats.

During the initial scoping phase of the project, the firm conducting the pentest will typically ask the client to identify key areas that it wishes to probe. This could be anything from the building's physical security, to obtaining a specific file hosted on a remote network share. Almost anything can be in scope. According to Bloomberg, which obtained a copy of the report detailing the pentest's results, one of the key objectives identified in the test would be for the firm to gain access to Ghosn's email accounts. Wavestone did exactly that, gaining access to Nissan's internal networks and moving laterally into the company's Microsoft Exchange server where it proved to Nada that it could access Ghosn's mailboxes.

One of the key points of any pentest is to keep it under wraps. The goal is to complete your objectives while going unnoticed—whether that be by moving undetected through a network from a remote location, or hiding in plain sight by using social engineering tactics to pose as someone who looks like they belong. If you're caught, someone like the Chief Information Officer generally provides a "get out of jail free card," which is more or less a piece of paper stating that the individual or the company that they represent has permission to be testing the organization's security.

However, the way that Nada reportedly kept the pentest hidden from key Nissan stakeholders until it was completed goes a bit off the rails. Individuals familiar with the matter say that Nada commissioned the test without informing CEO Saikawa or any of the managers and compliance staff in IT. In fact, this staff wasn't even made aware that a test was happening until the intrusions were detected. 

Wavestone was able to gain access to several critical segments of Nissan's networks, including one that housed the vehicle production system and another that contained plans for future models.

While the report from the security contractor outlined exactly what the company gained access to, it's not clear what Nada did with this information, or what he may have accessed. What is known, however, is that the time periods in which Ghosn's mailboxes were accessed by the contractor and when Nada began cooperating with authorities are both overlapping.

Could Nada have used this as an opportunity to exfiltrate data from Ghosn's mailboxes or elsewhere on the network that the SVP would otherwise not have access to? Ghosn has called the case against him "a campaign of lies" and suggested that it was nothing more than a coup, so could this have been the opportunity to plant data? And if Ghosn was doing something nefarious, why would he use his Nissan-controlled email account?

While everything just seems to fit together, it's important to remember that everything at the surface is simply circumstantial. Now, with contentious data integrity and chain-of-custody, it becomes questionable if the data handed over to prosecutors by Nissan should hold up in court. If anything, this should serve as a friendly reminder to never have an expectation of privacy when using a corporate-owned device.

Got a tip? Send us a note: tips@thedrive.com