Claim No: CFI-027-2014
THE DUBAI INTERNATIONAL FINANCIAL CENTRE COURTS
In the name of His Highness Sheikh Mohammad Bin Rashid Al Maktoum, Ruler of Dubai
IN THE COURT OF FIRST INSTANCE
BEFORE JUSTICE SIR RICHARD FIELD
BETWEEN
LEGATUM LIMITED
Claimant
and
ARIF SALIM
Defendant
Hearing: 15, 16 & 17 September 2015
Counsel: Duncan McCall QC (instructed by Al Tamimi & Company) for the Claimant
Dr Reyadh Kabban of Al Kabban & Associates for the Defendant
Judgment: 11 November 2015
JUDGMENT OF JUSTICE SIR RICHARD FIELD
Summary of Judgment
| The Claimant, Legatum Limited, brought a claim against the Defendant, Mr Arif Salim, for deliberately interfering with and interrupting the proper functioning of its IT system, a wrongful interference with property under Article 41 of DIFC Law No. 5 of 2005. The Claimant sought compensatory damages under Articles 23, 24 and 25 of DIFC Law No. 7 of 2005.
The Defendant, a former employee of the Claimant, denied that he had sabotaged the Claimant’s IT system. He denied that he had accessed the system after his employment had come to an end, until he was asked to return to help when the IT system crashed. Justice Sir Richard Field adopted an approach whereby strong and convincing evidence would be required for serious allegations to be proved on the balance of probabilities. The case was based on circumstantial evidence. Justice Sir Richard Field found the attack to be an internal, rather than an external, one. It was fanciful to suggest that a third party outsider would have had knowledge of accounts and password necessary to carry out the attack. Only the Defendant knew of the availability of IP numbers used to hide the Claimant’s data. There was no tenable basis for suggesting that someone else within or outside the Claimant made changes, which constituted part of the attack. The Defendant’s secret creation of a server, secret copying of data onto that server (data that was later deleted in the attack) and his failure to disclose the existence of the server either during the handover prior to leaving employment with the Claimant, or when he returned to help after the attack, was very powerful evidence against him. There was no reasonable doubt but that the Defendant was the perpetrator of the attack. Proof of motive was not necessary to establish the Defendant’s role in the attack. Justice Sir Richard Field tended to the view that the attack was carried out to punish the Claimant for not appointing him to replace another member of staff, and to give himself the opportunity to appear to be the Claimant’s saviour when called in to help after the attack, by ‘discovering’ the secret server containing a copy of the deleted data. The Defendant’s denials that he was the perpetrator were found to be knowingly and dishonestly false. The Claimant was awarded compensatory damages totalling USD 690,533. This comprised damages for the costs of an external company restoring the system and investigating the incident, the purchase of emergency servers, the cost of building emergency servers, and employee time incurred in dealing with the attack and its effects. The Claimant had satisfied the requirements promulgated in Aerospace Publishing Ltd & Anr (“Aerospace”) v Thames Water Utilities Ltd [2007] Bus L.R. 726, to support its claim for compensation linked to employee time incurred in dealing with the attack or its effects. It had produced such evidence as it could reasonably produce of the diversion of staff and had established that the diversion of staff caused significant disruption to its business. Had the staff not been diverted from their usual activities, they would have directly or indirectly generated revenue for the Claimant in an amount at least equal to the cost of employing them during that time. The parties were invited to serve written submissions as to costs and interest. |
This summary is not part of the Judgment and should not be cited as such
INTRODUCTION
1. On 21 June 2014, the IT system of the Claimant (“Legatum”) was sabotaged.
2. This is the trial of a claim by Legatum that it was the Defendant (“Mr Salim”), a former senior member of its IT team, who was responsible for this attack on the Legatum IT system by deliberately interfering with and interrupting its proper functioning.
3. The burden of proof is of course on Legatum and the standard of proof is the civil standard, namely the balance of probabilities. Lord Nicholls said in In re H (Minors)(Sexual Abuse: Standard of Proof)[1996] AC 563, 586D-H:
“The balance of probability standard means that a court is satisfied an event occurred if the court considers that, on the evidence, the occurrence of the event was more likely than not. When assessing the probabilities the court will have in mind as a factor, to whatever extent is appropriate in the particular case, that the more serious the allegation the less likely it is that the event occurred and, hence, the stronger should be the evidence before the court concludes that the allegation is established on the balance of probability. Fraud is usually less likely than negligence. Deliberate physical injury is usually less likely than accidental physical injury…Built into the preponderance of probability standard is a generous degree of flexibility in respect of the seriousness of the allegation.”
“Although the result is much the same, this does not mean that where a serious allegation is in issue the standard of proof required is higher. It means only that the inherent probability or improbability of an event is itself a matter to be taken into account when weighing the probabilities and deciding whether, on balance, the event occurred. The more improbable the event, the stronger must be the evidence that it did occur before, on the balance of probability, its occurrence will be established.”
4. The House of Lords has subsequently emphasised that Lord Nicholls was not saying that in civil cases involving serious allegations a “heightened” civil standard of proof is required, see In re B (Children) (FC) [2008] UKHL 35. This no doubt is true, but common sense tells one that in practice where serious allegations are made in civil proceedings, strong and convincing evidence will usually be required for such allegations to be proved on the balance of probabilities and this is the approach I propose to adopt in this case.
5. The case against Mr Salim is based on circumstantial evidence. It is well known that whilst circumstantial evidence can be strong evidence, careful consideration must be given as to whether the evidence reveals any other circumstances which weaken or destroy the case against the accused and care should be taken to reach conclusions based only on reliable evidence and not on mere speculation.
THE FACTUAL WITNESSES
6. The witnesses of fact called by Legatum were: Mr Conor O’Flynn, a Senior IT Analyst employed by Legatum, Mr Paul Sheriff, Legatum’s CFO and Mr Mark Stoleson, Legatum’s CEO. When I use the word “fact” I do not include any opinion that Mr Salim was responsible for the sabotage or any conclusionary reasoning supporting an allegation that Mr Salim was the culprit.
7. Dr Al Kabban, who appeared for Mr Salim, made a number of criticisms of the evidence given by these witnesses. For instance, he observed that some amendments were made to some of the witness statements before the witnesses gave sworn evidence and in the case of Mr O’Flynn that he (Mr O’Flynn) had changed in his second witness statement what he had said in his first statement about how data was copied onto a virtual server. In my judgment, none of Dr Al Kabban’s criticisms undermine the reliability of the sworn factual evidence given by Legatum’s witnesses from the witness box. In my judgment, the factual evidence given by all of these witnesses was truthful and reliable. Mr Stoleson had a tendency to argue Legatum’s case from the witness box but abstained from doing so after a comment from myself. Notwithstanding these lapses into advocacy, I have no hesitation in accepting Mr Stoleson’s factual evidence.
8. Mr Salim was the sole factual witness called by his side. He gave evidence by video link from Australia and had a tendency to speak very fast. Unfortunately, many of his answers in cross-examination were not picked up in the recording of his evidence. Both sides have provided such notes as they were able to produce of his answers which I found very helpful. In the circumstances, I propose to give my considered assessment of the reliability of Mr Salim’s evidence after I have considered Legatum’s case based principally on undisputed facts and Mr Salim’s response thereto. Suffice it to say at this stage that I did not find Mr Salim to be a reliable witness on a number of important matters and I am therefore prepared to accept only those parts of his evidence that are corroborated by the oral testimony given on behalf of Legatum or by other reliable evidence.
THE FACTUAL BACKGROUND: PART I – MR SALIM’S KNOWLEDGE OF THE IT SYSTEM; THE IT TEAM; MR SALIM’S RESIGNATION
9. Legatum was created by its Chairman, Mr Christopher Chandler, a wealthy investor. It is a private investment firm based in the DIFC, Dubai which invests proprietary capital in listed entities around the world. In carrying on its business it is highly dependent on its IT system. Data security is therefore extremely important to it.
10. Mr Salim was employed as a member of Legatum’s IT team from 16 September 2004 until 31 May 2014 when his resignation from the company became effective. His actual leaving date was 29 May 2014. On 16 March 2008 he signed a new contract of employment dated 12 February 2008 which described his role at that time as “Server Architect”.
11. By early 2014, when Mr Stoleson asked each member of the IT team to describe his role in the company, Mr Salim’s role had expanded considerably over the previous 9 years 10 months. In a memorandum he produced in response to Mr Stoleson’s request, Mr Salim described himself as “IT Vice President” and stated that his role was
“… to take complete responsibility of datacentre systems, servers, applications and DR [Disaster Recovery] functionalities for Legatum and private offices across the globe. This includes research, planning, designing, implementing and maintaining all Legatum systems and server projects (such as Tradar, SUN and Data archive etc). The role also helps Head of IT with yearly budgeting, decision making, and IT strategy planning”.
12. Amongst the specific responsibilities Mr Salim went on to list in this memorandum were responsibilities for all server hardware and data storage systems, backup support, and all disaster recovery systems.
13. It is clear that over the 10 years he was with Legatum Mr Salim acquired a detailed knowledge of all aspects of Legatum’s IT system. During that period owing to his seniority he was involved in every single IT project, whether in a planning capacity or in implementing or running projects. Also, all members of the IT team covered for each other where necessary and thus Mr Salim would have had a good understanding of that part of the system that was the direct individual responsibility of each of his colleagues.
14. Mr Salim served notice of his resignation by an email to Mr Stoleson dated 17 April 2014. This followed the departure in early 2014 of the head of the Legatum IT team, Mr Benvir Padda. A shared services survey conducted in December 2013 had shown that the IT team had been underperforming. Mr Padda had been more a policy and strategy man than a hands-on man with a close knowledge of the system.
15. After Mr Padda left the company, the IT team consisted of Mr Salim, Mr O’Flynn and Mr Srdjan Radivojeric (Technical Support Analyst). Later, on 11 June 2014, Ms Krisztina Nagy joined the team as a Technical Support Analyst.
16. Mr O’Flynn was responsible for all network components and internet connectivity across all the Legatum sites and Mr Radivojeric was responsible for managing and maintaining all desk top and helpdesk level support including all of the IT user end facilities.
17. Mr O’Flynn testified that:
(i) Mr Salim felt insulted when asked by Mr Stoleson in March 2014 to put into writing his role and responsibilities; in Mr Salim’s view, senior management ought to have known what the role of each member of the IT team was.
(ii) Mr Salim also resented the fact that after Mr Padda’s departure he had to seek authorisation from certain senior managers for purchases for the IT system, whereas Mr Padda had been given prior authority to make purchases up to a certain value.
(iii) Mr Salim was upset when he learned that Legatum were intending to replace Mr Padda by appointing someone from outside the company rather than himself.
(iv) Mr Salim felt that his services would be dispensed with in the near future.
18. Mr Salim denied in cross-examination that he bore any resentment towards Legatum or that he thought that he would be let go if he did not resign. I reject Mr Salim’s denials and accept the evidence of Mr O’Flynn.
19. Mr Salim’s last day in the office was 29 May 2014.
THE FACTUAL BACKGROUND: PART II – LEGATUM’S IT SYSTEM
20. Legatum’s IT system consisted of: (i) the computers (work stations) located in Legatum’s DIFC office for use by Legatum personnel; (ii) equipment located in a data centre in the DIFC office premises; (iii) further equipment sited at other small locations around the world.
21. The equipment in the DIFC data centre comprised a number of network components, primary and secondary domain controllers and all of the primary data servers and storage for the system. In total, there were approximately 55 servers. It was possible to gain access to the system from any of the work stations, as well as remotely over the internet via a secure and encrypted connection. Access to the system required the use of appropriate credentials and thus only people with the requisite knowledge thereof could do so.
22. Within the System, there were thousands of possible “IP addresses” (also known as “IP numbers”) though only a small number were used at any one time. An IP address is a unique number assigned to a device (e.g. a computer) which is part of the network. Legatum’s IP addresses/numbers were organised in ranges of 254 addresses per range. Servers were held on one range, PCs on another range, phones on another, and so on. Given the large number of IP addresses/numbers, there was no need to reassign an IP address to another device once the device to which that IP address has been assigned was no longer in use.
23. The IP addresses/numbers were dynamically assigned using a Dynamic Host Configuration Protocol (DHCP), which allowed IP addresses to change after a period of inactivity of 14 days. However, given the infrequent changes of machines and the fact that PCs were rarely shut down for longer than 14 days the DHCP, IP addresses/numbers at Legatum usually stayed assigned to individual PCs as the preferred IP addresses.
24. Access to the servers was administered and controlled by three Microsoft domain controllers in Dubai and three other domain controllers in different locations. The servers ran a variety of applications, including e-mail, file and print sharing, SQL databases and various business applications which accessed either databases or files. These applications included all of Legatum’s financial applications (SUN Financials and 4Series), two document management systems (CODEX and eDocs), Legatum’s intranet system, including Sharepoint, and Legatum’s external websites. Most critical data was replicated to the disaster recovery site in Thailand and data was backed up to physical tapes incrementally each night as a safeguard. Usually, there would be one up-to-date copy of all of the company’s data on tape each week. These backup tapes were kept in a small room adjacent to the data centre itself.
25. If the domain controllers were immobilized, access to the system would be rendered impossible.
26. The network storage SAN had connectivity with two physical servers, each of which ran six mounted “virtual” servers. A “virtual” server is not a physical piece of hardware but is instead comprised of a set of electronic specifications and configuration files which run on a “host” server or computer. If a virtual server is “mounted”, it can be seen on the system. If it is “unmounted” it is invisible on the system.
27. The Legatum IT system used Active Directory (AD) which is a centralised and standardised system that: (i) automates network management of user data and security and distributes resources; and (ii) enables interoperation with other directories. Active Directory worked with the Primary Domain Controller (PDC) to authenticate and authorise all users and computers in the Windows domain network – assigning and enforcing security policies for all computers and installing or updating software. Thus, when a user logged into a computer that was part of the Windows domain, Active Directory checked the submitted password and determined whether the user was a system administrator using an administrator account or a normal user using a user account.
28. An administrator account is an account that can be used to change security settings, install software and hardware and access all files on the computer. It can also be used to make changes to other user accounts.
29. A user account is a collection of information that tells Windows which files and folders can be accessed, what changes can be made to the computer and the user’s personal preferences.
30. The Primary Domain Controller and Backup Domain Controller (BDC) are functions that can be assigned to a server in a network of computers that use the Windows NT operating system. Windows NT uses the idea of a domain to manage access to a set of network resources (applications, printers, and so forth) for a group of users. The user needs only to log into the domain to gain access to the resources, which may be located on a number of different servers in the network. The Primary Domain Controller manages the master user database for the domain. One or more other servers are designated as backup domain controllers.
31. Mr Salim’s workstation at the DIFC office had the designation (DBX-ANS-1) within the Legatum IT system.
32. Before he left Legatum on 29 May 2014, Mr Salim made available to Mr O’Flynn handover notes about Legatum’s IT system. These notes took the form of over 1,000 pages of Excel spreadsheets, Word documents and screenshots. The handover was done, as Mr Salim well knew, to enable the IT team to run the IT system in Mr Salim’s absence, Mr Salim knowing far more about the IT system than the remaining members of the IT team. Included in the notes was a list of IP numbers for servers, workstations and printers and a list of passwords for numerous accounts.
33. After Mr Salim’s departure, his passwords on his own personal account (“arifs”) and the Active Directory system user accounts identified in the handover file were changed.
THE FACTUAL BACKGROUND: PART III – THE LEGATUM IT SYSTEM CRASHES
34. The first signs that Legatum’s IT system had been sabotaged emerged on Saturday 21 June 2014 when Mr Sheriff was unable to access his emails whilst in Scotland on business. This led to Mr O’Flynn going to Legatum’s DIFC office to investigate the problem where he found that no access could be obtained to the Primary Domain Controller, the Active Directory or the servers.
35. At about 11.00 am that morning Mr O’Flynn telephoned Mr Salim to ask for his help. Mr Salim gave Mr O’Flynn some details of what to check in order to try and get the system back up and running, including old recovery passwords for the PDC and local administration accounts that were set on the machines. However, none of these worked. It was at this point that Mr O’Flynn first called Mr Salim to verify the passwords on the handover sheet and to check if there were other passwords that could be tried to gain access to the domain controller.
36. Mr O’Flynn asked for Mr Salim’s help several times that day and at one point asked whether he might be willing to come into the office, as he understood the system better than anyone else. Mr Salim enquired several times whether Mr O’Flynn had been asked by anyone in management to request his help. He wanted any involvement to be cleared with senior management first, in particular with Mr Stoleson. He also asked if Mr Stoleson had been in touch with Mr O’Flynn and whether he had mentioned anything about asking him (Mr Salim) to come in. He raised the same enquiry in respect of the Chairman, Mr Chandler.
37. Mr Salim eventually arrived at the Legatum office at approximately 6 pm on the Saturday evening. Having first asked if it was all right for him to do so, he sat at his old computer and logged into his old account to see if he could restore some of the servers from there. Since the domain controllers were down, along with the AD, his old account could not be re-activated and the password reset to allow him to log back in with his former Windows account. He therefore had to set up a profile on the PC, so that he could log in and get access to the network and systems. Mr O’Flynn believes that Mr Salim created another “Arif” account with which to log in and get access to the servers using remote desktop connections.
38. Mr Salim said he wanted a contract to cover his work in assisting the recovery of the IT system and asked for an assurance from Mr Stoleson that he would not be held responsible for any actions that he may take to retrieve our IT system. Mr Robert Vickers, Legatum’s Senior Vice President (Legal), prepared a draft contract for Mr Salim to sign. However, two days later, Mr Salim refused to sign the contract and gave a number of vague reasons as to why he would not agree to the terms outlined in the draft contract, including that his brother, whose sponsorship he was then under, did not approve of him entering into a consultancy contract. Mr Salim also said that he had plans to fly to Australia with his family on holiday that week. However, when Mr Sheriff asked him whether he had booked his tickets, he said he had not.
39. On Sunday 22 June 2014, it was agreed that an individual called Chris from ITSec would try to restore the domain controllers using software that needed to be on either a USB key or a DVD and inserted into the server located in the data centre. Mr Salim proceeded to make an issue over the fact that a DVD was being used in preference to a USB notwithstanding that if the machine could read the files on the media storage, it mattered not if the files were stored on a CD/DVD or on a USB key. Mr Salim also became quite agitated in the data centre when Chris, the ITSec man, attempted to work on the domain controllers. At this point Mr O’Flynn received a call from Amir Kolahzadeh from ITSec who said that Mr Salim was interfering with Chris’s work and making it difficult for him to do his job. Later, when Mr O’Flynn spoke to Mr Salim about this, he said that Chris did not know what he was doing. However, one of the domain controllers was restored.
40. Messrs Sheriff, Radivojeric, O’Flynn and Salim then had a meeting to come up with a plan of action. Mr Salim said he was confident that he could restore the system if only he was left alone to do it. He said that he could not help if others were making changes or trying different things. Mr O’Flynn thought he clearly seemed unhappy that other professionals had been asked to assist with the response to the crash of the system.
41. McAfee Foundstone Professional Services (“McAfee”) was engaged by Legatum on the Sunday to help recover Legatum’s lost data. Mr Paul Wright, who is Legatum’s expert witness, was the first IT McAfee professional to arrive at the office at around 7pm on that evening. After explaining how McAfee worked and what they would be doing, Mr Wright started asking basic questions to gain an understanding of what had occurred and what the Legatum people knew. A number of his questions were directed to Mr Salim but Mr Salim did not answer all the questions and was quite vague in his responses to others. This was surprising to Mr O’Flynn because some of the questions were pretty basic and involved matters he would have expected Mr Salim to know about.
42. The following day (23 June 2014) the IT team met with Mr Sheriff and discussed a plan that envisaged Mr Salim leading the recovery effort. Mr Salim told Mr O’Flynn that he would like to run the entire recovery project, clean up whatever had happened, come up with a revised infrastructure and network, write new policies and procedures for the system globally and separate the Neritum domain that served Mr Chandler personally from the Legatum domain. Mr Salim said that he could only do this if and when all external professionals had been removed. He said his concern was that too many people were making attempts to recover the system and it was difficult to track what was being done.
43. At one point, Mr Salim suggested that he could try a few things to recover the virtual host machines and said he was confident of doing so. Mr O’Flynn was keen for him to get started but Mr Salim then hesitated to get started and when he realised that Mr O’Flynn and several others were not leaving his desk, he said that he needed time to think about the situation to see what needed to be done and to read a few notes or emails. Whilst Mr O’Flynn and Mr Radivojeric were standing at his desk, Mr Salim appeared to be playing around with his computer mouse and not doing very much at all. However, Mr O’Flynn eventually left Mr Salim’s desk and a short time later Mr Salim recovered some of the virtual host servers. In light of this behaviour of Mr Salim, Mr O’Flynn reset the passwords again on those parts of the system that he knew were now up and running.
LEGATUM’S EXPERT WITNESS, MR PAUL WRIGHT
44. As stated above, the expert witness called by Legatum was Mr Paul Wright. Mr Wright has an MSc (with Distinction) in Professional Computing from Staffordshire University. From 1987 to 2009 he was a Detective Sergeant with the City of London Police working in the area of computer crime during which period from mid November 2001 he was a member of the National Hi-Tech Crime Unit. Since February 2009 he has held high-level civilian positions as a consultant investigator into computer incidents and as an advisor on computer security. He joined McAfee in June 2014 as EMEA Technical Director for Cybercrime Consulting.
45. In the course of investigating the crash of the Legatum IT system, Mr Wright captured a number of forensic images from computers and servers located in the Legatum IT network and conducted a forensic analysis on the workstations of the past and current members of the Legatum IT team, save for that used by Ms Krisztina Nagy who had only joined the team very recently.
46. Mr Wright also investigated Legatum’s Windows Event logs for 2014 which are a repository of digital information about particular computers showing every activity on the System. However, he found that the VPN logs relating to the secure and encrypted connection – Remote Access Connection, Dynamic Host Configuration Protocol (“DHCP”), Domain Name Server, and Core Switches and Cisco network devices – had been immobilised and rendered unavailable.
47. In the course of his investigation, Mr Wright identified login activity between March and June 2014 linked to the IP numbers 172.25.25.16, 172.20.0.240 and 172.25.26.29 and the accounts “clsadmin”, “dxbbackup” and “spsadmin”. The IP number 172.25.26.29 was the IP number assigned to Mr Salim’s workstation.
48. On 17 July 2014, Legatum staff discovered that a new virtual unmounted device existed on the Legatum IT system and learned later it had been named “Ptolemy 1”. A screen shot of Ptolemy 1 shows the IP number for that device as 172.25.25.35 and also that the credential “arifs” made 9 attempts to logon to Ptolemy 1 on 31 March 2014. It was also discovered that the files for a user profile for the account “clsadmin” had been created on Ptolemy 1 at 15:57 hours on 6 May 2014.
49. Further investigation revealed that the data that had been deleted from the IT system during the sabotage carried out on 21 June 2014 had previously been copied from an existing server called “Ptolemy” onto the virtual, unmounted Ptolemy 1, where it remained.
50. Using the information found on the Windows Event logs and the forensic analysis of images taken from the computers he examined, Mr Wright produced what he called the “Attack Timeline of Events”, the final version of which was set out in his Second Report. The events identified in this list (“the Attack Timeline”) and their dates and times were not disputed at the trial by Mr Dinesh Bareja, Mr Salim’s expert witness. This, however, did not deter Dr Al Kabban from contending in his closing submission that since Legatum’s IT system has been rebuilt, there is no alternative to relying on the information made available by the Claimant to the Court, “[h]owever the validity and the truthfulness of this information is doubted.” Mr Bareja having accepted the accuracy of the Attack Timeline and the trial having progressed on this basis, this judgment will also proceed on that basis.
51. It was Mr Wright’s opinion that the sabotage inflicted on the Legatum IT system was not carried out by an external third party but by someone with intimate inside knowledge of the system. Mr Salim trailed the possibility that an external consultant who had worked on the system was responsible by mistake or design for the incident on 21 June 2014, but the main thrust of his defence, as we shall see, was that a fellow member of the IT team had caused the incident by mistake.
52. In Mr Wright’s judgment, the fact that data was copied onto a hidden virtual server, Ptolemy 1, before being deleted on the other servers indicates that the attack was carried out by an insider who wanted the option to recover the data from Ptolemy 1 at a later stage. Also, there was no evidence of any external reconnaissance before the attack, only internal reconnaissance both before and after the attack. Further: (i) there was no evidence of the use of Trojans (programs designed to breach the security of a computer system while ostensibly performing some innocuous function) or a rootkit (a set of software tools that enable an unauthorised user to gain control of a computer system without being detected); (ii) no ransom demand was received and no mention was made on the internet of the attack or that Legatum data was being disseminated; and (iii) there was no evidence that anyone outside had carried out a reconnaissance of the physical Legatum environment.
53. Mr Wright’s opinion that the damage done to the Legatum IT system was not carried out by an external third party but by someone with intimate inside knowledge of the system was not seriously challenged on behalf of Mr Salim.
54. On 2 July 2015, Legatum made voluntary disclosure of a hard disc containing Event Logs and Forensic Images of various hard discs. Included in that disclosure was this screenshot taken from a text Notepad file:
55. The highlighted middle section of the screen shot appeared to show that Mr Radivojeric (srdjan) had logged on to the Legatum IT system using the “clsadmin” account on 21 June 2014 at 4:35:17 hours. In a supplementary Third Report produced on the second day of the trial, Mr Salim’s expert witness, Mr Dinesh Bareja, expressed the view on the basis of this screenshot that Mr Radivojeric had accessed the invisible virtual server Ptolemy 1 on 21 June 2014 after Mr Salim had left Legatum. If this conclusion were soundly based it would have seriously undermined Legatum’s case that the existence of Ptolemy 1 was not known to Legatum until it was discovered on 17 July 2014.
56. Mr Wright answered Mr Bareja’s third report in a further (third) report which he confirmed on oath in the witness box. His evidence was that the screenshot was taken from a text Notepad file and was not an event log as had been assumed by Mr Bareja; rather, it was a draft working document in text format he had created in the course of his investigation. It had been included in Legatum’s voluntary disclosure in error and had not found its way into his finished work product. He further testified that he had once again checked the original event logs and was able to confirm there was no log of any type showing that the user “LEGATUM\Srdnanr” had accessed Ptolemy 1 at any time on 21 June 2014. Mr Wright’s evidence as to what the text Notepad file was, how it had been included in the voluntary disclosure made on 2 July 2014 by mistake, and his confirmation that having rechecked the original event logs there is no log of any type showing that the user “LEGATUM\Srdnanr” had accessed Ptolemy 1 at any time on 21 June 2014, was not challenged on behalf of Mr Salim. Further, Mr Bareja expressly accepted when cross-examined that he was not suggesting that Mr Wright had deliberately doctored any material.
57. In his written closing submissions, however, Dr Al Kabban, asserts that the screen shot shows that Mr Radivojeric accessed Ptolemy on 21 June 2014 and concludes, “As such, the Claimant’s contention that they were not aware of the existence of Ptolemy 1 and they did not have knowledge about the password to the clsadmin account is false.” And Dr Al Kabban does not stop there. He goes on:
“The Claimant expert’s justification and reasoning that the log is an amalgamation of entries is absurd as one cannot see any common factor or link between the three log entries in the screenshot. As confirmed by the Claimant’s Counsel that logs cannot be altered, it is the Defendant’s position that indeed logs cannot be altered but they can be copied onto a note pad document as seen in the screenshot thereby concluding that the entries are genuine log entries taken from the Claimant’s data base which confirms the Defendant’s position that selective information has been made available to the Defendant and the Honourable Court” [paragraph 47].
“Even, if one were to believe that the inclusion of this log in the hard drive was a part of the rough work file belonging to the Claimant’s expert, the authenticity of this log cannot be ignored or denied. A detailed review of that particular log indicates that the Claimant’s expert obtained this piece of information from the Claimant’s data base and accidently forgot to erase it before sending over the hard drives to the Defendant. This revelation clearly indicates that the Claimant’s expert has been selective in the information he has made available to the Defendant and the Honourable Court. The Claimant’s expert has deliberately provided the Honourable Court with information that supports the case filed by the Claimant’s management against the Defendant while concealing information that clearly shows that the Defendant was not responsible for the alleged System Incident …” [paragraph 51].
“With regards to the Defendant’s last expert report submitted on 16/09/2015, the Defendant’s expert discovered a new log entry in one of the hard drives handed over by the Claimant to the Defendant. The hard drive contained a log entry which shows that one of the Claimant’s employee, Mr. Srdjan, accessed Ptolemy 1, a few hours before the System Incident was allegedly launched. The Claimant’s expert has made a futile attempt of dismissing the Defendant’s new finding as a part of his work file which does not hold any relevance in this case. The Defendant’s expert refuses to believe the same as the Defendant’s expert was given the hard disks in sealed plastic containers that declared the “Chain of Custody”. However, the Claimant Expert’s statement that the new piece of information in the form of a log entry is a part of his rough work states that the hard disks provided to the Defendant were contaminated with the Claimant expert’s personal files. The hard disks made available to the Defendant were supposed to be images of Ptolemy 1 and other systems and this statement raises a doubt about the veracity of all the event logs and data that has been supposedly analysed and reported to the Honourable Court throughout the course of these legal proceedings” [paragraph 74].
58. None of these criticisms and serious allegations was put to Mr Wright in cross-examination or asserted in evidence by Mr Bareja and it is most regrettable that they are now advanced by Dr Al Kabban.
59. In my judgment, Mr Wright was a transparently honest witness and I accept his evidence about how the Notepad text came to be included in the material disclosed on 2 July 2015. Accordingly, I reject the contention that the screen shot shows that Mr Radijoveric accessed Ptolemy 1 on 21 June 2014.
60. Indeed, I found Mr Wright to be an impressive expert witness. The mistake over the Notepad text apart, the investigation he carried out was technically extremely proficient and he presented his findings clearly and objectively.
61. In his first two reports he concludes that his factual findings coupled with information provided by Mr O’Flynn and Mr Radivojeric establish conclusively that it was Mr Salim who sabotaged Legatum’s IT system. Whether or not Mr Wright was entitled to state this opinion on the ultimate question to be decided in this trial, I place no reliance on it since it is for the court, not the expert witnesses, to decide whether the case against Mr Salim has been established to the necessary standard of proof.
THE KEY EVENTS IN THE ATTACK TIMELINE VIEWED IN THE LIGHT OF OTHER EVIDENCE
Change of Encryption Key and Backup System Passphrase.
62. On 7 April 2014 the encryption key and passphrase for Legatum’s backup system were changed using IP address 172.25.25.213. The back-up system was Mr Salim’s responsibility. It was Mr O’Flynn’s evidence that neither he nor Mr Radivojeric (the only other members of the IT team on 7 April 2014) carried out this operation.
63. No mention was made in Mr Salim’s handover notes that the backup tapes were encrypted or that the encryption key and passphase had been changed on 7 April 2014.
64. Mr Salim denied that it was he who had changed the encryption key and passphrase. He testified that he was unaware that there was an encryption key and passphrase because when using the back-up tapes system, these were never required. It was also his case that during the attempts to recover lost data after 21 June 2014, an external consultant, a Mr Valerio, had mistakenly overwritten the database related to the tape backup software and it was only after this there was any prompting for the encryption key and passphrase.
Deletion of 300,000 files from Mr Salim’s hard drives
65. Mr Wright examined the hard drive found in Mr Salim’s Legatum computer and another hard drive hidden within Mr Salim’s work station.
66. On three occasions on 27 and 28 May 2014 approximately 300,000 files were wiped from Mr Salim’s two hard drives using “CCleaner” software.
67. Prior to the trial, Mr Salim claimed that he only deleted personal information, but artefacts discovered on his Legatum computer show that he kept company data on his computer including “audit information”, “minutes and resolutions” of meetings and a large number of other Legatum documents. In cross-examination, Mr Salim first denied deleting company data from his hard drives but when shown the evidence that he had deleted a large amount of company data, he maintained that this must have happened without him being aware of it.
Ptolemy 1
68. The operating system for Ptolemy 1 (the invisible virtual server discovered on 17 July 2014) was installed on Ptolemy 1 on 31 March 2014 and the “clsadmin” account was created on it on 6 May 2014. This was admitted by Mr Salim. Ptolemy 1 itself was therefore created some time prior to 31 March 2014.
69. Between 4 and 13 June 2014 (after Mr Salim’s departure from Legatum on 29 May 2014) there were interactions between the “clasdmin” account, Ptolemy 1 and IP address 172.20.0.240. This latter address came from the Legatum’s disaster recovery range of IP addresses and I accept the evidence of Mr O’Flynn that it was an inactive address.
70. At 10.30 pm on 17 June 2014, “clsadmin” was used to trigger a run on a “Robocopy” file on Ptolemy 1 using a program called “Task Scheduler”. This task was completed the following day. Task Scheduler is used to arrange for a task to run at future point in time. The Robocopy software was used to copy Legatum’s data to Ptolemy 1.
71. Further copying of data to Ptolemy 1 triggered by “clsadmin” occurred on 18, 19, 20 June 2014, on each occasion at 10.30 pm, the same time of day that the copying began on 17 June 2014.
72. The “clsadmin” account was also used to connect to Ptolemy 1 on 21 June 2014 at 04:31 am.
73. The data copied to Ptolemy 1 was not deleted during the sabotage carried out on 21 June 2014. It consisted of all of the Legatum data that was deleted from elsewhere on the Legatum IT system on 21 June 2014, save for a few emails. This data on Ptolemy was not discovered until after the existence of Ptolemy 1 emerged on 21 June 2014.
74. Forensic traces of “Robocopy” executable, namely the file or program that causes a computer to execute a task, were found on Mr Salim’s workstation during the McAfee investigation. The use of Robocopy to copy material onto Ptolemy 1 prior to his departure was admitted by Mr Salim when interviewed by Mr Wright on 7 August 2014 (“the interview”). No such traces were found on the workstations of any of the other members of the IT team.
75. It is not disputed that Mr Salim did not disclose the existence of Ptolemy 1 (which was invisible on the IT system) in the handover notes provided to Mr O’Flynn. He also did not disclose the existence of Ptolemy 1 when he was being asked to help in the recovery of Legatum’s lost data over the phone and at Legatum’s office, although he must have known that at least some of the lost data had been copied from Ptolemy to Ptolemy 1, since he carried out the copying operations that were undertaken before his departure from Legatum.
76. At the interview, Mr Salim said that he did not disclose the existence of Ptolemy 1 in his handover notes because the migration of data from Ptolemy to Ptolemy 1 was not yet complete; he was still testing how this migration should be done. And when Mr Wright put it to Mr Salim that since the copying was incomplete, Ptolemy 1 should have been included in the handover notes, Mr Salim said, “Yeah, it should have been.”
77. In his first witness statement made almost a year after the interview, Mr Salim stated that:
“Ptolemy 1 was purely a test server which was built in April- May 2014 when the data migration project was underway in the Claimant’s office. Ptolemy 1 server was created for a project under the instructions of the management whereby they instructed me to migrate data from one of the old servers (Ptolemy) to the newly built virtual environment servers called Host1 and Host2. The purpose of Ptolemy 1 server was to test the various methods that can be used to transfer data from the old server i.e. Ptolemy. Once the testing was done and the method(s) to be used for data transfer was selected through the testing done on to Ptolemy1, it was meant to be deleted and replaced with a fresh and newly built live server. The old Ptolemy was to be decommissioned after the selected data transfer method was used and data was transferred on the newly built live server. Emitec Consultants were also involved in this project. This project was not completed when I had resigned from my position and left the company…” (paragraph 33).
“All the members of the IT team and the external consultants were aware that the company data on Ptolemy1 server was being copied using test scripts to see and test how the data would be migrated from the existing old servers to the newly created servers … The test scripts were automated and schedule to run for a number of days to ensure that they are working properly before they could be used for real data migration”. (paragraph 35).
“The Claimant has also accused me of failing to mention the details of Ptolemy1 in my handover notes, however in my opinion it was not necessary to mention this information as Ptolemy1 was an ongoing project, it was in the testing phase and everybody in the IT team including the external consultants were aware of its existence. Nevertheless, its exclusion from the handover notes was not deliberate and was a mere lapse. The fact that Ptolemy1 was not mentioned in the handover notes is irrelevant, particularly when everybody in the IT team including the management were aware of the existence and purpose of creation of Ptolemy1”. (Paragraph 40).
78. The external consultants referred to by Mr Salim were Emitec who between 18 and 24 March 2014 did work on the virtual environment of the Legatum IT system.
79. Mr Sheriff’s evidence was that until Ptolemy 1 was discovered on 17 July 2014, no-one at Legatum knew of the existence of Ptolemy 1, let alone that data had been copied thereon from another server. The evidence of Mr O’Flynn (who had received Mr Radivojeric’s confirmation that he had not known of Ptolemy 1) was to the same effect. Mr Sheriff also testified that the several consultants who in the past had done different work on the Legatum IT system had each completed a questionnaire sent to them by Legatum that asked for details of any work carried out, when, the servers accessed, the account names seen, who provided the access credentials, any use or receipt of the credentials for the “clsadmin” account and any connection to the IP numbers 172.25.25.16; 172.25.26.29; nd 172.20.0.240. In answering the questionnaire sent to it, Emitec reported that between 18 and 24 March 2014 they had installed 2 HP DL585 G7 Servers and installed and enabled Windows 2012 R2, Hyper-V services and SCVVMM 2012 R2 using a service account the credentials for which were provided by Mr Salim. The “clsadmin” account had been used to configure Windows 2012 R2 Hyper-V cluster and SCVMM but the password was inserted by Mr Salim whenever required.
80. All of the respondent consultants approached by Legatum reported that they had not connected to any of the specified three IP numbers.
81. Mr Wright’s forensic examination of the workstations of the other members of the IT team showed that none of those devices had been used to access Ptolemy 1.
82. Included in Mr Salim’s handover notes was a section headed “Legatum device server roles” under which, inter alia, four test servers were identified and three “Interaction” servers. When asked in cross-examination why he identified these servers but not Ptolemy 1 he replied that these servers were old physical servers that had been turned into test servers whereas Ptolemy 1 was a new virtual server.
83. When asked during the interview why he did not tell the Legatum IT and McAfee recovery teams about Ptolemy 1 and the data that was on it, Mr Salim said the project was on-going, he was testing it and he had not copied everything.
84. In cross-examination he said that he did not tell the recovery teams about Ptolemy 1 because only a small amount of data had been transferred and it may have been overwritten.
85. Whilst management may have approved the expenditure on the work done by Emitec in March 2014, I accept the evidence of Mr Sheriff and Mr O’Flynn that neither the Legatum IT team (other than Mr Salim) nor Legatum’s management knew anything of Ptolemy 1 until it was discovered on 17 July 2014; and that accordingly they knew nothing about any copying onto a new virtual server of Legatum data until this too was discovered after 17 July 2014. If they had had this knowledge, Ptolemy 1 and the data it contained would certainly have been revealed in the early days of the recovery attempts. Also, Mr Salim’s evidence involves the suggestion that many individuals within Legatum have conspired falsely to allege that Ptolemy 1 was unknown until 17 July 2014, which I regard as a fantastic and wholly unrealistic proposition.
86. I also find that Emitec did not know Legatum data was being copied on to one of the new virtual servers and did not know the password for “clsadmin”.
87. I further find that Mr Salim deliberately omitted to disclose the existence of Ptolemy 1 both in his handover notes and when he returned to Legatum’s offices on 21 June 2014 and thereafter. On his own evidence the test copying of data from the old Ptolemy to Ptolemy 1 was on-going and therefore incomplete when he left the company. He therefore had as much reason to disclose the existence and purpose Ptolemy 1 in his handover notes as he did to disclose the four test servers and three Interaction servers he did disclose under the heading “Legatum device server roles”.
88. As to his failure to tell the recovery teams about Ptolemy 1, I find his different explanations for this to be wholly unconvincing and contrived. Mr Salim well knew that the recovery teams were working on the basis that the whole of Legatum’s data had been deleted from the IT system. In these circumstances, even if only part of the data on old Ptolemy had been transferred to Ptolemy 1 by the time Mr Salim had left on 29 May 2014, it is incredible that he did not disclose or mention to the teams the existence of Ptolemy 1 and his copying thereon of Legatum data, especially since it is clear from Mr Wright’s Appendix K, which is a sample of many Ptolemy 1 artefacts found on Mr Salim’s work station, that a considerable quantity of corporate data had been copied over pre 29 May 2014, including information relating to Middle East benefit packages, Legatum salary review and settlements, asset register reconciliation, sovereign finance and Indian banks.
Use of the “clsadmin”, “spsadmin” and “dxbbackup” accounts to access the Legatum IT system
“clsadmin”
89. Prior to his departure from Legatum on 29 May 2014, Mr Salim frequently used the “clsadmin” account from his workstation to access the IT system. On 27 May 2014 “clsadmin” accessed the Legatum IT systems’ domain controllers and the Disaster Recovery server, all from Mr Salim’s workstation. In particular at 4:45 pm the “clsadmin” account was used to make multiple connections within a few seconds of each other to six disaster recovery servers.
90. On 28 May 2014, the “clsadmin” account was used from Mr Salim’s work station to access the Zeus backup server at 08:38 am and 12:07 pm, the Zeta2 at 08:40 am and the Beta domain controller at 12:07 pm, 4:10 pm and 4:23 pm.
91. On 29 May 2014, the “clsadmin” account was used from Mr Salim’s workstation to access the Zeus backup server at 08:10 am and the Beta domain controller at 2:53 pm and 3:03 pm.
92. After 29 May 2014, the “clsadmin” account was used to access the IT system (Ptolemy 1 in particular, see paragraphs 68 – 72 above) from IP number 172.20.0.24 and from 20 June 2014 this account was also used on occasion from IP number 172.25.25.35 and on other occasions from IP number 172.25.25.16.
93. On 21 June 2014 (the day of the sabotage) “clsadmin” logged on to Legatum’s financial system’s data base from IP number 172.25.25.16 and was used from the same IP number to delete that database at 05:27 am.
94. At 06:07 am on 21 June 2014 Legatum’s SOGNO domain controller was shut down by the “clsadmin” account.
95. At 06:15 am on 21 June 2014 Legatum’s Beta domain controller was shut down using the “clsadmin” account from IP number 172.25.25.16.
96. Mr Wright’s forensic examination of the workstations of Mr O’Flynn, Mr Radivojevic and Mr Padda revealed that none of these devices ever used the “clsadmin” account.
97. I accept Mr O’Flynn’s evidence that whilst Mr Salim was employed by Legatum he (Mr Salim) must have been the only member of the IT team to use the “clsadmin” account and that neither he (Mr O’Flynn) nor Mr Radivojevic knew the password to the “clsadmin” account.
98. I find that Mr Salim did not disclose the “clsadmin” account in his handover notes, as alleged by Legatum. In cross-examination he suggested for the first time that he may have disclosed the account in some part of the notes other than the materials that had been included in the trial bundle. Until this point, he had impliedly accepted that “clsadmin” had not been disclosed and his case was that he may have missed a few details as he prepared the notes from memory based on what his replacement might need to know to start work with the servers.
99. The entire handover notes had been available to Mr Salim throughout the proceedings. Legatum had found no mention in the notes of “clsadmin”. In these circumstances it was for Mr Salim to examine the notes to make good his late-in-the-day suggestion that he did indeed disclose the account. However, he failed to produce any evidence from the notes to make good his assertion and on the evidence before me I have no hesitation in finding that he did not reveal the existence of “clsadmin” in his handover notes.
“spsadmin”
100. On 3 May 2014 at 11:07 am the “spsadmin” account was used to access the Legatum IT system (Seti04) from Mr Salim’s workstation (IP number 172.25.26.29). I find on the basis of Mr O’Flynn’s evidence in paragraph 18 of his first witness statement that this use by Mr Salim of the “spsadmin” account before he left Legatum can have had nothing to do with his normal duties.
101. On 4 June 2014 the “spsadmin” account accessed Zeus from IP number 172.20.0.24.
102. On 9 June 2014 the ‘spsadmin” account was created on Ptolemy 1 (8:57 pm) and accessed Zeus from IP number 172.20.0.24 (9:40 pm).
103. On 13 June 2014 the “spsadmin” account from IP number 172.20.0.24 accessed: (a) Zeus at 8:09 pm; and (b) Seti04 at 8:38 pm.
104. On 21 June 2014 the “spsadmin” account from IP number 172.20.0.24: (a) accessed Zeus at 06:03 am; and (b) shut down the Alpha domain controller at 06:27 am.
105. The forensic examination of the workstations of the other members of the IT team conducted by Mr Wright showed that those devices had not accessed the “spsadmin” account.
106. I find that the existence of the “spsadmin” account was unknown by the Legatum IT team. It was not referred to in Mr Salim’s handover notes.
“dxbbacup”
107. On 9 June 2014 at 9.37 pm; and on 10 June 2014 at 7:31 pm; and on 13 June 2014 at 02:03 am, the “dxbbackup” account accessed Zeus from IP number 172.20.0.24.
108. On 21 June 2014 at 05:45 am “dxbbackup” from IP number 172.20.0.24 was used to shut down Zeus (Symantec Backup Exec system).
109. The forensic examination of the workstations of the other members of the IT team conducted by Mr Wright showed that those devices had not accessed the “dxbbackup” account.
110. I find that the existence of the “dxbbackup” account was unknown by the Legatum IT team and was not referred to in Mr Salim’s handover notes.
The use of IP numbers 172.20.0.24 and 172.25.25.16
111. On 27 May 2014, Mr Salim’s workstation (DBX-ANS-1) attempted to connect to IP 172.25.25.16 between 6:54 pm and 7:02 pm.
112. On 29 May 2014, Mr Salim’s workstation (DBX-ANS-1) again attempted to contact to IP 172.25.25.16 between 08:24 am and 08:25 am.
113. As recorded above, IP numbers 172.20.0.24 and 172.25.25.16 were used in conjunction with accounts “clsadmin”, “spsadmin” and “dxbbackup” after 29 May 2014 to gain access to the Legatum IT system and on 21 June 2014 to sabotage it.
114. I accept the undisputed evidence of Mr O’Flynn that: (i) the IP number 172.25.25.16 had last been assigned to a very old server (one of the company’s first), which had been decommissioned and switched off in July 2013; and (ii) the device to which IP number 172.20.0.240 was allocated was part of the disaster recovery system in Thailand and was an inactive address.
115. I find on the evidence that the existence of IP numbers 172.20.0.24 and 172.25.25.16 was unknown to the Legatum IT team. It is not disputed that they were not mentioned in Mr Salim’s handover notes.
Attempt to contact IP number 172.20.0.240 on 21 June 2014
116. Mr Wright’s forensic examination of Mr Salim’s workstation revealed that it had not been used after 29 May 2014 until it was employed in an attempt to access IP number 172.20.0.240 at 7:17 pm on 21 June 2014, at which time Mr Salim was at Legatum’s office apparently to assist in the recovery of the lost data.
117. Mr Salim did not deny that he was at Legatum’s office at 7:17 pm on 21 June 2014 and that his workstation was made available to him but he denied in cross-examination that it was he who used his workstation in an attempt to connect to IP number 172.20.0.240.
The usability of the “clsadmin”, “spsadmin” and “dxbbackup” user accounts to achieve remote access to the Legatum IT system
118. It was the evidence of Mr Wright and Mr O’Flynn that the Legatum virtual private network (“VPN”) uses “split tunnelling” which allows a remote VPN user to access the internet at the same time as the user is accessing resources on the VPN. In this way, a user can connect to file servers, database servers and other servers on Legatum’s network through the VPN connection by allocating a Legatum internal IP number to the accessing device. At the same time, the user can access the system through an alternative IP number allocated to the user’s machine.
119. In cross-examination in answer to a question how Mr Salim could have had remote access to the Legatum IT system after 29 May 2014, Mr Wright explained that “the Active Directory gives permission to people with certain accounts to come in to Legatum from outside. We know from witnesses and from the interview of Mr Arif Salim that “spsdmin” could do so. Looking at the … the user of the Active Directory, we can see that “spsadmin” is in a container folder named “location global”. Therefore other accounts in that will also have access from the outside. “Clsadmin” is in the same container”.
120. This evidence of Mr Wright was not challenged or disputed.
121. It was Mr Salim’s case until a fairly late stage in his cross-examination that the user accounts “clsadmin”, “spsadmin” and “dxbbackup” could not be used to gain remote access to the Legatum system because they were Legatum internal IP addresses and accordingly could not be directly utilised or connected to from outside the company premises.
122. To begin with Mr Salim stoutly adhered to this contention but it was then put to him that if this were true, whoever carried out the attack on 21 June 2014 using “clsadmin” would have had to be present in Legatum’s office pretty much all night on 21 June 2014. At this point Mr Salim stated that “clsadmin” could be used remotely if the user had first connected to system using a user account with VPN access enabled on it. He also confirmed that he was not suggesting that whoever perpetrated the incident must have been in the office all night on 21 June 2014.
123. In light of: (i) the evidence of Mr Wright and Mr O’Flynn referred to above in paragraphs 118-120 above; and (ii) Mr Salim’s admission that “clsadmin” could be used remotely if used in the right way, I have no hesitation in finding that the user accounts “clsadmin”, “spsadmin” and “dxbbackup” could indeed be used remotely to access Legatum’s IT system as Legatum has contended at all material times.
THE INTERVIEW
124. As mentioned above, Mr Salim was interviewed by Mr Wright on 7 August 2014. The interview was recorded and a transcript was in evidence at the trial. Mr Salim attended the interview voluntarily.
125. In the course of the interview, Mr Wright reviewed the many factors which he maintained linked Mr Salim to the attack on the Legatum IT system and accused Mr Salim of having perpetrated the attack, to which Mr Salim responded with neither a protest of his innocence, nor an admission that he was the culprit but instead insisted he was telling Mr Wright what he knew and reiterated the help that he claimed to have given to recover the lost data.
MR SALIM’S CASE
126. Mr Salim’s case is fully set out in his two witness statements. In these statements he denies that he was responsible for the sabotage of Legatum’s IT system, maintaining that he did not access the system on any occasion in the period after his departure from Legatum on 29 May 2014 down to his return to the office in the evening of 21 June 2014.
127. In summary form, in addition to the contentions and evidence of Mr Salim already referred to above, his contentions are as follows:
(a) He had a very limited knowledge of the networking aspect of Legatum’s servers and other networking equipment.
(b) His account passwords had been re-set on his departure so that he was completely removed from and could not access the Legatum IT system after his departure on 29 May 2014.
(c) The system could have been attacked by a Legatum insider or by an external consultant who had acquired knowledge of the “clsadmin”, “spsadmin” and “dxbbackup” user accounts and the passwords thereof.
(d) Since the VPN logs were deleted, Legatum cannot prove who had attacked the IT system.
(e) External consultants had been given full privileges and access to the IT system over time and therefore had access to the internal systems from their offices via VPN.
(f) As for Legatum’s allegation that Mr Salim used the IP number 172.25.25.16 before 29 May 2014, in preparation for the handover, he must have gone through all the servers and tried to connect to all (old and new) of them.
(g) In the period March – May 2014 Emitec was assisting Legatum in installing and upgrading the old backup system and were given access to the “dxbbackup” account.
(h) External consultants used the “clsadmin” account to log onto the system and Mr Salim’s use of the account was within his job profile.
(i) Messrs Graham and Collin, members of the Corporate Communications team, knew of and used the “spsadmin” account.
(j) Mr Salim was not the only one who knew the system’s passwords; the IT team knew them and some were stored on the RDC manager. Accordingly, Mr Salim was not required to remember all the passwords.
(k) The handover notes were sufficiently detailed and thorough. Mr Salim believed that the notes would be scrutinised by Legatum who would raise any omissions from the notes.
(l) There was nothing strange or unusual about Mr Salim’s behaviour when he returned to the Legatum office to help recover the lost data.
(m) The Legatum IT system was not secure and was vulnerable to attack.
(n) Mr Salim denied the alleged motive he had for the attack, namely that it was a response to his having been passed over as Mr Padda’s replacement that would allow him to show himself as a saviour of the company.
THE EXPERT EVIDENCE OF MR DINESH BAREJA
128. The expert witness called by Mr Salim was Mr Dinesh Bareja who has worked for many years as an information security consultant and investigator into digital information security incidents. Amongst the positions he has filled are: (i) Chief Surveillance Advisor, Jharkhand Police – Cyber Defence Research Centre (Special Branch), Ranchi, Jharkhand (India); Principal Consultant, CSI Consulting Inc., Toronto (Canada); Principal Consultant, Secure Matrix Pvt Ltd, Mumbai (India).
129. Mr Bareja is based in Dubai. He left it to his team in India to examine the event logs relied on by Mr Wright that had been disclosed by Legatum in the proceedings. The examination was not carried out until after the service of his First Report.
130. I have dealt with Mr Bareja’s Third Report above. His first two reports effectively reiterated Mr Salim’s Defence and proceeded on the basis that what Mr Salim said there was true. The First Report responded to a preliminary statement of findings produced by Mr Wright on 28 August 2014 as part of his investigation. Mr Wright’s report as an expert witness was not served until after Mr Bareja’s First Report had been served. The principal conclusions Mr Bareja reached at the end of his First Report were: (i) the breakdown of the Legatum IT system was a systemic risk waiting to happen; (ii) the absence of the VPN logs (the DHCP, DNS and Core Switches and Cisco networks logs) meant that Legatum had no proof to establish its claim against Mr Salim; (iii) the failure of various of the Legatum team members to practise security hygiene and their common use of credentials had led to a situation where anyone could use any other person’s machine or username-password; and (iv) the incident on 21 June 2014 appeared to be the result of a big error committed by some team member.
131. Mr Bareja’s Second Report responded to Mr Wright’s First Expert Report along the lines of his (Mr Bareja’s) First Report. In particular, he maintained that Mr Salim could not have gained access to the Legatum IT system after he had left the company on 21 June 2014 and all users at Legatum’s office had free access across the networks.
132. It was Mr Bareja’s opinion that: (i) during a handover there is mutual responsibility on both parties to enable a complete transition; (ii) in view of the overwriting by Mr Valerio of the backup data during the recovery period, it is incorrect to attribute any sort of malicious intent to Mr Salim in not sharing encryption keys which were never in his possession and basing this demand on a system error message that can be traced to a mistake by an external consultant.
133. In cross-examination, Mr Bareja conceded that in reaching the conclusion expressed at the end of his First Report that Legatum’s loss of data was the result of a big error he had not considered the evidence provided by the event logs studied by Mr Wright that had previously been made available through disclosure. And this was despite that fact that in his preliminary statement of findings, Mr Wright had stated that Windows Event Logs for 2014 had identified suspicious logging activity between March and June 2014 linked to IP numbers 172.25.25.16 and 172.20.0.240 and “clsadmin”, “dxbbacup” “spsadmin” and the IP number for Mr Salim’s computer 172.25.26.29.
134. Indeed, Mr Bareja conceded that not a single one of his conclusions was based on forensic evidence. Instead he had built an image in his mind of what had transpired at Legatum with the IT team and the system growing organically.
135. Mr Bareja also frankly and very properly conceded that where he made factual statements about the Legatum IT system and its operation, for instance the statement that clsadmin account could not be used remotely, he was relying on what he had been told by Mr Salim.
136. Mr Bareja also agreed that Mr Wright’s attack timeline was accurate and went on to state that Mr Salim had had “God rights” when employed by Legatum in that he had domain administrator rights by which he could change the privilege settings – the things a user is allowed to do on the system – in any way he wanted on any account.
137. In addition, Mr Bareja accepted that once a user gained remote access to the Legatum network, he could use internal IP addresses to access the different parts of the system.
CONCLUSIONS
Factual culpability
138. In my judgment, notwithstanding the absence of evidence as to which particular computer was used to carry out the attack, the evidence and findings set out above in paragraphs 45 – 137, constitute strong and convincing proof that satisfies the civil standard of the balance of probabilities that it was Mr Salim who sabotaged Legatum’s IT system.
139. I accept Mr Wright’s opinion that the 21 June 2014 attack was not perpetrated by an outsider (or outsiders) but by an insider.
140. The user account “clsadmin” was used on 21 June 2014 to: (i) delete Fin2 (Legatum’s financial systems database) [05:27 am]; shut down the SOGNO domain controller [06:07 am]; (iii) shut down the Beta domain controller [06:15 am].
141. On 27 May 2014, two days before he parted company with Legatum, Mr Salim used “clsadmin” to access the Legatum IT systems’ domain controllers and the Disaster Recovery server; in particular at 4:45 pm the “clsadmin” account was used to make multiple connections within a few seconds of each other to six disaster recovery servers. As Mr Wright observed in his First Report these mirrored the sabotage method and were unnecessary for the fulfilment of Mr Salim’s daily duties.
142. And, as recorded above in paragraphs 90 – 91: (A) on 28 May 2014 the “clsadmin” account was used from Mr Salim’s work station to access the Zeus backup server, the Zeta2 and the Beta domain controller; and (B) on 29 May 2014, the “clsadmin” account was used from Mr Salim’s workstation to access the Zeus backup server and the Beta domain controller. There can be no doubt in my view that it was Mr Salim himself who used the “clsadmin” account on these occasions on 27, 28 and 29 May 2014. This is because only Mr Salim knew the password for the “clsadmin” account and the occasions all took place during office hours, so that if another member of the IT team all of whom worked from the same table, had dared to use Mr Salim’s computer, he would have been quickly spotted doing so.
143. Mr Salim also created the “clsadmin” account on Ptolemy 1 on 6 May 2014 and, as recorded in paragraphs 68 – 72 above, that account was used on a number of occasions to access Ptolemy 1 between 4 and 21 June 2014. In particular, “clsadmin” was used to run a Robocopy file on Ptolemy 1 using the Task Controller program, after which data was copied onto Ptolemy 1 on 18, 19 and 20 June 2014.
144. No-one within Legatum knew of the “clsadmin” account. The workstations of Mr O’Flynn and Mr Radivojeric had never used this account. Emitec knew of the existence of the “clsadmin” account but they did not know the password. Mr Salim did not disclose the account in his handover notes. This in my judgment was a deliberate act. He knew that following his departure from Legatum the passwords on his own company account (Legatum\arifs) and the main administrator account (Legatum\administrator) would be changed and so he suppressed the existence of the “clsadmin” account (whose password of course he knew) so that he could use the account after his departure to sabotage Legatum’s IT system.
145. On 21 June 2014: the “dxbbackup” account shut down Zeus (Legatum’s Symantec Backup Exec system); and the “spsadmin” account was used to access Zeus at 06:03 am and to shut down the Alpha domain controller. Previously, on 3 May 2014, “spsadmin” was used by Mr Salim to access the Legatum IT system (Seti04). This latter use had nothing to do with his normal duties.
146. As recorded above in paragraphs 101 – 103 above, the “spsadmin” account was used: (i) on 4 June 2014 to access Zeus; (ii) on 9 June to access Ptolemy 1; and (iii) on 13 June 2014 to access Zeus and Seti04.
147. No-one in Legatum knew of the “spsadmin” and “dxbbackup” accounts. They had never been used on the workstations of Mr O’Flynn and Mr Radivojeric. They were not disclosed in Mr Salim’s handover notes. It is fanciful to suggest that a third party outsider would have known of these accounts and their passwords and that the accounts continued to be available for undetected use after Mr Salim’s departure.
148. As recorded in paragraphs 92 – 95; 100 – 104; 107 – 108 above, the IP numbers 172.20.0.24 and 172.25.25.16 were used in conjunction with the accounts “clsadmin”, “spsadmin” and “dxbbackup” after 29 May 2014 to gain access to the Legatum IT system and on 21 June 2014 to sabotage it.
149. As I have already found (see paragraphs 118 – 123 above) those accounts could be used to access remotely the Legatum IT system.
150. Mr Salim attempted to connect to IP address 172.25.25.16 on 27 May 2014 and on 29 May 2014, his last day at Legatum. As Mr Salim well knew from his extensive knowledge of the Legatum IT system: (i) the IP number 172.25.25.16 was inactive having last been assigned to a very old server switched off in July 2013; and (ii) the IP number 172.20.0.240 was also an inactive address having been originally allocated to part of the disaster recovery system in Thailand.
151. No-one within or without Legatum other than Mr Salim was in a position to know of the availability of the IP numbers 172.20.0.24 and 172.25.25.16 out of the thousands of IP numbers within the Legatum IT system. Nor was anyone other than Mr Salim in a position to know that these IP numbers could be used without a conflict occurring with other IP numbers, which can happen when two computers on a local area network have been assigned the same IP number.
152. On 21 June 2014 at 7:17 pm when Mr Salim was back in the Legatum office ostensibly helping to reactivate the Legatum IT system and recover the deleted data, his Legatum workstation was used in an attempt to access IP number 20.0.240. I have no doubt that it was Mr Salim who made this attempt. I am also in no doubt that it was no coincidence that he tried to access IP number 172.20.0.240, this being the IP number from which: (A) the “spsadmin” account was used to access: (i) Zeus on 4 June 2014; (ii) Ptolemy 1 on 9 June 2014; (iii) Zeus and Seti04 on 13 June 2014; (iv) Zeus and Alpha domain controller on 21 June 2014: (B) the “clsadmin” account was used to access: (i) Ptolemy1 three times on 9 June 2014; (ii) Ptolemy 1 on 17 June 2014; (iii) Ptolemy 1 on 21 June 2014: (C) the “dxbbackup” account was used to access: (i) Zeus on 9 July 2014; (ii) Zeus on 10 June 2014; and (iii) Zeus on 13 June 2014; (iv) Zeus (Symantec Backup Exec System) on 21 June 2014.
153. As recorded in paragraph 62 above, on 7 April 2014 the encryption key and passphrase for Legatum’s backup system was changed. I accept the evidence of Mr O’Flynn that neither he nor Mr Radivojeric, the other two members of the IT team, made these changes.
154. The backup system was Mr Salim’s responsibility. He alone had the necessary knowledge to make these changes. On the evidence before me I have no doubt that it was he who made the changes and that he deliberately failed to disclose them in his handover notes. His defence that he did not know the encryption key or the passphrase and his reliance on the overwriting on the system during the recovery operation do not hold water, for they ignore the facts that: (i) the encryption key and passphrase were indeed changed on 7 April 2014; (ii) the backup system was his responsibility; (iii) there is no tenable basis for believing that anyone else, whether within or outside Legatum, made the changes.
155. Almost all of the Legatum data that was deleted on 21 June 2014 had been copied onto Ptolemy 1, and remained on that invisible server after the attack. Mr Salim admits that it was he who created Ptolemy 1 and that before his departure from Legatum he had migrated data from the old servers (Ptolemy) to this new virtual server and that this process was on going at the time of his departure. In accessing Ptolemy 1 prior to his departure, Mr Salim used the “clsadmin” account. As recorded in paragraphs 69 – 73; 102 above, Ptolemy 1 was accessed after 29 May 2014 numerous times using the “clsadmin” and “spsadmin” accounts, neither of which was disclosed by Mr Salim in his handover notes. During this period, Robocopy was used to copy further data onto Plotemy 1. Forensic traces of the use of Robcopy prior to 29 May 2014 were found on Mr Salim’s workstation. No such traces were found on the workstations of Mr O’Flynn and Mr Radivojeric. Although what had been copied onto Ptolemy 1 by the time Mr Salim left Legatum was not the whole of Legatum’s data, a significant amount of the data had been migrated to Ptolemy 1, including Middle East benefit packages, Legatum salary review and settlements, asset register reconciliation, sovereign finance and Indian banks.
156. Ptolemy 1 was unknown to anyone within or without Legatum. Mr Salim listed in his handover notes four other test servers and three “Interaction” servers but he deliberately, as I have found, failed to disclose in those notes Ptolemy 1’s existence. Mr Salim also deliberately made no mention of Ptolemy 1 to the recovery teams after he returned to Legatum’s office ostensibly to help in recovering the deleted data.
157. Mr Salim’s secret creation of Ptolemy 1, his secret copying onto Ptolemy 1 of almost all of the data deleted in the attack and his failure to disclose Ptolemy’s existence in his handover notes and when he returned to Legatum’s office after the attack, is very powerful evidence against him.
158. The attack on the Legatum IT system targeted Legatum’s most vital data both at the Dubai office and at the recovery site in Thailand. This plainly shows, as Mr Wright opined, that the perpetrator had an intimate knowledge of the system. Mr Salim had such knowledge. On the evidence before the court there is no reasonable doubt but that he was the perpetrator.
159. Reliance was placed by Mr Bareja on what he said were serious shortcomings in the Legatum IT system’s security in support of his view that the 21 June 2014 incident was a big accident. Although the security of the system could have been improved, it is clear from the evidence of Mr O’Flynn that it was not nearly as bad as asserted by Mr Bareja. But in any event, even if there were a serious lack of security, Mr Bareja’s point goes nowhere because the evidence I have rehearsed at length in this judgment is consistent only with the attack having been carried out by an insider.
160. The establishment of Mr Salim’s role in the attack on Legatum’s IT system does not depend on the proof of a motive for the attack and I make my finding that it was Mr Salim who sabotaged Legatum’s system independently of any consideration of motive. That said, it is inconceivable that he did not have a motive for the attack and as to that I tend to the view that he carried out the attack in order to punish Legatum for not appointing him to replace Mr Padda, whilst at the same time giving himself the opportunity of appearing to be Legatum’s saviour when, having been called in to help as he correctly predicted he would be, he “discovered” Ptolemy 1.
Mr Salim’s evidence
161. It follows from the above conclusions that Mr Salim’s denials in his evidence that he was the perpetrator were knowingly and dishonestly false. He also knowingly gave false evidence when he at first denied that he had copied corporate data from his second hard drive (see paragraph 67 above). Hence my conclusion expressed in paragraph 8 above that Mr Salim was an unreliable witness whose evidence I was not going to accept unless it was corroborated by the oral testimony of the Legatum witnesses or by other reliable evidence.
Legal culpability
162. Article 41 of DIFC Law No. 5 of 2005 (the “Law of Obligations”) states:
“(a) A defendant is liable to another person if he wrongfully interferes with property in which the other person has an interest such that the other person suffers loss.
(a) A defendant interferes with property if:
…
(b) he deals with or (in respect of property as to which he owes a duty of care) neglects the property so that it is destroyed or damaged.
…
(c) A defendant’s interference is wrongful if it occurs without the permission, express or implied, of the person with an interest in it.
163. By sabotaging Legatum’s IT system in the manner I have described, Mr Salim wrongfully interfered with Legatum’s property under Article 41. Dr Al Kabban submitted that, assuming Mr Salim had carried out the 21 June 2014 attack, his actions were not covered by Article 41 because he had not used or acquired Legatum’s information to cause damage. I reject this submission. In my view the sabotage inflicted on Legatum’s IT system by Mr Salim could not be a plainer instance of someone interfering with the property of another so as to cause that other person to suffer loss.
164. Pursuant to Articles 23, 24, and 25 of the Law of Damages and Remedies (DIFC Law No 7 of 2005), Legatum has a right to damages to compensate it for its losses resulting from Mr Salim’s breach of Article 41 of the Law of Obligations. The measure of those damages is that sum of money which would put it in the same position as it would have been in if it had not sustained the wrong committed by Mr Salim.
Loss and damage
165. Legatum claims loss and damage in the sum of USD 690,533, calculated as follows:
| Description | Invoice (USD) |
| McAfee’s costs for restoring the IT System and investigating the incident | 189,750 |
| Network Rebuild | 20,926 |
| Network Rebuild Contractors’ Fees | 62,605 |
| Indirect costs | 417,252 |
| Total | 690,533 |
166. Details of the first four heads of loss were given in evidence by Mr Sheriff. “Network Rebuild” is a reference to the emergency servers that Legatum purchased following the 21 June 2014 incident. In my judgment, there is no basis for requiring Legatum to give credit for the value of these emergency servers: the cost involved does no more than to put Legatum back in the position as near as may be to that obtained before the attack.
167. “Network Rebuild Contractors’ Fees” refers to consultancy costs incurred to engage the appropriate contractors with relevant expertise to build the emergency servers in an expedient manner.
168. “Indirect costs” refer to the value of estimated Legatum employee time incurred in dealing with the attack or its effects, which could have been spent elsewhere. The value of this time was calculated by reference to the relevant employee’s salary and the proportion of the relevant employee’s contractual time engaged.
169. Mr Sheriff believed that the personnel identified in the table below had spent the corresponding proportion of their contractual time in dealing with the attack or its effects. He testified that these costs cover the period immediately after the attack and do not cover the indirect costs Legatum has suffered due to the extensive management time involved in preparing its legal case.
| Personnel engaged in response to Attack | Period engaged | Proportion of time engaged for relevant period |
| IT Team:
Conor O’Flynn Srdjan Radivojeric Ryan Smiley (from 16th July) Kristina Nagy |
25 weeks 25 weeks 21 weeks 25 weeks |
100% 100% 100% 100% |
| Rob Vickers | 12 weeks | 50% |
| Paul Sheriff | 12 weeks | 50% |
| Mark Stoleson | 6 weeks | 20% |
| Lost productivity as a result of not having access to data/e-mails for remaining employees over a period of 6 weeks | 6 weeks | 25% |
170. Mr Sheriff accepted that the indirect costs claimed are based on an estimate of the cost of wasted Legatum employee time in dealing with the incidents and its effects. He told the court that a conservative estimate had been used. In almost all cases where a claim is made for staff time spent in the aftermath of a wrongful act, the amount of time so spent will be based on an estimate rather than on specific time-keeping records. So long as the court is satisfied that the estimate is reasonable, as I am in this case, the estimate can found a recovery for staff time if the first two of the following three propositions propounded in the English Court of Appeal’s decision in Aerospace Publishing Ltd & Anr (“Aerospace”) v Thames Water Utilities Ltd [2007] Bus L.R. 726, the Court of Appeal are satisfied:
(a) The claimant must adduce such evidence that it could reasonably adduce to show the extent of the diversion of staff;
(b) The claimant must also establish that the diversion of staff caused significant disruption to its business;
(c) If the first two elements can be established, the court may infer that, had the staff not been diverted from their usual activities, they would have directly or indirectly generated revenue for the claimant in an amount at least equal to the cost of employing them during that time.
171. In my judgment, Legatum have satisfied the first two requirements promulgated in Aerospace Publishing Ltd & Anr (“Aerospace”) v Thames Water Utilities Ltd. It has produced such evidence as it could reasonably produce of the diversion of staff and has established that the diversion of staff caused significant disruption to its business. Accordingly, it is open to me to find, and I do find, that had the staff not been diverted from their usual activities, they would have directly or indirectly generated revenue for Legatum in an amount at least equal to the cost of employing them during that time.
172. The damages I award Legatum are therefore the total it claims, namely USD 690,533.
173. Following delivery of this judgment, the parties are invited to serve written submissions as to costs and interest in accordance with the following timetable: (1) Claimant’s first round of submissions to be served within 7 days of the hand down date; (2) Defendant’s reply submissions 7 days thereafter; (3) Claimant’s responsive submissions 7 days thereafter.
Issued by:
Natasha Bakirci
Assistant Registrar
Date: 11 November 2015
At: 10am
The post CFI 027/2014 Legatum Limited v Arif Salim appeared first on DIFC Courts.