eCases

•                 NOT RECOMMENDED FOR FULL-TEXT PUBLICATION
  File Name: 15a0710n.06
  Case No. 14-5718
  UNITED STATES COURT OF APPEALS
  FOR THE SIXTH CIRCUIT
  FILED
  Oct 22, 2015
  UNITED STATES OF AMERICA,                           )                         DEBORAH S. HUNT, Clerk
  )
  Plaintiff-Appellee,                          )
  )       ON APPEAL FROM THE UNITED
  v.                                                  )       STATES DISTRICT COURT FOR
  )       THE EASTERN DISTRICT OF
  IBRAHIMSHAH SHAHULHAMEED,                           )       KENTUCKY
  )
  Defendant-Appellant.                         )
  )
  )
  BEFORE: BOGGS, SUTTON, and STRANCH, Circuit Judges.
  BOGGS, Circuit Judge. On the evening of August 23, 2012, Ibrahimshah Shahulhameed
  was fired from his job at GlobalSource IT as a contractor for Toyota Motors. A few hours later,
  Toyota experienced a cyberattack that rendered several of its computer servers inoperable.
  Toyota’s investigation revealed that the attack came from Shahulhameed’s Toyota-owned laptop
  and Shahulhameed’s user account.       An independent investigator and the FBI corroborated
  Toyota’s findings.
  Shahulhameed was arrested and charged with “knowingly caus[ing] the transmission of a
  program, information, code, or command, and as a result of such conduct, intentionally caus[ing]
  damage without authorization, to a protected computer,” resulting in at least $5,000 of damage in
  a one-year period, in violation of 18 U.S.C. § 1030(a)(5)(A), (c)(4)(B)(i). After a five-day trial,
  Case No. 14-5718
  United States v. Shahulhameed
  a jury returned a guilty verdict. Shahulhameed appeals on the ground that there was insufficient
  evidence to support the conviction.     After carefully considering the evidence, we affirm
  Shahulhameed’s conviction.
  I
  In reviewing the sufficiency of the evidence, we must affirm the conviction if “after
  viewing the evidence in the light most favorable to the prosecution, any rational trier of fact
  could have found the essential elements of the crime beyond a reasonable doubt.” United States
  v. Warshak, 

  631 F.3d 266

  , 308 (6th Cir. 2010) (quoting Jackson v. Virginia, 

  443 U.S. 307

  , 319
  (1979)).
  II
  A
  A reasonable jury could have found that Shahulhameed knowingly transmitted computer
  codes and commands to a protected computer. Dennis James Seibert, Jr., a specialist in Toyota’s
  information security department, testified that Shahulhameed’s password-protected user account
  (“ishah”) logged in to Toyota’s remote-access system on the following occasions:
  Login                         Logout
  August 23, 2012                August 24, 2012
  Access #1                    11:56:04 PM                    1:55:26 AM
  August 24, 2012                August 24, 2012
  Access #2
  3:10:10 AM                     4:20:07 AM
  August 24, 2012                August 24, 2012
  Access #3
  4:40:45 AM                     6:13:48 AM
  August 24, 2012                August 24, 2012
  Access #4
  6:26:07 AM                     6:55:09 AM
  The IP address associated with these log ins, 10.235.0.150, matched the IP address of the
  Toyota-owned laptop issued to Shahulhameed for work. Logging in to the remote-access system
  2
  Case No. 14-5718
  United States v. Shahulhameed
  from a Toyota-owned laptop using an assigned user name and password is the only way to access
  Toyota’s servers from outside of Toyota’s facilities.
  That night, during those remote log-in sessions, Shahulhameed’s laptop accessed
  Toyota’s computer servers and transmitted codes and commands to them. Shahulhameed’s
  laptop made changes to the configuration files for the ToyotaSupplier.com website, the eKanban
  system, the Long Lead Time Parts system, and the Oracle Business Intelligence system. A
  search of the Internet browsing history on Shahulhameed’s laptop confirmed that his laptop
  accessed the servers.    Because these changes came from Shahulhameed’s laptop and his
  password-protected user account, a reasonable jury could have found that Shahulhameed was
  behind them.
  In addition, Toyota’s computer systems were “protected.” A “protected computer” is a
  computer “used in or affecting interstate or foreign commerce or communication.” 18 U.S.C.
  § 1030(e)(2)(B). Tom Cantrell, assistant manager at Toyota’s information systems technology
  department, testified that approximately 700 suppliers across the United States interact with
  Toyota through ToyotaSupplier.com, and that the above-mentioned computer systems are used
  by Toyota employees in states across the country. Based on the foregoing evidence, a reasonable
  jury could have found that Shahulhameed knowingly transmitted computer codes and commands
  to Toyota’s protected computer systems.
  B
  The evidence also shows that Shahulhameed acted without authorization. Authorization
  requires approval or sanction. See WEC Carolina Energy Sols. LLC v. Miller, 

  687 F.3d 199

  , 204
  (4th Cir. 2012). Andrew Sell, a technical recruiter for GlobalSource IT, testified that he received
  a call on August 23, 2012, from Adi Gimpaunu, a GlobalSource contractor working for Toyota,
  3
  Case No. 14-5718
  United States v. Shahulhameed
  stating that Shahulhameed had harassed Gimpaunu by demanding that Gimpaunu pay
  Shahulhameed a “finder’s fee,” or something to that effect. Managers at Toyota heard about the
  incident and called GlobalSource that evening, stating that one of the two contractors had to be
  removed. Sell called Shahulhameed on the evening of August 23, 2012, and “told him that the
  decision has been made that your project has been terminated, that you should have no contact
  with anyone at Toyota, [and] that you should not report to Toyota tomorrow morning, the next
  day.” Sell asked if Shahulhameed understood, and Shahulhameed said, “yes, okay.” Sell also
  sent Shahulhameed an e-mail that same evening clarifying that he should not report to work the
  next day and that he should not have contact with anyone at Toyota. Shahulhameed testified that
  he received the e-mail and replied to it.
  Shahulhameed argues that his access was authorized because Toyota did not disable his
  user account until at least eight hours after his conversation with Andrew Sell. But Toyota’s
  failure to disable his account does not mean that his access was authorized; the phone call and e-
  mail from Sell are sufficient to establish a lack of authorization. Given the late hour—Sell e-
  mailed Shahulhameed around midnight—it is not surprising that Toyota waited until the next
  business day to disable his account. A reasonable jury could have found that Shahulhameed was
  not authorized to access Toyota’s computer systems.
  C
  Shahulhameed intentionally caused damage to Toyota’s computer systems.             Dennis
  Seibert testified that the configuration changes traced to Shahulhameed’s laptop on the morning
  of August 24, 2012, included: (1) disabling load balancing between ToyotaSupplier.com servers,
  which prevented users from accessing the systems; (2) changing letters in connector names,
  which made it impossible for servers to communicate with each other, effectively shutting the
  4
  Case No. 14-5718
  United States v. Shahulhameed
  servers down; and (3) adding unknown password requirements for access to administrative
  consoles, which made it impossible to use the consoles. Based on this evidence, a reasonable
  jury could discredit Shahulhameed’s claim of only trying to help Toyota close his projects or
  transition them to others.
  The destructive nature of these changes betrays an intention to cause damage. Seibert
  testified that in his opinion, the changes were not consistent with a business purpose. Some of
  the changes were minute and difficult to detect without a specialized tool. In one instance, the
  letter “S” was changed from uppercase to lowercase, and in another, the letter “O” was switched
  with the number “0.” Adam Keown, a special agent with the FBI, testified that making these
  subtle changes, without coordinating with colleagues, was harmful and inconsistent with a
  legitimate business purpose.
  The attacker also used a touch command, which changes the timestamp for when the file
  was last modified. Agent Keown testified that the touch command is commonly used by cyber-
  attackers in an attempt to hide their changes. Justin Hall, an outside forensic investigator with
  Cincinnati Bell Technology Solutions, testified that the attacker removed history files and
  modified files in a way that “you wouldn’t do unless you were trying to hide something.”
  Shahulhameed contends that it would be irrational for him, an experienced professional
  with family obligations, to commit such an easily-detectable crime intentionally. But emotions
  can lead to rash decisions, and Shahulhameed’s attempts at hiding his tracks suggest that he may
  well have thought that he could escape detection. A reasonable jury could have concluded that
  Shahulhameed intentionally damaged Toyota’s computer systems.
  5
  Case No. 14-5718
  United States v. Shahulhameed
  D
  Finally, the evidence shows that Shahulhameed’s conduct resulted in at least $5,000 of
  damage in a one-year period. Agent Keown investigated the costs that Toyota incurred as a
  result of the cyberattack. Toyota provided Keown with documentation showing that Toyota
  employees spent 2,133 hours responding to the cyberattack between August 24 and October 30,
  2012, with an estimated value of $152,070. Toyota also paid Cincinnati Bell Technology
  Solutions for 200 hours of labor at $175 per hour between August 24 and September 30, 2012,
  totaling $35,000. These figures were not challenged at trial. Contrary to Shahulhameed’s
  argument, the prosecution demonstrated exactly how it calculated the damage that Toyota
  suffered. Based on this evidence, a reasonable jury could have found that Shahulhameed caused
  at least $5,000 of damage.
  III
  Shahulhameed cites United States v. White for the proposition that “evidence which
  requires a leap of faith in order to support a conviction” is insufficient. 

  932 F.2d 588

  , 590 (6th
  Cir. 1991) (per curiam). White held that the defendant’s mere awareness of a marijuana patch
  growing behind his house was insufficient to establish possession or intent to distribute when:
  (1) the marijuana patch was not on his property; (2) there was no testimony that he was ever seen
  in the patch; (3) there was no path connecting his trailer home to the patch; (4) there was
  overgrowth between his trailer and the patch; (5) the fertilizer in the patch did not match the
  fertilizer in his trailer; (6) the police found no seeds, scales, or drug paraphernalia when they
  searched his trailer; and (7) his physical disability suggested that he lacked the physical capacity
  to grow a twenty foot by thirty foot marijuana patch. 

  Ibid. Here, no leap

  of faith is required.
  The cyber-attack came from a laptop assigned to Shahulhameed and in Shahulhameed’s
  6
  Case No. 14-5718
  United States v. Shahulhameed
  possession. It was launched from his password-protected account, just hours after he was fired.
  The nature and extent of the damage and Shahulhamed’s attempts to cover his tracks could lead a
  reasonable jury to believe that he intended to cause damage.
  A rational trier of fact could have found beyond a reasonable doubt that Shahulhameed
  knowingly transmitted codes and commands that intentionally caused damage to Toyota’s
  protected computers without authorization, resulting in at least $5,000 of damage in a one-year
  period. Shahulhameed’s conviction is AFFIRMED.
  7
  

• Sign In
• Sign Up