A highly sensitive government department contracted Encode to help it proactively detect and prevent cyber-attacks. Within the first week of the engagement, Encode’s Enorasys Security Analytics platform alerted its Security Operation Centre that an endpoint device was showing signs of compromise. Encode’s Cyber Incident Response Team began a process of isolating the endpoint and conducting a detailed forensic investigation, which discovered that a sophisticated, custom-written cyber-attack tool had been installed on the laptop of a senior member of the department.
The tool was recording local audio conversations and keystrokes, effectively bugging senior individuals within the government department and sending these conversations to a server in another country. Through in-depth analysis, it was discovered that the attack had been ongoing for nearly 11 months and had evaded detection by the traditional, up-to-date anti-virus and next-generation firewall products installed within the department. Following discovery and interdiction of the breach, the government department has suffered no further successful attacks and has used Encode consulting services to further improve its security processes and to raise security awareness through additional staff training.
As part of the initial engagement, Encode evaluated and strengthened the department’s access controls and deployed probes on the network to begin benchmarking its systems and the patterns of traffic flow across the organisation and its staff. This data was then fed into Enorasys, a Security Analytics platform hosted within Encode’s Security Operation Centre that is designed from the ground up to detect early compromise by understanding the “attack logic” and exploitation path of advanced threats. Enorasys evaluates relevant activity and, through a unique combination of pattern detection with activity profiling and external/environment-specific context, assigns risk scores to users, nodes and the corresponding activity attributes.
Within two days of the Enorasys platform going live, it detected a correlation of factors that suggested a particular endpoint may have been compromised. This alert was passed to the Encode Cyber Incident Response Team (CIRT) which began a forensic investigation. The suspected endpoint was a laptop used by a senior member of the government department who regularly handled highly sensitive material. With the laptop still powered on, the CIRT began by disconnecting it from the Wi-Fi network and then created images of the active memory, BIOS and hard disk to investigate the cause of the anomalous activity the endpoint was exhibiting.
Through the forensics process it was discovered that the laptop had been infected with a cyber-attack tool that had gone unnoticed by the installed and updated anti-virus software through sophisticated rootkit and evasion techniques. The tool matched no known signature and was believed to have been custom-written to avoid traditional signature-based detection methods. Through further study, it was determined that the tool was actively recording all audio conversations using the laptop’s built-in microphone and sending these recordings to a fake ‘hobby’ website, along with full keystroke transcripts of everything typed on the keyboard. The sophisticated malware was designed to be as unobtrusive as possible and had a number of additional features, such as the ability to transfer itself via USB stick, which was not enabled but lay dormant within its code. As the command-and-control website the tool was communicating with was outside the national border, the CIRT was unable to ascertain the identity of the attacker. However, a state-sponsored group is suspected to have been involved, based on a number of artefacts uncovered during the forensic investigation. Encode did a full sweep of all endpoint devices, servers and removable media within the organisation and found that no other systems were infected and that the network showed no other signs of similar types of attack.