State-Sponsored Advanced Persistent Threat (APT) Breach

CASE STUDY

Incident Response Case Study - State-Sponsored APT Breach

Tags
State-Sponsored, Advanced Persistent Threat (APT), Large-scale breach, Threat Intelligence, Web Shells

Background

A global private investigations (PI) firm contacted the Maryman team to assist with the forensics for a large-scale breach of a Fortune 100 company. The company was targeted by a state-sponsored attack group and ultimately fell victim to the attack. The Maryman team was retained because the previous incident response firm was unsuccessful in identifying key elements of the attack. These elements were crucial to the PI firm’s regulatory obligations for reporting to various federal oversight agencies.

Scope

The Maryman team was ultimately tasked with conducting a complete, entirely independent investigation to determine how the attackers got in, what data they accessed, and how the data was exfiltrated from the corporate environment.

Preservation

All one hundred and twenty (120) virtual servers and network logs had already been preserved by the previous incident response company. All were provided to the Maryman team for analysis.

The PI firm was able to add one crucial element to the analysis. Working with the United States Attorney’s Office, they were able to get one of the hacker’s servers out of Southeast Asia. In a rare event, the US Attorney’s Office provided Maryman with a forensic image of the hacker’s server.

Analysis and Findings

The Maryman team quickly determined only 16 of the servers were impacted by the attackers. Using deep Linux filesystem analysis, we uncovered the output from the port scanning tool used by the attackers, showing the discovery of a second subnetwork. Even though the servers appeared in two separate subnetworks, the Maryman team was able to show that the attack group was the same. This was significant for the client, because it provided evidence to show the entire attack was from a single group.

Utilizing the hacker’s server, the Maryman team established a very large and comprehensive timeline showing the initial discovery of the vulnerability by an attack group in Europe, and the suspected sale of the vulnerability to another attack group in Asia about 12 months later. The timeline showed a consistent attack against the infrastructure for about seven weeks, during which the attackers were able to infiltrate the network, access the database and ultimately exfiltrate gigabytes of client data.

Next Steps

The discovery of the bridge between the subnetworks was crucial in prompting a comprehensive network mapping of the environment, which revealed other subnetwork bridges that were unknown to the client. Additionally, the environment was compromised due to unpatched vulnerabilities in the web application stack, which were ultimately remediated. The report was successfully used by the investigations team, the legal team, and the client in various legal matters pertaining to the breach, including investigations by federal agencies, class-action lawsuits, and future tabletop exercises.

Outcomes

The Maryman team was able to accomplish what the previous incident response team failed to do. We were able to establish that a single threat group executed a large-scale breach of the client network; determine the exact target data for the attack group; and build a comprehensive timeline using the hacker’s server. We were also able to help improve the configuration of the client’s security systems using the threat intelligence gathered from the hacker’s server. Additionally, we identified nearly 100 web shells deployed by the attacker group and assisted the client in removing them.