CASE STUDY

Countering Destruction to Save a Business

Apr 16, 2020 | Adversary Research, Case Study, Outside Intel

The Challenge

A healthcare technology company (the Client) suffered a wide-scale destructive compromise after an attacker targeted the Client’s backend point of sale technology and deleted all customer data.

Why Nisos

In addition to the primary forensics firm that was called in to assess the breach and the damage, we were engaged to help recover the stolen data and determine whether it was being sold on criminal forums or published to embarrass the Client. The Client did not have an appropriate disaster recovery capability and its backups had been encrypted; as a result, the Client's customers (individual retail outlets) had lost all of their customer data. Our unique value lay in our ability to use external data and conduct the investigation outside the Client's network, while the forensics firm handled remediation of the breach.

Preparation

The destructive attack originated from a SQL injection against the Client's frontend PHP code, which gave the attacker access to the backend cloud infrastructure and the backups holding all sensitive client data. We accessed the Client's environment in coordination with the forensics company handling the breach response, and there we found the vital clues needed to start looking for external servers that might hold the Client's data.

Execution

Using this information, we leveraged external telemetry not available to the Client to determine that the data had been copied to external servers in a foreign country, which were being controlled over the Tor anonymity network. We contacted the virtual private server (VPS) provider, who informed us of other servers hosted by the provider and used by the attacker; these held more customer data than had been discovered during the initial forensics investigation.

After analysis of the forensic copies of the servers the attacker was using, we determined that the attacker was preparing an ecommerce website linked to bitcoin wallets, through which the attacker intended to distribute the stolen data, creating a public relations nightmare for the Client. The attacker had in fact stored and archived all of the data, whereas the Client had originally assumed it had been deleted.

Impact

Working in close coordination with the Client's outside counsel over a six-month investigation, the Client was able to frustrate the attacker long enough to repair its code, recover its customer data, and prevent the reputational damage and legal action that might have put the Client out of business.

In addition, our investigation determined that the Client was being continuously targeted, likely by the same attacker, and that the attack was not a target of opportunity. The company was able to use the context of these targeted attacks to obtain insurance coverage not only for the breach and the appropriate third parties, but also for the remediation costs of building a more secure cloud environment.

About Nisos

Nisos is the Managed Intelligence company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.

For additional information, contact info@nisos.com
