Investigating a Destructive Administrator Following Merger and Acquisition
A global manufacturing company (the Client) experienced a corporate-wide outage due to being locked out of their router devices between corporate headquarters and their branch offices across the globe. After internal investigation and significant downtime resulting in major losses in revenue, it was suspected this outage was likely caused by malicious insider activity involving a recent acquisition.
The Client engaged Nisos because the problem required expertise across several domains: forensics, insider threat monitoring, cloud log analysis, and law enforcement coordination. In addition, we used technology-enabled OSINT capabilities to discover new evidence where data had been exfiltrated outside of the Client’s environment.
The outage initially left the Client unable to access corporate resources, and the root password had been changed on all of their VPN infrastructure, effectively locking them out of the devices. Malicious insider activity was suspected because only a limited number of individuals had access to the shared administrator keys.
The Client also discovered they could not access the central cloud-hosted virtual router which aggregated remote connections into an environment controlled by a recent acquisition to the branch offices. The Client discovered that the VPN configuration files, or routing tables, which facilitate network connectivity between the cloud environment and the router devices at the branch locations had been deleted from the server and from numerous days' worth of backups.
The incident caused a wide-scale network outage at the company’s branch offices and substantial downtime for a critical business application, resulting in significant revenue loss and remediation costs for the Client. The outage also brought down the phone systems at the branch locations, resulting in a loss of sales from customers not being able to phone in orders for a substantial amount of time.
A significant portion of the remediation cost was due to the fact that the Client was forced to make an expedited purchase of new VPN routers and deploy them to the branch locations in order to restore full network connectivity and other business functions (i.e. printing, phone systems) that had been affected by this incident. The company was also forced to pull non-IT personnel from their normal work responsibilities at the various branch locations to assist in the rapid deployment of the new devices.
We were provided access to the internal corporate environment and the limited cloud logging that was in place.
Working with the Client and outside counsel, we assessed that the attack on Client infrastructure was likely conducted in a coordinated fashion by an individual or individuals with intimate knowledge of how the acquired company’s network was configured. We discovered that an actor or actors took steps to destroy evidence and minimize the artifacts left behind. While it is believed these activities were intended to be malicious and in violation of corporate policy, the Client believed these activities may also constitute violations of criminal law.
For example, forensic analysis of the main router server revealed that logging had been disabled. Investigators also discovered a program designed to clear bash history from Linux/Unix servers. Investigation of the router server also revealed that the log directory on the server was cleared out by the administrative user several days after the outage. Audit logs were also deleted from other Linux servers in the acquired company’s cloud environment. Outside of that previously copied file, we did not see evidence of further violations of company policy, tampering, or destruction of the company’s network.
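The kinds of evidence destruction described above can be flagged from command-execution audit records when they are shipped off the host before anyone can delete them. The following is an added example, not part of the Nisos investigation: the log lines are constructed samples in Linux auditd format, and the rule names and service list are assumptions.

```python
import re

# Constructed sample records in Linux auditd format (not evidence from the case).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000001.100:201): syscall=59 success=yes auid=0 uid=0 comm="systemctl"
type=EXECVE msg=audit(1700000001.100:201): argc=3 a0="systemctl" a1="stop" a2="rsyslog"
type=SYSCALL msg=audit(1700000002.200:202): syscall=59 success=yes auid=1001 uid=0 comm="rm"
type=EXECVE msg=audit(1700000002.200:202): argc=3 a0="rm" a1="-rf" a2="/var/log/router"
type=SYSCALL msg=audit(1700000003.300:203): syscall=59 success=yes auid=1001 uid=1001 comm="ls"
type=EXECVE msg=audit(1700000003.300:203): argc=2 a0="ls" a1="/tmp"
type=SYSCALL msg=audit(1700000004.400:204): syscall=59 success=yes auid=0 uid=0 comm="shred"
type=EXECVE msg=audit(1700000004.400:204): argc=3 a0="shred" a1="-u" a2="/root/.bash_history"
"""

EVENT = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$", re.M)
ARG = re.compile(r'\ba(\d+)="([^"]*)"')  # quoted args only; auditd hex-encodes others
AUID = re.compile(r"\bauid=(\d+)")
DESTRUCTIVE = {"rm", "shred", "truncate", "unlink"}
LOG_SERVICES = {"rsyslog", "auditd", "syslog-ng", "systemd-journald"}  # assumed list

def classify(argv):
    """Return a rule name if the command line matches an anti-forensic pattern."""
    cmd, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    if cmd in DESTRUCTIVE and any(a.endswith("_history") for a in args):
        return "shell-history-removed"
    if cmd in DESTRUCTIVE and any(a.startswith("/var/log") for a in args):
        return "log-files-removed"
    if cmd in {"systemctl", "service"} and {"stop", "disable", "mask"} & set(args):
        if any(a.removesuffix(".service") in LOG_SERVICES for a in args):
            return "logging-service-stopped"
    return None

def find_anti_forensics(log_text):
    """Join EXECVE records to the login uid (auid) of their SYSCALL record."""
    auids, findings = {}, []
    for rtype, ts, event_id, body in EVENT.findall(log_text):
        if rtype == "SYSCALL" and (a := AUID.search(body)):
            auids[event_id] = int(a.group(1))
        elif rtype == "EXECVE":
            argv = [v for _, v in sorted((int(i), v) for i, v in ARG.findall(body))]
            rule = classify(argv) if argv else None
            if rule:
                findings.append((float(ts), auids.get(event_id), rule, " ".join(argv)))
    return findings

if __name__ == "__main__":
    for finding in find_anti_forensics(SAMPLE_AUDIT_LOG):
        print(finding)
```

Events with `auid=0` come from a direct root login, which cannot be attributed to a person when the root credential is shared; the `auid=1001` event still names the original login account after privilege escalation.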
Numerous gaps and recommendations were provided to the Client to more appropriately audit their cloud and corporate environment. The Client recognized that undertaking these recommendations at the time of acquisition would have saved them time and money from this attack. The gaps included:
- Shared root SSH keys
- RDP access directly from the internet
- Linux auditing not enabled or enforced
- Windows auditing not enabled or enforced
- No SSH key management in place
- Outdated and unpatched versions of Windows
- No clear disaster recovery plan
- Outdated Active Directory content and no review process
- No active inventory or control systems
- Permissive firewall policy
- Weak computer services expense tracking policy
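One way to check for the first gap during acquisition due diligence is to fingerprint every `authorized_keys` entry collected from the environment and report any key accepted by more than one host or account. This is an added example, not tooling from the engagement: the host names, accounts and key blobs are constructed placeholders, and the option parsing is simplified.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed placeholder blobs, not real keys; only their equality matters here.
KEY_SHARED = base64.b64encode(b"constructed-shared-key").decode()
KEY_ALICE = base64.b64encode(b"constructed-personal-key").decode()

# Constructed inventory: (host, account) -> authorized_keys file content.
INVENTORY = {
    ("cloud-vrouter", "root"): f"ssh-ed25519 {KEY_SHARED} admin@acquired\n",
    ("branch-rtr-01", "root"): f'from="10.0.0.0/8" ssh-ed25519 {KEY_SHARED} ops\n',
    ("branch-rtr-02", "root"): f"# legacy\nssh-ed25519 {KEY_SHARED}\n",
    ("jump-01", "alice"): f"ssh-ed25519 {KEY_ALICE} alice@laptop\n",
}

def fingerprints(authorized_keys):
    """Yield the SHA256 fingerprint (ssh-keygen -l style) of each key line."""
    for line in authorized_keys.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Simplification: skip leading options by finding the key-type token.
        for i, tok in enumerate(tokens[:-1]):
            if tok in KEY_TYPES:
                digest = hashlib.sha256(base64.b64decode(tokens[i + 1])).digest()
                yield "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
                break

def shared_keys(inventory):
    """Map each fingerprint trusted in more than one place to where it is trusted."""
    seen = defaultdict(set)
    for (host, account), content in inventory.items():
        for fp in fingerprints(content):
            seen[fp].add((host, account))
    return {fp: sorted(where) for fp, where in seen.items() if len(where) > 1}

if __name__ == "__main__":
    for fp, where in shared_keys(INVENTORY).items():
        print(fp, "->", where)
```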
Following the investigation by Nisos, representatives from the Client were able to deliver the full report of activities to law enforcement personnel. Having a full report pointing to key evidence from the intrusion allowed law enforcement to quickly verify the report and subpoena evidence from outside sources before data was lost. With this evidence in hand, law enforcement produced a conviction in under six months.