Eight Hours to Attribution
A multinational manufacturer (The Client) came to Nisos for help responding to an unusual incident. An unauthorized user opened a trouble ticket in the Client’s internal IT ticketing system. In the ticket, the actor demonstrated access to sensitive client resources and associated the ticket with a senior IT security executive. The actor provided two other pieces of information: a PowerShell snippet with valid credentials to the client network, and an anonymized email address at which to reach them.
The Client was aware of Nisos’ threat hunting capabilities against their internal network environment and of our ability to combine these with external data analysis, geolocation, and social media attribution capabilities to investigate and attribute the threat actor. In this case, attribution was especially important given the apparent insider knowledge the attacker maintained and the need for the Client to characterize the nature of the threat.
While Nisos maintained remote internal network access as part of ongoing support to threat hunting and threat intelligence operations, our analysts conducting the external attribution investigation did not need network access to the client’s environment. We used our access to external telemetry and proprietary datasets to support the engagement.
We based our investigation on the following data points. The perpetrator included a screenshot of a PowerShell script with credentials. He had used these credentials to access the network, peruse the corporate SharePoint, check email, and open the trouble ticket. The account was a widely shared account. From the anonymized email address, the actor sent taunting emails to a senior executive. The Client provided Nisos analysts with source IP addresses for the taunting emails.
While Nisos maintained remote internal network access as part of ongoing support to threat hunting and threat intelligence operations, we used OSINT analytic expertise to surface additional email addresses, phone numbers, and social media handles used by the actor.
Leveraging internal datasets and multiple corroboration points, Nisos analysts conclusively identified the perpetrator as an IT analyst working for a foreign engineering firm.
Additional open source research indicated the actor had previously written PowerShell scripts to partially automate processes, in addition to conducting preventative and audit checks with the aid of his custom scripts. These scripts were similar to those he used in his unauthorized access of the Client environment.
During our investigation, the Client revealed additional information. The threat actor had mentioned the name of a former Client employee in his support ticket to the senior executive but did not elaborate on the nature of their relationship. Research on social media showed first-degree connections between the actor and the former Client employee. Further, our netflow analysis matched the originating IP address with the actor’s known place of work, the foreign engineering firm where the former Client employee also worked.
We were ultimately able to show that the former Client employee had a management position in the foreign engineering firm for which the attacker now worked. The screenshots left by the actor to prove access also contained browser bookmarks confirming a link between the attacker and the former employee.
Within eight hours of the incident, the Client was able to use the information we provided to remediate the malicious activity and prevent the threat actor from accessing the network in the future. Further, with strong, conclusive attribution of the threat actor, the Client understood his likely motivations and profile, allowing them to characterize the threat and prepare for potential future attacks. Since the actor was not able to take further malicious steps or monetize their access, our Client saved significant time and money while neutralizing the potentially high reputational risk such a provocative threat actor posed.
Nisos is the Managed Intelligence company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset, delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.