Client Data Breach

As a Managed Service Provider, one of our main focuses is cyber security. Numbers of attacks are on the rise, and they are becoming increasingly sophisticated, the devastation that a temporary or more permanent interruption to business can have is frequently capable of forcing a company to close forever.

So one of the biggest frustrations we have about cyber security is the lack of attention or respect it gets from all companies, but SME’s especially. Many studies have shown that despite the rise in attacks the majority of SME’s do not have a strategy, policy or budget for addressing the risk. ‘Last year, statistics revealed around 60-70% of UK SMEs suffered a cyber-attack, and amongst those, only 11% had cyber cover.’ The cyber security threats SMEs need to be aware of in 2021 – NMU: NMU The main reasons for this are usually that they feel their industry or data would not be of interest to a cyber criminal or they may be too small to be a target, but this misses the point.  A ransomware attack is just like the bully in the playground taking your dinner money. It’s easier to pick on the smaller kids.

Monday morning 8am:

We got a call from one of our clients saying that they were unable to access a couple of their files. Could we take a look?

Using remote access it became immediately clear that the files they were trying to access had been encrypted, and the first alarm bells started ringing.
Our engineers started a thorough deep dive on their system to see how badly it had been compromised and how much could immediately be done to both sanitise and then rectify the situation. At this stage it wasn’t looking promising, and so the Chief Engineer set off to get on site as quickly as possible.

Meanwhile the engineers back at AAG continued their analysis. It was a high-level hack and some sensitive client data had already been extracted. It was crucial to find out the extent of the loss.

The Chief Engineer arrived and immediately started the process of protecting the system, disabling as many terminals and stations as quickly as possible, while forensically searching for clues as to the origin and intent of the breach. He came across a ransomware ‘e note’, left by the hackers in a drive that they knew a service engineer would find.

Around the same time that we were narrowing down the entry point for the hack, the client received a call from a BBC journalist.

‘We understand you’ve been hacked… would you like to make any comment?’

The journalist had retrieved the information on Twitter from a feed from HackNotice, a company friendly website that registers security breaches, designed to alert those who have suffered attacks but also consistently used by hackers to advertise the names of companies and examples of some of the data they have grabbed. Within an hour a call from the police followed.

In the meantime though, a lot of progress had been made. AAG had managed to narrow down the source of the problem to two potential places and had begun monitoring both of them to make sure no fresh activity was allowed.

Not only that, we had also managed to access the entry point the hackers had used, and in doing so had ‘hacked the hackers’. We now had a complete browsing history for the hackers, all of the companies they had been researching, reports and accounts and profiling.  The extent and professionalism of the process was impressive, these guys were good.

How long have they been in? The client asked.

‘Think of them like a burglar, but one who gets inside your house and then hides in your attic. Every time you go out they come down and explore a little bit more, finding out what you have, what’s valuable to you, all your information. When you come home, they go back up into the attic until… eventually… they empty your house.’ We discovered they had been there for a while, about three or four weeks.

Their own browser history gave us the identity of the machine, and also the fact they were Russian (google translate was frequently visited). In fact, everything pointed to it being a renowned international player, the same group responsible for many large, well known, well orchestrated hacks. Among them, a recent attack on an American energy pipeline that caused a loss of 1.2 million barrels of oil a day and was specifically highlighted by President Biden. AAG also gained access to a bitcoin wallet used by the hackers, empty at the time but with records showing that almost a billion dollars had been washed through it.

Hard to understand why a group who had focused on such large targets were also interested in much smaller companies… but scary at the same time.

By this stage National Security Agencies from two countries were involved, as some of the other companies who had been researched were located overseas, liaising with AAG engineers and asking for our help. We advised on the best strategy to secure the clients network and data and prevent the hackers from creating any further damage.

It must be said at this stage that the client did have anti-virus software in place, which did protect the system from an initial attack a few weeks previously. However, the hackers were able to gain access through a remote network, and once they were in they removed the anti-virus software outside of normal service desk hours and walked straight back in ‘through the front door’. This was then picked up as soon as the service desk reopened after the weekend.
As the situation developed, the difficulty of trying to accommodate and navigate the different legal requirements and constraints that the two National Agencies had was becoming more and more of a challenge, while keeping the business of the client safe remained our priority.

Ultimately, AAG insisted that the security violation was closed to protect their client and the two governmental agencies agreed.

Monday late afternoon:

In under 9 hours AAG had managed to identify the breach, address it and secure all remaining data. In a situation where time is quite literally money, this incredibly quick response was critical to the survival of our client.

On top of that we helped two government agencies understand and start to develop strategies to combat this group, [MW6] certainly saving at least six more companies from either having to make ransomware payments or being closed completely.

The client lost no money through having to pay the hackers, and only two days of business. One during the process of sanitising and protecting them from the breach, the other due to the investigation from the National Security Agency.

The client did have certain levels of security in place before the breach, but this whole situation showed the value of having full protection. Penetration testing was undertaken, the two-factor authentication was extended to all devices and local networks (highlighting the increased risks that working from home can bring). They adopted our next generation endpoint protection software which is supported by a 24/7 SOC (Security Operations Centre) that identifies, analyses and remediates any threats as and when they occur on a 24/7 basis. This would almost certainly have flagged the breach much sooner and would have allowed AAG to intervene before any data at all had been stolen. They implemented SIEM (Security Information and Event Management), and all staff were given cyber security training.

‘9 hours’ to resolve a data breach

‘Average length of time to identify a breach 197 days, and to contain a breach 69 days’ with a direct correlation between costs and breach period. Cost of a Data Breach Report 2021 | IBM

Later that same month, there were numerous reports that the hackers company had shut down after losing access to all of its servers.