
National Power Company Completes Forensic Investigation Using GuardYoo’s Compromise Assessment Platform

Customer

National power company

Industry

Energy

Sector

B2B, B2G

Challenge

To conduct a forensic investigation following a cyber attack on a critical infrastructure facility in the energy sector that resulted in a partial black-out at one of the capital city's power substations

Large infrastructure with outdated hardware and software

Scope of Work

2000+ log files

18,000+ artifacts collected

Total of 30+ Gb of data

Results

Strong evidence that the infrastructure was compromised, including malicious activities performed on the network

Techniques identified which indicated that a targeted cyber attack had taken place

GuardYoo recommendations highlighted the risks that needed to be addressed in order to fix the IT infrastructure

Organisation

This customer is a state-owned national power company which is responsible for operating a national integrated power system, employing some 9000 people.

The company also oversees electricity transmission from generating plants to distribution networks via trunk power grids. Their network includes 8 regional power plants covering the entire country.

Challenge

The company experienced an outage at one of the state capital’s power stations which resulted in the loss of 20 percent of the city’s power.

Following the outage, the company engaged GuardYoo to undertake a Compromise Assessment of their IT infrastructure to identify any previously undetected cyber-attacks, track all infected devices / systems and establish the source of the breach.

Approach

As part of the GuardYoo Compromise Assessment audit, all Windows Log Data and any Indicators of Compromise were investigated and a Full Asset Discovery was undertaken.

This approach allows for a multi-layer analysis that can identify both active and dormant cyber threats. GuardYoo’s aim with this forensic investigation was to detect any evidence of a targeted cyber-attack.

Process

The customer provided GuardYoo with all available Windows Log Data, which was uploaded to a private instance within AWS (protected by encryption and two-factor authentication).

GuardYoo’s proprietary algorithms prepared the data for analysis and then sent the data to the GuardYoo analytics engine. Throughout the audit process the company had full visibility of proceedings via their secured private account, allowing them to monitor each phase and the validation process.

Once the machine learning and data analysis process was completed and initial findings were made available, expert security data analysts validated the results and added any additional context that was relevant.

GuardYoo discovered malicious Security Violations and indicators that suggested another cyber-attack was imminent.

The level of risk associated with these security violations and related IOCs, and the likelihood of them being exploited by attackers, was assessed.

Key Findings

Unauthorised use of PsExec on critically important servers

Evidence of activity from malicious software on the network

Instances of the Mimikatz credential interception tool were identified

Evidence that the SCADA system was compromised

Compromised authentication data was identified

Malware which had been dormant on the network for more than 9 months

Open administrative sessions between multiple servers were identified
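Two of the findings above, unauthorised PsExec use and open administrative sessions spanning many servers, leave footprints in ordinary Windows event logs that a defender can hunt for. The script below is an added example, not GuardYoo's code and not the customer's data: it parses constructed Windows event records (JSON lines carrying a simplified subset of System and Security log fields) and flags (a) PsExec service installs, which the System log records as Event ID 7045 for the PSEXESVC service, performed by accounts outside a hypothetical change-control allow-list, and (b) accounts that opened network or remote-interactive logons (Security Event ID 4624, logon types 3 and 10) to an unusual number of servers. Host names, account names, timestamps and the allow-list are all assumptions.

```python
"""Hunt for PsExec service installs and admin-session fan-out in Windows event logs.

Added example (not GuardYoo's code). Input is constructed: JSON lines with a
simplified subset of the fields found in the Windows System and Security logs.
"""
import json
from collections import defaultdict

# Constructed sample records; hosts, accounts, addresses and timestamps are made up.
SAMPLE_LOG = r"""
{"time": "2024-03-01T01:58:12Z", "host": "SRV-DC01", "channel": "System", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe", "account": "CORP\\it-admin"}
{"time": "2024-03-01T02:14:05Z", "host": "SRV-SCADA-HIST", "channel": "System", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe", "account": "CORP\\jdoe"}
{"time": "2024-03-01T02:20:40Z", "host": "SRV-FILE01", "channel": "System", "event_id": 7045, "service_name": "Spooler", "image_path": "%SystemRoot%\\System32\\spoolsv.exe", "account": "NT AUTHORITY\\SYSTEM"}
{"time": "2024-03-01T02:10:01Z", "host": "SRV-DC01", "channel": "Security", "event_id": 4624, "logon_type": 3, "target_user": "CORP\\jdoe", "source_ip": "10.0.5.21"}
{"time": "2024-03-01T02:11:37Z", "host": "SRV-FILE01", "channel": "Security", "event_id": 4624, "logon_type": 3, "target_user": "CORP\\jdoe", "source_ip": "10.0.5.21"}
{"time": "2024-03-01T02:13:59Z", "host": "SRV-SCADA-HIST", "channel": "Security", "event_id": 4624, "logon_type": 3, "target_user": "CORP\\jdoe", "source_ip": "10.0.5.21"}
{"time": "2024-03-01T02:16:22Z", "host": "SRV-APP02", "channel": "Security", "event_id": 4624, "logon_type": 3, "target_user": "CORP\\jdoe", "source_ip": "10.0.5.21"}
{"time": "2024-03-01T01:57:50Z", "host": "SRV-DC01", "channel": "Security", "event_id": 4624, "logon_type": 10, "target_user": "CORP\\it-admin", "source_ip": "10.0.9.5"}
{"time": "2024-03-01T08:02:11Z", "host": "WS-101", "channel": "Security", "event_id": 4624, "logon_type": 2, "target_user": "CORP\\alice", "source_ip": "-"}
"""

# Hypothetical change-control allow-list: accounts permitted to run PsExec on servers.
APPROVED_PSEXEC_ACCOUNTS = {"CORP\\it-admin"}


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_psexec_installs(events, approved=APPROVED_PSEXEC_ACCOUNTS):
    """Return (host, account, time) for PSEXESVC installs by non-approved accounts.

    PsExec registers a temporary service on the target machine, which the System
    log records as Event ID 7045. An install by an account outside the allow-list
    on a server is worth an analyst's attention.
    """
    hits = []
    for e in events:
        if e.get("event_id") != 7045:
            continue
        marker = (e.get("service_name", "") + " " + e.get("image_path", "")).upper()
        if "PSEXESVC" in marker and e.get("account") not in approved:
            hits.append((e["host"], e["account"], e["time"]))
    return sorted(hits, key=lambda h: h[2])


def find_session_fanout(events, threshold=3):
    """Map each account to the sorted hosts it reached via network (type 3) or
    RDP (type 10) logons, keeping only accounts at or above the threshold.

    One account establishing sessions on many servers in a short window is the
    kind of fan-out that characterises lateral movement.
    """
    hosts = defaultdict(set)
    for e in events:
        if e.get("event_id") == 4624 and e.get("logon_type") in (3, 10):
            hosts[e["target_user"]].add(e["host"])
    return {acct: sorted(h) for acct, h in hosts.items() if len(h) >= threshold}


def hunt(text):
    """Run both detections over JSON-lines log text and return a small report."""
    events = parse_events(text)
    return {"psexec": find_psexec_installs(events),
            "fanout": find_session_fanout(events)}


if __name__ == "__main__":
    report = hunt(SAMPLE_LOG)
    for host, account, when in report["psexec"]:
        print(f"[PsExec] {when} {account} installed PSEXESVC on {host}")
    for account, hosts in report["fanout"].items():
        print(f"[Fan-out] {account} reached {len(hosts)} servers: {', '.join(hosts)}")
```

The allow-list is what turns "PsExec was used" into "PsExec was used without authorisation": without a record of who is permitted to run remote-execution tools on which servers, every 7045 PSEXESVC event has to be triaged by hand. The fan-out threshold is deliberately a parameter; in a real estate it should be tuned against a baseline of normal administrative activity so that backup and monitoring service accounts do not drown out the signal.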

Results

Enough critical information was gathered to indicate that the company’s infrastructure was compromised and that parts of their network were controlled by external attackers. This suggested the previous power cut was the result of a targeted cyber-attack.

The information gathered during the audit highlighted how the attackers gained access to the network and the subsequent steps they took to increase their access privileges across the infrastructure.

GuardYoo’s AI algorithms identified numerous Compromised User Accounts and passwords. These compromised accounts allowed criminals to perform malicious activity across the network.

The forensic analysis undertaken by GuardYoo highlighted the lateral movement of the attackers across the network and this allowed the Network Team to isolate any compromised assets. The team were then also able to identify and remove further threats such as sleeper agents.


“The forensic investigation was executed very professionally and effectively. We were impressed with the GuardYoo technology and the level of the team’s expertise and professionalism.”


CISO, National Power Company

Conclusion

GuardYoo’s Compromise Assessment audit resulted in the fast and accurate detection of a targeted cyber-attack.

The analysis of Windows Log Data and identified Indicators of Compromise, together with a Full Asset Discovery, delivered detailed information revealing evidence of intrusion and malicious activity within the network, which led to the power cut at the state capital power station.

The GuardYoo Compromise Assessment audit led to a critically important update and review of the company’s cyber-security strategy.

Detailed recommendations were provided allowing the company to improve their long-term cyber security strategy.