Case Study - National Power Company
This customer is a state-owned national power company which is responsible for operating a national integrated power system and employs 9000 people.
The company also oversees electricity transmission from generating plants to distribution networks via trunk power grids. Their network includes 8 regional power plants covering the entire country.
The company experienced an outage at one of the state capital’s power stations which resulted in the loss of 20 per cent of the city’s power.
Following the outage, the company asked GuardYoo to undertake a Compromise Assessment of its IT infrastructure to identify any previously undetected cyber attacks, track all infected devices and systems, and establish the source of the breach.
As part of the GuardYoo Compromise Assessment audit, all Windows Log Data was analysed and a Full Asset Discovery was undertaken.
This approach allows for a multi-layer analysis that can identify both active and dormant Cyber Threats. GuardYoo’s aim with this forensic investigation was to detect any evidence of a targeted cyber-attack.
The customer provided GuardYoo with all available Windows Log Data, which was uploaded to a private AWS instance protected by encryption and two-factor authentication.
GuardYoo's proprietary algorithms prepared the data for analysis and then passed it to the GuardYoo analytics engine. Throughout the audit process, the company had full visibility of proceedings via its secured private account, allowing it to monitor each phase and the validation process.
Once the machine learning and data analysis process was completed and initial findings were made available, expert security data analysts validated the results and added any additional relevant context.
GuardYoo discovered security violations and indicators that suggested another cyber-attack was imminent.
The level of risk associated with these security violations and related IOCs, and the likelihood of attackers exploiting them, was assessed. The findings included:
Unauthorised use of PSEXEC on critically important servers
Evidence of activity from malicious software on the network
Instances of the Mimikatz credential-interception tool were identified
Evidence that the SCADA system was compromised
Compromised authentication data was identified
Malware which was dormant on the network for more than 9 months
Open administrative sessions between multiple servers were identified
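Three of the findings above (PsExec use on servers, a credential-dumping tool, and administrative sessions left open) are exactly the kind of thing that can be pulled out of exported Windows event logs with simple rules. The following is an added example, not GuardYoo's code or the customer's data: it runs over a handful of constructed event records in an assumed tab-separated export layout and flags PsExec service installs (System event 7045 for the PSEXESVC service), process creations whose command line carries Mimikatz-style markers (Security event 4688), and privileged interactive logons (4624 with 4672) that never received a matching logoff (4634/4647).

```python
"""Triage exported Windows event records for three of the case-study findings:
PsExec service installs, credential-dumping tools, and admin sessions never logged off.

The record layout (timestamp, channel, event id, host, key=value fields) is an
assumption for this example; the events themselves are constructed sample data.
"""

# Constructed sample export: one event per line, fields separated by tabs.
SAMPLE_EVENTS = """\
2019-03-01T02:11:05\tSystem\t7045\tSRV-SCADA-01\tServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe
2019-03-01T02:11:07\tSecurity\t4624\tSRV-SCADA-01\tLogonType=3;TargetUserName=svc_backup;TargetLogonId=0x3e7a1
2019-03-01T02:12:40\tSecurity\t4688\tSRV-SCADA-01\tNewProcessName=C:\\Windows\\Temp\\mk.exe;CommandLine=mk.exe privilege::debug sekurlsa::logonpasswords
2019-03-01T02:30:00\tSecurity\t4624\tSRV-DC-01\tLogonType=10;TargetUserName=admin.ops;TargetLogonId=0x5b2c0
2019-03-01T02:31:00\tSecurity\t4672\tSRV-DC-01\tSubjectUserName=admin.ops;SubjectLogonId=0x5b2c0
2019-03-01T09:00:00\tSecurity\t4624\tSRV-FILE-02\tLogonType=10;TargetUserName=admin.ops;TargetLogonId=0x71f90
2019-03-01T09:00:01\tSecurity\t4672\tSRV-FILE-02\tSubjectUserName=admin.ops;SubjectLogonId=0x71f90
2019-03-01T09:45:00\tSecurity\t4634\tSRV-FILE-02\tTargetUserName=admin.ops;TargetLogonId=0x71f90
"""

PSEXEC_SERVICE = "psexesvc"
# Substrings typical of Mimikatz invocations; a real rule set would be broader.
CREDENTIAL_TOOL_MARKERS = ("mimikatz", "sekurlsa::", "lsadump::")
INTERACTIVE_LOGON_TYPES = {"2", "10"}  # Interactive console and RemoteInteractive (RDP)


def parse_events(text):
    """Turn the tab-separated export into a list of flat dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, channel, event_id, host, raw_fields = line.split("\t", 4)
        fields = dict(kv.split("=", 1) for kv in raw_fields.split(";"))
        events.append({"ts": ts, "channel": channel, "id": int(event_id), "host": host, **fields})
    return events


def find_psexec_installs(events):
    """System 7045: a service named or pointing at PSEXESVC was installed."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        haystack = (e.get("ServiceName", "") + " " + e.get("ImagePath", "")).lower()
        if PSEXEC_SERVICE in haystack:
            hits.append(e)
    return hits


def find_credential_tools(events):
    """Security 4688: process creation whose command line looks like a credential dumper."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        cmd = (e.get("CommandLine", "") + " " + e.get("NewProcessName", "")).lower()
        if any(marker in cmd for marker in CREDENTIAL_TOOL_MARKERS):
            hits.append(e)
    return hits


def find_open_admin_sessions(events):
    """Interactive logons (4624) granted special privileges (4672, same logon id)
    that never see a logoff (4634/4647) within the exported window."""
    logons, privileged, logged_off = {}, set(), set()
    for e in events:
        key = (e["host"], e.get("TargetLogonId") or e.get("SubjectLogonId"))
        if e["id"] == 4624 and e.get("LogonType") in INTERACTIVE_LOGON_TYPES:
            logons[key] = e
        elif e["id"] == 4672:
            privileged.add(key)
        elif e["id"] in (4634, 4647):
            logged_off.add(key)
    return [logons[k] for k in logons if k in privileged and k not in logged_off]


def triage(text):
    """Summarise all three checks as (host, detail) tuples per finding."""
    events = parse_events(text)
    return {
        "psexec_installs": [(e["host"], e["ServiceName"]) for e in find_psexec_installs(events)],
        "credential_tools": [(e["host"], e["NewProcessName"]) for e in find_credential_tools(events)],
        "open_admin_sessions": [(e["host"], e["TargetUserName"]) for e in find_open_admin_sessions(events)],
    }


if __name__ == "__main__":
    for finding, rows in triage(SAMPLE_EVENTS).items():
        print(finding, rows)
```

On the constructed sample this reports the PsExec install and the credential-dumper launch on SRV-SCADA-01 and the still-open administrator session on SRV-DC-01, while the SRV-FILE-02 session, which was logged off, is not flagged. The rules are deliberately narrow: renamed PsExec services, an export that begins after a logon, or event ids the export does not include will all need additional handling in a real assessment.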
“The forensic investigation was executed very professionally and effectively. We were impressed with the GuardYoo technology and the level of the team’s expertise and professionalism.” CISO, National Power Company
Compromise Assessment Results
Enough critical information was gathered to indicate the company’s infrastructure was compromised and parts of their network were controlled by external attackers. This suggested the previous power cut was the result of a targeted cyber-attack.
The information gathered during the audit highlighted how the attackers gained access to the network and the subsequent steps they took to increase their access privileges across the infrastructure.
GuardYoo’s AI algorithms identified numerous Compromised User Accounts and passwords. These compromised accounts allowed criminals to perform malicious activity across the network.
The forensic analysis undertaken by GuardYoo highlighted the lateral movement of the attackers across the network, which allowed the Network Team to isolate any compromised assets. The team was then also able to identify and remove further threats such as sleeper agents.
GuardYoo’s Compromise Assessment audit resulted in the fast and accurate detection of a targeted cyber-attack.
The analysis of Windows Log Data and the identified Indicators of Compromise, together with a Full Asset Discovery, delivered detailed evidence of intrusion and malicious activity within the network, which led to the power cut at the state capital power station.
The GuardYoo Compromise assessment audit led to a critically important update and review of the company’s cyber-security strategy.
Detailed recommendations were provided allowing the company to improve its long-term cyber security strategy.