National Power Company Conducts Forensic Investigation with GuardYoo
The customer is a state-owned national power company responsible for the operational and technological control of the Integrated Power System and for electricity transmission via trunk power grids from generating plants to the distribution networks of the regional electricity suppliers. Its network includes eight regional power systems, covers the entire territory of the country, and employs over 9000 people.
The customer experienced a black-out at one of the major power substations in the capital city, amounting to a loss of about one-fifth of the city's power consumption. As part of the investigation, it was decided to conduct a compromise assessment of the IT infrastructure to detect a potential cyberattack, trace all infected computers and systems, and establish the source of the breach.
GuardYoo was used as a solution that takes a holistic approach to cybersecurity compromise assessment: it analyzes all available logs and enriches the extracted retrospective events with situational content, asset inventory information, and configuration data, enabling a deep multilayer analysis that reveals even the most hidden details of past, active, and dormant cyber threats.
Additional managed security services provided by the GuardYoo team of experts enabled an effective, professional forensic investigation that detected evidence of a targeted cyber-attack.
The customer provided application, security, and system log files from endpoints and servers, together with all files from the TEMP and TMP folders. The received data was uploaded to the GuardYoo cloud, where GuardYoo's normalization algorithms prepared the data for analysis in the GuardYoo
During the analysis, the customer was able to track the data quality and validation process.
After the data analysis phase was complete and raw findings became available, security data analysts manually validated the findings, enriched them with context, and reconstructed the entire cyber-attack vector.
GuardYoo investigators discovered violations and indicators of compromise and simulated potential attack scenarios based on the discovered facts. The risk level of each potential violation was established from a set of parameters: its effect on the organization's infrastructure and the likelihood of the violation being used by attackers.
Abnormal use of PsExec on critically important servers
Use of the xp_cmdshell extended stored procedure for malicious activity
Use of the Mimikatz credential-theft tool
Evidence of SCADA compromise
Malicious scripts prepared specifically for asset discovery and capture
Compromised authentication data
Malware dormant for 9+ months
Open administrative sessions between multiple servers
Clear and overwhelming evidence demonstrated that the company's infrastructure had been compromised and was controlled by adversaries. The power cut was therefore the result of a targeted cyber-attack.
The evidence showed how the intruders obtained access to the infrastructure and which subsequent steps they took to escalate their privileges and seize control.
GuardYoo's processing algorithms identified compromised user passwords in the clear text of logs and script outputs. The use of compromised administrative accounts allowed the criminals to stealthily perform malicious activities inside the infrastructure.
Because the domain controller was compromised, it was highly probable that the Kerberos service account had been compromised as well, allowing attackers to interact with the Microsoft infrastructure with maximum access on behalf of arbitrary accounts (unaffected by password changes).
Analysis of application and user activity in terms of internal peer interactions revealed the adversaries' lateral movement, which helped to further localize compromised assets and eradicate internal threats (sleeper agents).
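The findings listed above (PsExec service installs, xp_cmdshell use, Mimikatz, long-dormant services) and the clear-text credentials found in script output are all things a log analyst can surface with simple rules over normalized events. The following Python is an added illustration written for this page; it is not GuardYoo's code, and the event format, hostnames, timestamps, patterns and the outage date used for the dormancy check are all constructed for the example. It flags each indicator with a risk level and redacts any password it finds so the secret never ends up in the report.

```python
import re
from datetime import datetime

# Constructed sample events for this example (not the customer's data). Each line is one
# flattened event with key=value fields; the layout, hosts and values are assumptions.
SAMPLE_LOGS = [
    '2019-03-02T08:15:41 host=DC01 log=System event=7045 service=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe',
    '2019-03-02T08:16:02 host=SQL01 log=Application event=MSSQL msg="Configuration option \'xp_cmdshell\' changed from 0 to 1"',
    '2019-03-02T08:16:10 host=SQL01 log=Application event=MSSQL msg="EXEC master..xp_cmdshell \'whoami\'"',
    '2019-03-02T08:20:33 host=WS17 log=Security event=4688 image=C:\\Users\\Public\\mk.exe cmdline="mk.exe sekurlsa::logonpasswords"',
    '2018-05-20T02:01:00 host=HMI02 log=System event=7045 service=UpdaterSvc path=C:\\ProgramData\\upd\\svc.exe',
    '2019-03-02T08:25:00 host=WS17 log=Script out="net use \\\\DC01\\C$ /user:CORP\\svc_backup P@ssw0rd2019"',
    '2019-03-02T09:00:00 host=WS03 log=Security event=4624 logon_type=10 user=jsmith',
]

INCIDENT_DATE = datetime(2019, 3, 2)  # constructed outage date, used for the dormancy check
DORMANT_DAYS = 270                    # roughly nine months, mirroring the "9+ months" finding

# Indicator rules: name -> (pattern over the raw line, risk level). Patterns are illustrative.
RULES = {
    "psexec_service_install": (re.compile(r"event=7045 .*service=PSEXESVC", re.I), "high"),
    "xp_cmdshell_enabled":    (re.compile(r"xp_cmdshell' changed from 0 to 1", re.I), "high"),
    "xp_cmdshell_exec":       (re.compile(r"xp_cmdshell\s+'", re.I), "high"),
    "mimikatz_cmdline":       (re.compile(r"sekurlsa::|mimikatz", re.I), "critical"),
}
RISK_ORDER = {"medium": 1, "high": 2, "critical": 3}

# Clear-text credentials left in script output: "net use ... /user:DOMAIN\name <password>" or "password=<x>".
CRED_RE = re.compile(r'(/user:\S+\s+)([^\s"]+)|(password\s*[=:]\s*)([^\s"]+)', re.I)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse(line):
    """Split one flattened event line into (timestamp, field dict)."""
    ts, _, rest = line.partition(" ")
    fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
              for m in FIELD_RE.finditer(rest)}
    return datetime.fromisoformat(ts), fields


def scan(lines):
    """Run the indicator rules, the credential check and the dormancy check over every line."""
    findings = []
    for line in lines:
        ts, f = parse(line)
        host = f.get("host", "?")
        for name, (rx, risk) in RULES.items():
            if rx.search(line):
                findings.append({"rule": name, "host": host, "risk": risk, "ts": ts, "detail": line})
        if CRED_RE.search(line):
            # Report the exposure, but never carry the secret itself into the report.
            redacted = CRED_RE.sub(lambda m: (m.group(1) or m.group(3)) + "<REDACTED>", line)
            findings.append({"rule": "cleartext_credential", "host": host, "risk": "critical",
                             "ts": ts, "detail": redacted})
        # A service installed long before the outage and still present is a dormancy candidate.
        if f.get("event") == "7045" and (INCIDENT_DATE - ts).days >= DORMANT_DAYS:
            findings.append({"rule": "dormant_service_install", "host": host, "risk": "medium",
                             "ts": ts, "detail": f.get("service")})
    return findings


def risk_by_host(findings):
    """Highest risk level observed per host, for prioritising containment."""
    worst = {}
    for fnd in findings:
        cur = worst.get(fnd["host"])
        if cur is None or RISK_ORDER[fnd["risk"]] > RISK_ORDER[cur]:
            worst[fnd["host"]] = fnd["risk"]
    return worst


if __name__ == "__main__":
    for fnd in scan(SAMPLE_LOGS):
        print(f"{fnd['ts']:%Y-%m-%d %H:%M} {fnd['host']:6} {fnd['risk']:8} {fnd['rule']}: {fnd['detail']}")
    print(risk_by_host(scan(SAMPLE_LOGS)))
```

The rules are deliberately narrow string matches; in a real engagement they would be tuned against the environment's baseline (PsExec may be legitimate on some hosts) and the dormancy window would be set from the earliest confirmed attacker activity rather than a fixed constant.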
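Reconstructing lateral movement from "peer interactions" and spotting the open administrative sessions mentioned in the findings both come down to correlating Windows logon (4624) and logoff (4634/4647) events. The Python below is an added example for this page, not GuardYoo's method; the hosts, accounts, logon IDs and times are invented. It walks successful logons forward in time from a host known to be compromised, so a host counts as reached only via a logon that happened after its source was itself reached, and it lists remote-interactive sessions that were never closed.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed logon/logoff events (not the customer's data). Each tuple is
# (timestamp, event_id, source_host, target_host, account, logon_type, logon_id).
# Logoff events carry no source host. All names and times are invented for the example.
EVENTS = [
    ("2019-03-01T22:10:00", 4624, "WS17",  "FS01",  "CORP\\svc_backup", 3,  "0x1a2"),
    ("2019-03-01T22:12:00", 4624, "WS17",  "DC01",  "CORP\\svc_backup", 10, "0x1b0"),
    ("2019-03-01T22:40:00", 4624, "DC01",  "SQL01", "CORP\\svc_backup", 3,  "0x2c4"),
    ("2019-03-01T22:41:00", 4634, None,    "FS01",  "CORP\\svc_backup", 3,  "0x1a2"),
    ("2019-03-01T23:05:00", 4624, "SQL01", "HMI02", "CORP\\adm_scada",  10, "0x3d8"),
    ("2019-03-01T09:00:00", 4624, "WS03",  "FS01",  "CORP\\jsmith",     3,  "0x0f1"),  # before the compromise
    ("2019-03-01T09:30:00", 4634, None,    "FS01",  "CORP\\jsmith",     3,  "0x0f1"),
    ("2019-03-01T23:10:00", 4624, "WS22",  "FS01",  "CORP\\mlee",       3,  "0x4e0"),  # unrelated user, not reached
]
KEYS = ("ts", "event_id", "src", "dst", "account", "logon_type", "logon_id")


def parse_events(events):
    """Turn the raw tuples into dicts with real datetime timestamps."""
    parsed = []
    for row in events:
        e = dict(zip(KEYS, row))
        e["ts"] = datetime.fromisoformat(e["ts"])
        parsed.append(e)
    return parsed


def lateral_movement(events, start_host, since):
    """Time-ordered breadth-first walk over successful logons.

    A host is reached at the time of the first logon into it that originated from an
    already-reached host and happened no earlier than that host's own reach time.
    Returns {host: {"at": datetime, "via": source_host, "account": account}}.
    """
    edges = defaultdict(list)
    for e in parse_events(events):
        if e["event_id"] == 4624 and e["src"]:
            edges[e["src"]].append(e)
    reached = {start_host: {"at": since, "via": None, "account": None}}
    queue = deque([start_host])
    while queue:
        host = queue.popleft()
        for e in sorted(edges[host], key=lambda e: e["ts"]):
            if e["ts"] >= reached[host]["at"] and e["dst"] not in reached:
                reached[e["dst"]] = {"at": e["ts"], "via": host, "account": e["account"]}
                queue.append(e["dst"])
    return reached


def open_sessions(events):
    """Logons (4624) with no matching logoff (4634/4647) for the same host and logon ID."""
    opened, closed = {}, set()
    for e in parse_events(events):
        key = (e["dst"], e["logon_id"])
        if e["event_id"] == 4624:
            opened[key] = e
        elif e["event_id"] in (4634, 4647):
            closed.add(key)
    return [e for key, e in opened.items() if key not in closed]


def open_admin_sessions(events):
    """Open remote-interactive (type 10) sessions: the 'open administrative sessions' finding."""
    return sorted((e["dst"], e["account"]) for e in open_sessions(events) if e["logon_type"] == 10)


if __name__ == "__main__":
    # WS17 is the host where credential theft was observed; walk forward from that moment.
    path = lateral_movement(EVENTS, "WS17", datetime(2019, 3, 1, 22, 0))
    for host, info in sorted(path.items(), key=lambda kv: kv[1]["at"]):
        print(f"{info['at']:%H:%M} {host:6} via {info['via'] or '-':6} as {info['account'] or '-'}")
    print("open admin sessions:", open_admin_sessions(EVENTS))
```

Walking forward in time from the first confirmed foothold keeps ordinary pre-incident activity (jsmith's morning logon) and unrelated users out of the containment list, while every host the attacker's accounts stepped to afterwards is captured along with the account used, which is what an analyst needs to decide which assets to isolate and which credentials to reset.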
“The forensic investigation was executed very professionally and effectively. We were impressed with the GuardYoo technology and the level of the team’s expertise and professionalism.”
CISO, National Power Company
Conducting the compromise assessment and forensic investigation using GuardYoo resulted in fast and accurate detection of evidence of a targeted cyber-attack.
Analysis of all available logs, enriched with extracted artifacts, situational content, asset inventory information, and configuration data, enabled a deep multilayer analysis that revealed the mechanisms of intrusion, infrastructure exploration, and malicious activity that led to the power cut at one power substation.
The compromise assessment report, based on GuardYoo's analysis outputs, enabled a critically important review and update of the company's cybersecurity strategy and tactics.
Detailed recommendations were provided for a further full-scale investigation, quick remediation steps, and long-term strategic measures for securing the infrastructure.