National power company
To conduct a forensic investigation following a cyber attack at a critical infrastructure facility in the energy sector that resulted in a partial black-out at one of the capital city's power substations
Large infrastructure with outdated hardware and software
2000+ log files
18,000+ artifacts collected
Total of 30+ Gb of data
Strong evidence that infrastructure was compromised including malicious activities performed on the network
Techniques identified which indicated that a targeted cyber attack took place
GuardYoo recommendations highlighted risks that needed to be addressed in order to remediate the IT infrastructure
This customer is a state-owned national power company responsible for operating the national integrated power system and employing some 9000 people.
The company also oversees electricity transmission from generating plants to distribution networks via trunk power grids. Their network includes 8 regional power plants covering the entire country.
The company experienced an outage at one of the state capital’s power stations which resulted in the loss of 20 percent of the city’s power.
Following the outage, the company engaged GuardYoo to undertake a Compromise Assessment of their IT infrastructure to identify any previously undetected cyber-attacks, track all infected devices / systems and establish the source of the breach.
As part of the GuardYoo Compromise Assessment audit, all Windows Log Data and any Indicators of Compromise were investigated and a Full Asset Discovery was undertaken.
This approach allows for a multi-layer analysis that can identify both active and dormant Cyber Threats. GuardYoo’s aim with this forensic investigation was to detect any evidence of a targeted cyber-attack.
The customer provided GuardYoo with all available Windows Log Data, which was uploaded to a private instance within AWS (protected by encryption and two-factor authentication).
GuardYoo proprietary algorithms prepared the data for analysis and then sent the data to the GuardYoo analytics engine. Throughout the audit process the company had full visibility of proceedings via their secured private account, allowing them to monitor each phase and the validation process.
Once the machine learning and data analysis process was completed and initial findings were made available, expert security data analysts validated the results and added any additional context that was relevant.
GuardYoo discovered security violations and indicators suggesting that another cyber-attack was imminent.
The level of risk associated with these security violations and related IOCs, and the likelihood of attackers exploiting them, was assessed.
Unauthorised use of PsExec on critically important servers
Evidence of activity from malicious software on the network
Instances of Mimikatz credential interception tool were identified
Evidence that the SCADA was compromised
Compromised authentication data was identified
Malware which was dormant on the network for more than 9 months
Open administrative sessions between multiple servers were identified
Enough critical information was gathered to indicate that the company’s infrastructure was compromised and that parts of its network were controlled by external attackers. This suggested the previous power cut was the result of a targeted cyber-attack.
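To show the kind of Windows log correlation behind the PsExec finding above, here is an added example (not GuardYoo's code; the host names, accounts, addresses and event records are constructed) that flags PSEXESVC service installs (System event 7045) on critical servers and ties each one to the network logon (Security event 4624, logon type 3) that preceded it.

```python
from datetime import datetime, timedelta

# Constructed sample events (not customer data): a remote network logon
# followed by the PSEXESVC service being installed on a critical server.
EVENTS = [
    {"host": "SCADA-HIS01", "time": "2019-03-04T02:14:03", "id": 4624,
     "logon_type": 3, "account": "svc-backup", "src_ip": "10.20.5.17"},
    {"host": "SCADA-HIS01", "time": "2019-03-04T02:14:09", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FILE-SRV02", "time": "2019-03-04T02:20:41", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WKS-117", "time": "2019-03-04T09:01:55", "id": 7045,
     "service": "VBoxService", "image": r"C:\Program Files\Oracle\VBoxGuest.exe"},
]

CRITICAL_HOSTS = {"SCADA-HIS01", "FILE-SRV02"}   # assumed output of asset discovery
APPROVED_PSEXEC_ACCOUNTS = {"admin-ops"}         # assumed change-control list
WINDOW = timedelta(seconds=120)                  # logon-to-install correlation window

def _ts(e):
    return datetime.fromisoformat(e["time"])

def find_psexec_installs(events):
    """Return 7045 events whose service name or image path points at PSEXESVC."""
    return [e for e in events if e["id"] == 7045 and
            "PSEXESVC" in (e.get("service", "") + e.get("image", "")).upper()]

def correlate_logon(install, events):
    """Most recent network (type 3) logon on the same host inside WINDOW, or None."""
    cands = [e for e in events if e["id"] == 4624 and e["host"] == install["host"]
             and e.get("logon_type") == 3
             and timedelta(0) <= _ts(install) - _ts(e) <= WINDOW]
    return max(cands, key=_ts) if cands else None

def assess(events):
    """Rate each PsExec install: critical host without an approved account -> unauthorised."""
    findings = []
    for inst in find_psexec_installs(events):
        logon = correlate_logon(inst, events)
        account = logon["account"] if logon else None
        severity = "unauthorised" if (inst["host"] in CRITICAL_HOSTS and
                                    account not in APPROVED_PSEXEC_ACCOUNTS) else "review"
        findings.append({"host": inst["host"], "time": inst["time"], "account": account,
                         "src_ip": logon["src_ip"] if logon else None,
                         "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in assess(EVENTS):
        print(finding)
```

An install with no matching logon (as on FILE-SRV02) is still reported, since a missing or purged Security log is itself worth an analyst's attention.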
The information gathered during the audit highlighted how the attackers gained access to the network and the subsequent steps they took to increase their access privileges across the infrastructure.
GuardYoo’s AI algorithms identified numerous Compromised User Accounts and passwords. These compromised accounts allowed criminals to perform malicious activity across the network.
The forensic analysis undertaken by GuardYoo highlighted the lateral movement of the attackers across the network and this allowed the Network Team to isolate any compromised assets. The team were then also able to identify and remove further threats such as sleeper agents.
GuardYoo’s Compromise Assessment audit resulted in the fast and accurate detection of a targeted cyber-attack.
The analysis of Windows Log Data and identified Indicators of Compromise, together with a Full Asset Discovery, delivered detailed evidence of intrusion and malicious activity within the network that led to the power cut at the state capital power station.
The GuardYoo Compromise Assessment audit led to a critically important review and update of the company’s cyber-security strategy.
Detailed recommendations were provided allowing the company to improve their long-term cyber security strategy.