
Case Study - National Power Company

Organisation

This customer is a state-owned national power company which is responsible for operating a national integrated power system and employs 9000 people.

The company also oversees electricity transmission from generating plants to distribution networks via trunk power grids. Their network includes 8 regional power plants covering the entire country.

Challenge

The company experienced an outage at one of the state capital’s power stations which resulted in the loss of 20 per cent of the city’s power.

Following the outage, the company asked GuardYoo to undertake a Compromise Assessment of its IT infrastructure to identify any previously undetected cyber attacks, track all infected devices and systems, and establish the source of the breach.

Approach

As part of the GuardYoo Compromise Assessment audit, all Windows Log Data was analysed and a Full Asset Discovery was undertaken.

This approach allows for a multi-layer analysis that can identify both active and dormant Cyber Threats. GuardYoo’s aim with this forensic investigation was to detect any evidence of a targeted cyber-attack.


Process

The customer provided GuardYoo with all available Windows Log Data which was uploaded to a private instance within AWS (which boasts high levels of encryption and two-factor authentication).

GuardYoo's proprietary algorithms prepared the data for analysis and then passed it to the GuardYoo analytics engine. Throughout the audit process, the company had full visibility of proceedings via its secured private account, allowing it to monitor each phase and the validation process.

Once the machine learning and data analysis process was completed and initial findings were made available, expert security data analysts validated the results and added any additional relevant context.

GuardYoo discovered malicious Security Violations and indicators that suggested another cyber-attack was imminent.

The level of risk associated with these security violations and related IOCs, and the likelihood of their being exploited by attackers, was assessed.

Key Findings

- Unauthorised use of PSEXEC on critically important servers
- Evidence of activity from malicious software on the network
- Instances of the Mimikatz credential interception tool were identified
- Evidence that the SCADA system was compromised
- Compromised authentication data was identified
- Malware which had been dormant on the network for more than 9 months
- Open administrative sessions between multiple servers were identified
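Two of the findings above, PsExec use on critical servers and administrative sessions left open between servers, are the kind of thing that can be surfaced directly from Windows event logs. The following is an added illustrative example, not GuardYoo's code or method, and it runs over constructed sample event records rather than real telemetry. It assumes events have already been parsed into dictionaries, that remote execution via PsExec registers the documented PSEXESVC service (System log Event ID 7045), that logons are Security Event ID 4624 with logoffs as 4634, and an assumed naming convention under which administrative accounts start with `CORP\admin.`.

```python
"""Illustrative detection over parsed Windows event records (added example).

Constructed sample records model three signals: PsExec use (Event ID 7045
installing the PSEXESVC service), administrative network/RDP sessions that
were never closed (4624 logon with no matching 4634 logoff), and a single
source address reaching many hosts (a lateral-movement indicator).
"""
from collections import defaultdict

# Constructed sample events, already parsed into a simplified form.
SAMPLE_EVENTS = [
    {"host": "srv-dc01", "id": 7045, "service": "PSEXESVC",
     "path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "srv-scada-hist", "id": 7045, "service": "PSEXESVC",
     "path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "srv-file02", "id": 7045, "service": "Spooler",
     "path": r"%SystemRoot%\System32\spoolsv.exe"},   # benign control case
    {"host": "srv-dc01", "id": 4624, "user": "CORP\\admin.ops",
     "logon_id": "0x3e7a1", "logon_type": 3, "src_ip": "10.20.1.15"},
    {"host": "srv-dc01", "id": 4634, "user": "CORP\\admin.ops",
     "logon_id": "0x3e7a1"},                            # session closed
    {"host": "srv-scada-hist", "id": 4624, "user": "CORP\\admin.ops",
     "logon_id": "0x41b77", "logon_type": 10, "src_ip": "10.20.1.15"},
    {"host": "srv-file02", "id": 4624, "user": "CORP\\svc-backup",
     "logon_id": "0x52c03", "logon_type": 3, "src_ip": "10.20.1.15"},
]

# PSEXESVC is the default service name registered by Sysinternals PsExec.
REMOTE_EXEC_SERVICES = {"PSEXESVC"}

# Assumed naming convention for administrative accounts (hypothetical).
ADMIN_ACCOUNT_PREFIXES = ("CORP\\admin.",)


def find_psexec_installs(events):
    """Return (host, service, path) for each 7045 install of a remote-exec service."""
    return [(e["host"], e["service"], e["path"])
            for e in events
            if e["id"] == 7045 and e["service"].upper() in REMOTE_EXEC_SERVICES]


def find_open_admin_sessions(events):
    """Return admin network (type 3) or RDP (type 10) logons with no matching logoff."""
    opened = {}
    closed = set()
    for e in events:
        key = (e["host"], e.get("logon_id"))
        if (e["id"] == 4624 and e["logon_type"] in (3, 10)
                and e["user"].startswith(ADMIN_ACCOUNT_PREFIXES)):
            opened[key] = e
        elif e["id"] == 4634:
            closed.add(key)
    return [(e["host"], e["user"], e["src_ip"])
            for key, e in opened.items() if key not in closed]


def targets_per_source(events):
    """Map each source IP to the sorted set of hosts it logged on to remotely."""
    targets = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] in (3, 10):
            targets[e["src_ip"]].add(e["host"])
    return {ip: sorted(hosts) for ip, hosts in targets.items()}


if __name__ == "__main__":
    for host, svc, path in find_psexec_installs(SAMPLE_EVENTS):
        print(f"PsExec service install: {host} {svc} {path}")
    for host, user, src in find_open_admin_sessions(SAMPLE_EVENTS):
        print(f"Open admin session: {user} on {host} from {src}")
    for src, hosts in targets_per_source(SAMPLE_EVENTS).items():
        print(f"{src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

In a real assessment the same three checks would be run over exported System and Security logs from every server in scope, and the PsExec and open-session hits would then be cross-referenced against change records to separate legitimate administration from attacker activity.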

“The forensic investigation was executed very professionally and effectively. We were impressed with the GuardYoo technology and the level of the team’s expertise and professionalism.” CISO, National Power Company

Compromise Assessment Results

Enough critical information was gathered to indicate the company’s infrastructure was compromised and parts of their network were controlled by external attackers. This suggested the previous power cut was the result of a targeted cyber-attack.

The information gathered during the audit highlighted how the attackers gained access to the network and the subsequent steps they took to increase their access privileges across the infrastructure.

GuardYoo’s AI algorithms identified numerous Compromised User Accounts and passwords. These compromised accounts allowed criminals to perform malicious activity across the network.

The forensic analysis undertaken by GuardYoo highlighted the lateral movement of the attackers across the network and this allowed the Network Team to isolate any compromised assets. The team were then also able to identify and remove further threats such as sleeper agents.


Conclusion

GuardYoo’s Compromise Assessment audit resulted in the fast and accurate detection of a targeted cyber-attack.

The analysis of Windows Log Data and the identified Indicators of Compromise, together with a Full Asset Discovery, delivered detailed evidence of intrusion and malicious activity within the network that led to the power cut at the state capital power station.

The GuardYoo Compromise Assessment audit led to a critically important update and review of the company's cyber-security strategy.

Detailed recommendations were provided allowing the company to improve its long-term cyber security strategy.