Facing a state-sponsored attack from China and how to protect your organisation against it
A Dutch medium-sized company in the food industry received a notification from its external Security Operations Centre (SOC) about suspicious activity. Receiving such notifications is a weekly, and sometimes daily, routine. This one, however, looked more serious than the others, and the company decided to engage an incident response team. Nerium was approached and started within one hour.
This story describes the course of an incident response case where we dealt with a state-sponsored group from China actively targeting the company. We take you through the decisions the company had to make and share our perspective on how an organisation can defend itself against motivated attackers.
The severity of the attack quickly became apparent to us, especially once we discovered that the attackers had placed backdoors on more than 10 systems. This gave them the ability to maintain prolonged access to the company's digital environment.
The objective of the attack was unclear in the initial phase of the incident response process. Were the attackers seeking financial gain? Would they encrypt files and systems with ransomware? Or were they after stealing information for political, economic, or military advantages?
The first indication that it wasn't a common ransomware attack was the attackers' careful approach. They deliberately avoided systems with security software that could expose their malicious activities.
The priority for both the company and Nerium was to secure business continuity and prevent data theft. A quick measure would have been to remove the identified backdoors immediately. However, at that early stage of the incident response process there was no clear picture of where all the backdoors were. Removing some of them without being certain that all had been identified risked the attackers retaining access, possibly intensifying their activities or changing strategy.
To Disconnect or Not to Disconnect the Internet Connection?
An effective measure was to disconnect the internet connection for the entire company. This would immobilise the attackers and reduce the risk of them continuing their activities by using the backdoors in the digital environment.
The recommendation to disconnect the internet connection was shared with the Chief Information Security Officer (CISO) of the company. The CISO listened to the advice but was not in favour. His question was: Is it possible to slow down the internet connection to prevent the theft of large files? It was a creative solution. However, attackers could still deploy ransomware with a slowed internet connection.
The CISO found the risk of potential ransomware placement unacceptable, so the decision was made to disconnect the internet connection. The board was informed, and they agreed as long as one condition was met: business operations must continue. Therefore, it was determined that email should remain functional, along with crucial online services of the company. Additionally, remote access to the necessary security software (Endpoint Detection & Response) needed to address the incident must be maintained. The inability for users to browse the internet was not a problem, as it was not a requirement for business operations.
After in-depth investigation, a clearer picture of the attack emerged. We found evidence that the attackers were after stealing information, and later understood that this information was strategically important for China. We did not ourselves investigate whether the attack was carried out on China's orders; that was done by another specialised organisation, which provided that conclusion.
Despite the drastic measure of largely disconnecting the internet, the attackers persisted in attempting to regain access to the company's digital environment. This indicated their strong motivation to maintain access.
Ultimately, the attackers succeeded twice in regaining access. One time, they re-entered through a previously placed backdoor that had not yet been discovered. This backdoor still worked because it was on a system necessary for business operations, and that system had therefore not been disconnected from the internet. The other time, they entered through a backdoor on another system. This happened even though the internet connection was disconnected and the system had been isolated with security tools. For technical readers: the attackers tunneled the malware's communication through DNS, a technique known as DNS tunneling. Neither the security tools (EDR) nor the network firewall blocked this.
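Because DNS traffic is usually allowed through even when a host is otherwise cut off, a defender needs to look at the queries themselves. The script below is an added example, not code from Nerium or from the incident: it applies common DNS-tunneling heuristics (many unique subdomains under one zone, high-entropy labels, a bias towards TXT records) to a constructed DNS query log. The log format, the thresholds and the zone `c2-placeholder.example` are assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<time> <client> <qtype> <qname>", one query per line.
# c2-placeholder.example is an assumed stand-in zone, not an indicator from the incident.
SAMPLE_DNS_LOG = """\
10:00:01 10.1.2.30 A www.example.com
10:00:02 10.1.2.30 A mail.example.com
10:00:02 10.1.2.30 A update.example.com
10:00:03 10.1.2.44 TXT kq7z3x9v2m4n8b1c.c2-placeholder.example
10:00:03 10.1.2.44 TXT p5w2t9y4u7i1o3e6.c2-placeholder.example
10:00:04 10.1.2.44 TXT a8s3d1f6g4h7j2k9.c2-placeholder.example
10:00:04 10.1.2.44 TXT z1x4c7v2b5n8m3q6.c2-placeholder.example
10:00:05 10.1.2.44 TXT r2e5w8q1t4y7u3i9.c2-placeholder.example
10:00:06 10.1.2.30 A www.example.com
"""

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; encoded payload labels score much higher than words."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def detect_dns_tunneling(log_text: str, min_unique: int = 4, min_entropy: float = 3.5) -> dict:
    """Group queries by zone (assumed: last two labels) and flag zones whose subdomains
    look like encoded data. Returns {zone: stats} for flagged zones only."""
    per_zone = defaultdict(lambda: {"queries": 0, "subs": set(), "ent": [], "txt": 0, "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, client, qtype, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry data
        zone, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        s = per_zone[zone]
        s["queries"] += 1
        s["subs"].add(sub)
        s["ent"].append(shannon_entropy(sub.replace(".", "")))
        s["clients"].add(client)
        s["txt"] += qtype == "TXT"
    flagged = {}
    for zone, s in per_zone.items():
        mean_ent = sum(s["ent"]) / len(s["ent"])
        if len(s["subs"]) >= min_unique and mean_ent >= min_entropy:
            flagged[zone] = {"queries": s["queries"], "unique_subdomains": len(s["subs"]),
                             "mean_entropy": round(mean_ent, 2), "txt_queries": s["txt"],
                             "clients": sorted(s["clients"])}
    return flagged

if __name__ == "__main__":
    for zone, stats in detect_dns_tunneling(SAMPLE_DNS_LOG).items():
        print(f"suspected DNS tunneling to {zone}: {stats}")
```

On real resolver logs the thresholds need tuning per environment, and the flagged clients are the hosts to isolate first.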
Regaining access in this way was hard to prevent short of cutting the company off from the internet completely, which would have disrupted business operations. However, because Nerium had put measures in place, the attackers were detected promptly and removed quickly, which prevented further impact on the company.
How Could the Company Have Prevented this Incident?
In our opinion, the company was relatively mature in terms of security and had fundamental hygiene largely in place, including:
- Periodic penetration tests and audits
- System patching
- Endpoint protection
- Network segmentation
- Security awareness training
- Account tiering
Despite these measures, the attackers penetrated deep into the digital environment. This could have been prevented by quicker intervention, such as isolating the system through which the attackers gained entry. However, the organisation had only 135 minutes to do so, because that is precisely how long it took the attackers to reach a second system. According to CrowdStrike, this breach time is 79 minutes on average. After that point, it becomes much harder to intervene without disrupting business operations.
Therefore, swift intervention is essential. The following three elements are needed for this:
- Tools for monitoring and detecting attack activity. An Endpoint Detection and Response (EDR) tool is crucial because it collects the events on a system that relate to attack activity and sends a notification to an analyst when it sees something suspicious. A mature EDR solution can also intervene by isolating a system, cutting attackers off before they get further in.
- Analysts with the right knowledge to assess whether a notification is serious or not. This assessment is still partly human work and, in our opinion, cannot be fully automated with artificial intelligence (AI).
- Processes that ensure timely intervention: agreements on which systems may be isolated 24/7 without asking permission, on where automated intervention is acceptable, and on when the internet connection is severed, for example once attackers break through. These agreements belong in an incident response plan.
Is your organisation ready to intervene quickly? Contact us for more information on how to protect your organisation against motivated attackers.