Recently, IT Partners was referred to a client after a significant cyber-attack. This case study examines the cyber-attack that occurred in April 2024, targeting a medium-sized business located in the Waikato. The company, which we'll refer to as "Actor A", operates in a highly competitive sector with an annual revenue of approximately $35 million and 55 full-time employees across multiple locations. The incident highlights the growing threat of cyber-attacks on businesses of all sizes and the critical importance of robust cybersecurity measures and incident response planning.
BACKGROUND
“Actor A”, like many businesses, relied on various third-party software providers to support its operations. One such provider was a systems supplier (referred to as “Supplier A”), which had access to “Actor A” systems via a Virtual Private Network (VPN).
THE INCIDENT
In early April 2024, an unknown malicious entity exploited a vulnerability in the “Supplier A” network. This breach allowed the attackers to traverse the “Supplier A” network and gain unauthorised access to “Actor A’s” systems through the VPN. The attackers targeted an “Actor A” workstation that had been left powered on overnight.
Using compromised credentials for the “Supplier A” support account, the attackers logged into the workstation via Remote Desktop Protocol (RDP). They then installed a remote-management tool called Mesh Agent, which was used to exfiltrate sensitive data from the “Actor A” network to an unknown location.
INITIAL DETECTION AND RESPONSE
The first indication of a problem came a few days later, when “Supplier A” emailed “Actor A” alerting them to potential unauthorised software installations. This initial communication did not fully convey the severity of the situation, as it focused on print server issues and mentioned IP addresses that were later found to be unrelated to the breach.
The true extent of the breach became apparent five days later when “Supplier A” contacted “Actor A” again, this time with evidence that sensitive “Actor A” data had been compromised. The attackers had sent “Supplier A” screenshots containing “Actor A’s” financial data and images of their sensitive client data, proving they had accessed highly sensitive information.
IMPACT AND SCOPE
The breach had significant implications for "Actor A" and its stakeholders:
- Data Compromise: Sensitive information belonging to employees, the company, and customers was exfiltrated, potentially exposing individuals to identity theft and the company to reputational damage.
- Regulatory Compliance: The incident was deemed notifiable under New Zealand's privacy laws, requiring "Actor A" to report the breach to the Privacy Commissioner.
- Business Disruption: While day-to-day operations were not significantly affected, the company faced substantial challenges in managing the aftermath of the breach.
- Financial Impact: The total cost of the incident exceeded $800,000, covering various aspects of the response and remediation efforts.
RESPONSE AND REMEDIATION
"Actor A", with the assistance of several external IT providers and other partners, took several immediate steps to contain and address the breach:
- Isolation and Containment: The affected workstation was isolated, and all "Supplier A" user accounts were disabled. Network connectivity to "Supplier A" was blocked at the firewall level.
- Removal of Malicious Software: The Mesh Agent software was deactivated, and the compromised machine's hard drive was replaced and quarantined for further analysis.
- Stakeholder Communication: "Actor A" engaged in extensive communication with affected parties, including employees and customers whose data was compromised.
- Regulatory Compliance: A notification submission was lodged with the Privacy Commissioner as the law requires.
- Insurance Claim: "Actor A's" cyber insurance policy was activated to cover the costs associated with the breach response.
KEY CHALLENGES
The incident presented several significant challenges for "Actor A":
- Third-Party Risk Management: The breach originated through a trusted third-party provider, highlighting the importance of vetting and monitoring the security practices of all vendors with access to the company's network, and of understanding third-party risk and liability.
- Detection and Response Time: The delay between the initial breach and its complete discovery allowed the attackers ample time to exfiltrate sensitive data.
- Complex Investigation: The involvement of multiple parties complicated the investigation process, requiring careful coordination and information sharing.
- Stakeholder Management: Senior management faced significant stress dealing with ransom demands and explaining the breach to affected customers.
- Reputational Damage: The public nature of the breach, including media coverage triggered by "Supplier A’s" press release, threatened "Actor A’s" reputation and customer trust.
- Regulatory Compliance: Ensuring compliance with New Zealand's and Australia's privacy laws added another layer of complexity to the response efforts.
LESSONS LEARNED AND RECOMMENDATIONS
This incident offers several valuable lessons for organisations of all sizes.
- Cybersecurity Insurance: Comprehensive cyber insurance coverage proved crucial in managing the financial impact of the breach. Organisations should regularly review and update their policies to ensure adequate coverage.
- Risk Assessment and Penetration Testing: Regular risk assessments and penetration testing can help identify vulnerabilities before attackers exploit them. With such testing, “Actor A” might have detected and addressed the weaknesses in its network configuration that allowed the breach to occur.
- Third-Party Risk Management: Organisations must implement robust processes for vetting, monitoring, and managing the security practices of their third-party vendors. This includes regular security assessments, contractual security requirements, and limited network access.
- Incident Response Planning: A well-defined and regularly tested Major Incident Plan is essential for coordinating internal communications and effectively managing the response effort. This plan should include clear roles and responsibilities, communication protocols, and procedures for engaging with external parties such as law enforcement and regulators.
- Network Segmentation and Access Control: Implementing robust network segmentation and strict access controls can limit the potential damage of a breach by containing lateral movement within the network.
- 24/7 Monitoring and Alerting: Continuous monitoring of network activity and implementing advanced threat detection systems can help identify and respond to suspicious activities more quickly.
- Employee Training and Awareness: Regular cybersecurity training for all employees, including awareness of social engineering tactics and proper handling of sensitive information, is crucial in preventing and detecting potential breaches.
- Secure Remote Access Protocols: Since attackers exploited a remote access connection, organisations should implement robust authentication methods (such as multi-factor authentication) and regularly audit remote access logs for anomalies.
- Data Minimisation and Encryption: Implementing data minimisation practices and encrypting sensitive data at rest and in transit can reduce the impact of potential data breaches.
- Regular Security Audits: Conducting regular, comprehensive security audits of all systems, including those managed by third-party providers, can help identify and address potential vulnerabilities before they are exploited.
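The recommendations on 24/7 monitoring and on auditing remote access logs for anomalies can be made concrete with a small review script. The following is an added example, not code from the case study or from IT Partners: it walks Windows event records and flags the pattern seen in this incident, a vendor support account logging in over RDP outside an approved window and then installing a service. The account name, the maintenance window, the host names and the log records are all constructed assumptions; the event IDs (4624 with logon type 10 for an RDP logon, 7045 for a newly installed service) are standard Windows event IDs.

```python
"""Review remote-access events for vendor-account anomalies (added example)."""
from datetime import datetime, time, timedelta

# Assumption: vendor support accounts that hold VPN/RDP access into the network.
VENDOR_ACCOUNTS = {"svc_supplierA_support"}
# Assumption: the approved vendor maintenance window, local time.
WINDOW_START, WINDOW_END = time(8, 0), time(18, 0)
# Windows event IDs: 4624 = successful logon (Security log),
# logon type 10 = RemoteInteractive (RDP); 7045 = new service installed (System log).
RDP_LOGON_ID, SERVICE_INSTALLED_ID = 4624, 7045
REMOTE_INTERACTIVE = 10
# A service install this soon after a vendor RDP logon on the same host is escalated.
FOLLOW_UP = timedelta(minutes=30)

# Constructed sample records (not real logs); Security and System events are merged
# into one normalised list as a SIEM or log collector would present them.
SAMPLE_EVENTS = [
    {"time": "2024-04-02T14:05:00", "event_id": 4624, "logon_type": 10,
     "account": "svc_supplierA_support", "host": "WS-ACCOUNTS-01", "source_ip": "10.20.0.5"},
    {"time": "2024-04-03T02:17:00", "event_id": 4624, "logon_type": 10,
     "account": "svc_supplierA_support", "host": "WS-ACCOUNTS-01", "source_ip": "10.20.0.5"},
    {"time": "2024-04-03T02:21:00", "event_id": 7045,
     "account": "svc_supplierA_support", "host": "WS-ACCOUNTS-01", "service_name": "Mesh Agent"},
    {"time": "2024-04-03T09:30:00", "event_id": 4624, "logon_type": 2,
     "account": "jsmith", "host": "WS-ACCOUNTS-01", "source_ip": "-"},
]


def outside_window(when: datetime) -> bool:
    """True when a timestamp falls outside the approved maintenance window."""
    t = when.time()
    return not (WINDOW_START <= t < WINDOW_END)


def review_remote_access(events, vendor_accounts=VENDOR_ACCOUNTS):
    """Return a list of findings for vendor-account activity worth an analyst's look.

    Rules applied:
      * vendor_rdp_outside_window: RDP logon by a vendor account outside the window.
      * vendor_installed_service: any service installed by a vendor account; escalated
        to high severity when it follows a vendor RDP logon on the same host within
        FOLLOW_UP, which is the sequence that preceded the exfiltration in the case study.
    """
    findings = []
    last_vendor_rdp = {}  # (account, host) -> time of most recent vendor RDP logon
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort as text
        acct = ev["account"]
        if acct not in vendor_accounts:
            continue  # this example only reviews third-party accounts
        when = datetime.fromisoformat(ev["time"])
        host = ev["host"]
        if ev["event_id"] == RDP_LOGON_ID and ev.get("logon_type") == REMOTE_INTERACTIVE:
            last_vendor_rdp[(acct, host)] = when
            if outside_window(when):
                findings.append({
                    "severity": "medium", "rule": "vendor_rdp_outside_window",
                    "account": acct, "host": host, "time": ev["time"],
                    "detail": f"RDP logon from {ev.get('source_ip', '?')}",
                })
        elif ev["event_id"] == SERVICE_INSTALLED_ID:
            prior = last_vendor_rdp.get((acct, host))
            severity = "high" if prior and when - prior <= FOLLOW_UP else "medium"
            findings.append({
                "severity": severity, "rule": "vendor_installed_service",
                "account": acct, "host": host, "time": ev["time"],
                "detail": f"service {ev.get('service_name', '?')!r} installed",
            })
    return findings


if __name__ == "__main__":
    for f in review_remote_access(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['host']} {f['account']}: "
              f"{f['rule']} ({f['detail']})")
```

Run against the constructed records, the in-hours logon on 2 April produces no finding, the 02:17 logon is flagged as out-of-window, and the service install four minutes later on the same host is escalated to high severity. The value of such a review lies in running it continuously against collected logs rather than after a supplier phones in; the same rules translate directly into a SIEM correlation search.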
CONCLUSION
The cyber-attack on “Actor A” is a stark reminder of the evolving threat landscape facing businesses today. It highlights the critical importance of a multi-layered approach to cybersecurity that encompasses technical controls, robust policies, employee training, and incident response planning. The incident also underscores the potential risks associated with third-party vendors and the need for comprehensive vendor risk management practices.
By learning from this case study and implementing the recommended measures, organisations can strengthen their cybersecurity posture and better protect themselves against similar attacks. As cyber threats evolve, ongoing vigilance, adaptation, and investment in cybersecurity will remain essential for businesses of all sizes.