29 January 2021
Investigation of a cyber attack on a telecommunications provider

*in order to maintain confidentiality, the name of the provider is hidden

One of Ukraine’s largest telecommunications providers detected signs of unauthorized interference with its corporate computer network.

According to the company’s employees, the attacker was likely a current or former employee and was operating from the internal network.

The incident response team (IRT) reconstructed the incident timeline and worked with the IT department to close the identified vulnerabilities and remove the compromise from critical servers and intranet workstations.

Recommendations based on the incident were issued.

Ongoing documentation and monitoring of the attacker’s actions was organized in order to identify him, collect digital evidence and hand it over in due form to law enforcement agencies.

Blackmail or Bug-bounty?

During the investigation, starting from the potential offender’s e-mail address, the team collected information on where and under what pseudonyms he had left traces on underground Internet sites, his areas of interest (registrations on hacker forums), his location, phone number and additional e-mail addresses.

Using proprietary tools of their own development, CyberSEALs experts correlated the different types of data found on the Internet. Starting from a single e-mail address, they established the area of interest, additional e-mail addresses, telephone numbers, location, nicknames and passwords.

After sufficient evidence had been collected and analyzed, the data was handed over to the cyber police, who carried out a search and seized the attacker’s equipment.

Information and software found on his computer fully confirmed the suspicion of his involvement in the penetration of the provider’s corporate network.

The hacker caused damage to the company in the amount of over one million UAH.

CyberSEALs experts performed a computer-technical examination of this fact during the pre-trial investigation.

Incident Response Team

A focus group consisting of the following specialists was formed to investigate this crime:

Information security analyst/engineer – locating the hacker in the intranet, identifying compromised machines and the methods used to compromise them

  • Analysis of server log files / IDS / IPS / SIEM
  • Analysis of netflow / sflow network connection statistics
  • Identification of atypical activity
  • Analysis of server accounts
  • Search for backdoors / web shells
  • Interaction with the pentester
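As an added example (not code from the CyberSEALs investigation), the following Python script shows how two of the analyst tasks above, review of netflow statistics and analysis of server accounts, can be turned into a repeatable triage check: it flags internal hosts that fan out to an unusual number of destination/port pairs, flags logins from sources outside a per-account baseline, off-hours or directly as root, and then correlates the two views. The flow records, the sshd-style log lines, the KNOWN_SOURCES baseline and the business-hours window are all constructed assumptions; the provider’s real data is not on this page.

```python
"""Triage helpers for flow statistics and server account review.

Added example; the record formats and baselines below are simplified
constructions, not data from the investigated provider.
"""
import re
from collections import defaultdict

# Constructed netflow-style records: (timestamp, src, dst, dst_port, bytes).
FLOWS = [
    ("2021-01-12T09:01:00", "10.10.5.23", "10.10.1.10", 443, 12000),
    ("2021-01-12T09:02:10", "10.10.5.23", "10.10.1.11", 443, 9000),
    ("2021-01-12T22:14:00", "10.10.7.88", "10.10.1.10", 22, 300),
    ("2021-01-12T22:14:01", "10.10.7.88", "10.10.1.10", 80, 300),
    ("2021-01-12T22:14:02", "10.10.7.88", "10.10.1.10", 445, 300),
    ("2021-01-12T22:14:03", "10.10.7.88", "10.10.1.11", 22, 300),
    ("2021-01-12T22:14:04", "10.10.7.88", "10.10.1.12", 22, 300),
    ("2021-01-12T22:14:05", "10.10.7.88", "10.10.1.13", 3306, 300),
]

# Constructed sshd-style log lines for the account review.
AUTH_LOG = """\
Jan 12 09:05:11 web01 sshd[2211]: Accepted publickey for deploy from 10.10.5.23 port 51022 ssh2
Jan 12 22:20:43 web01 sshd[4410]: Accepted password for deploy from 10.10.7.88 port 40211 ssh2
Jan 12 22:21:02 db01 sshd[913]: Accepted password for root from 10.10.7.88 port 40215 ssh2
Jan 12 23:02:17 web01 sshd[4522]: Failed password for admin from 10.10.7.88 port 40290 ssh2
"""

# Assumed baseline: the sources each service account normally logs in from.
KNOWN_SOURCES = {"deploy": {"10.10.5.23"}}
# Assumed business hours (local time): 08:00 to 19:59.
BUSINESS_HOURS = range(8, 20)


def fan_out(flows, max_targets=3):
    """Return {src: count} for sources that contacted more distinct
    (dst, port) pairs than max_targets, a simple internal-scanning indicator."""
    targets = defaultdict(set)
    for _ts, src, dst, port, _nbytes in flows:
        targets[src].add((dst, port))
    return {src: len(t) for src, t in targets.items() if len(t) > max_targets}


LOG_RE = re.compile(
    r"^\w{3} \d+ (\d{2}):\d{2}:\d{2} (\S+) sshd\[\d+\]: "
    r"(Accepted|Failed) \S+ for (\S+) from (\S+) port"
)


def review_accounts(log_text):
    """Return (host, user, src, reasons) for every accepted login that is
    anomalous against the assumed baseline."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line; skip
        hour, host, result, user, src = m.groups()
        if result != "Accepted":
            continue  # failures are counted elsewhere in a real SIEM
        reasons = []
        if src not in KNOWN_SOURCES.get(user, set()):
            reasons.append("new source")
        if int(hour) not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if user == "root":
            reasons.append("direct root login")
        if reasons:
            findings.append((host, user, src, reasons))
    return findings


def correlate(flows, log_text):
    """Sources flagged by both the flow review and the account review:
    the machines an analyst would image and examine first."""
    scanning = set(fan_out(flows))
    logins = {src for _host, _user, src, _reasons in review_accounts(log_text)}
    return scanning & logins


if __name__ == "__main__":
    print("fan-out:", fan_out(FLOWS))
    for finding in review_accounts(AUTH_LOG):
        print("account:", finding)
    print("prioritize:", correlate(FLOWS, AUTH_LOG))
```

The thresholds are deliberately crude; in practice the baseline of known sources and normal fan-out would be derived from several weeks of the provider’s own flow and authentication history before the incident window, so that the script reports deviations from that history rather than from guessed constants.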

Penetration tester – detection of vulnerable services on external servers

  • Perimeter scan
  • Detection of vulnerable services
  • Attempt to exploit the identified vulnerabilities
  • Preparation of recommendations to eliminate the problems found
  • Collaboration with the information security analyst/engineer

IT-lawyer – legal assistance

  • Assistance in collecting, recording and providing digital evidence in the case
  • Formation of a commission to record unauthorized changes in the client’s system for further transfer of materials to the cyber police
  • Work with the client’s employees to prevent leakage of information on the case within the company

Forensic specialist / investigator – collection of digital evidence and ongoing documentation of the attacker’s actions

  • Some backdoors left by the hacker were deliberately preserved
  • Some vulnerabilities on the web servers were deliberately left unfixed
  • Some accounts were likewise left unblocked