*In order to maintain confidentiality, the name of the provider is withheld.
One of Ukraine’s largest telecommunications providers showed signs of unauthorized interference with the company’s computer network.
According to the company’s employees, the attacker could be a current or former colleague and acted from the internal network.
The IRT team reconstructed the incident chronologically and worked with the IT department to close the identified vulnerabilities and remove the compromise from critical servers and intranet workstations.
Recommendations based on the incident were issued.
Further documentation and monitoring of the attacker’s actions were organized in order to identify him, collect digital evidence and hand it over in due form to law enforcement agencies.
Blackmail or Bug-bounty?
During the investigation, starting from the potential offender’s e-mail address, information was collected on where and under which pseudonyms he left traces on underground Internet sites, his areas of interest (registrations on hacker forums), his location, phone number and additional e-mail addresses.
Using unique tools of their own development, CyberSEALs experts correlated the different types of data found on the Internet. Starting from a single e-mail address, the team established the area of interest, additional e-mail addresses, telephone numbers, location, nicknames and passwords.
After collecting and analyzing sufficient evidence, the data was passed to the cyber police. A search was carried out and the attacker’s equipment was seized.
Information and software found on his computer fully confirmed the suspicions of his involvement in the penetration of the provider’s corporate network.
The hacker caused damage to the company in the amount of over one million UAH.
CyberSEALs experts performed a computer-technical examination of this fact during the pre-trial investigation.
Incident Response Team
A focus group was formed to investigate this crime, which consisted of:
Information security analyst/engineer – localization of the hacker in the intranet, identification of compromised machines and ways of hacking
Penetration tester – detection of vulnerable services on external servers
IT-lawyer – legal assistance
Forensic specialist/investigator – collection of digital evidence and further documentation of the actions of the attacker