Results of Cyberattack Incident Investigation

Summary:

• A cybersecurity agency investigated the recent cyberattack incident we encountered and confirmed that the direct cause of the incident was a malware installed by a malicious third party who gained unauthorized access to our internal network.
• The relevant malware, however, will not propagate or infect other PCs and servers because it does not have the ability to do so. There are no data breaches from the malware because it does not have the ability to transmit data (the relevant malware has been completely removed from our network).
• We are investigating further how the malicious third party gained unauthorized access to our network.

Impact to our Clients/ Partners

Data breach

The malware activity was first confirmed on October 20th. We have confirmed that there have been no data breach on or after that date. The malware does not have any data transmission functionality (therefore no data transmission by the malware). Also, no file access by this compromised account was detected during this period. The cybersecurity agency is investigating further in the period before that for any data breach.

Email / attachment from SSRI

The malware will not propagate or infect other PCs and servers because it does not have the functionality to do so. Therefore emails and files we send will not carry the malware and not infect your devices.

Overview and cause of cyber attack

This cyber attack incident was caused by a malicious third party who managed to gain unauthorized access to a VPN account, then logged into the Active Directory server using a compromised administrator account. The malicious third party installed the malware on the AD server and disseminated it within the internal network using the group policy.
This incident affected five servers and 16 client PCs.
The cybersecurity agency is investigating how the malicious third party gained access to the VPN account and the AD server administrator account.

History of Events:

Oct 22 (Thu) evening:

• There were reports from our staff about unknown changes in the extension and encryption of files on our internal file server.
• Upon the receipt of the incident, IT dept staff shut down the file server.
• As of the end of Oct 22, no client PC damage was confirmed.

Oct 23 (Fri):

• Similar incidents (file extension change and encryption) were confirmed on some client PCs. Upon the receipt of the incidents, IT dept shut down all internal LAN and other internal servers.
• On affected client PCs, there were text file containing text on file encryption. Some accounts received email on file encryption.

Oct 24 (Sat):

• We confirmed that our Active Directory server was attacked and harmful group policies were distributed.

Since Oct 25 (Sun), use of all pre-attack internal networks, servers, and client PCs have been suspended.

Malware properties

The cybersecurity agency confirmed that the direct cause of the damage (file encryption) is a PowerShell script which has a ransomware-like file encryption function. The cybersecurity agency also confirmed that the malware neither has a file transfer function nor a function to communicate with the C2 server which are commonly available in regular ransomwares. This malware only affects Windows OS.

• Indicator of Compromise (IOC)

  HHash value:

  • md5: 6f080f2938c6b4b2e678e98e44ac916d
  • sha1: 216faede85e825b46399b4d56c5e29db26551984
  • sha256: aa15e543f3be809608f67bbe83643ca09fc094c60cd77435cd614b5642a8df26

  IP address:

  • 45.144.30.30

  Host name:

  • LESLIN_CIN09562
  • NTUDJWEIDJQW3

  Malware filename:

  • ssri.ps1

Safety measures

We have implemented the following safety measures:

• Suspended the use of VPN
• Construction of new AD server and file server with Microsoft Azure
• Clean installation of all client PCs and implementation of more secure login method.
• EDR-based stronger detection / control of potentially malicious activities
• Closer monitoring of server surveillance

Timeline

We are working to move back to the normal operations with higher security in the following schedule:

Nov 9-: Restoration of some servers incl. web survey server, and internal LAN
Nov 16-: Distribution of client PCs after clean installation / file server restoration