Hackers almost breached this firm’s systems. Here’s what they learned

As reported by ICAEW


At 3.15pm on the Tuesday after the August Bank holiday, cyber attackers phoned five employees at a mid-tier audit firm, posing as the IT helpdesk. Three weren’t at their desks. Another answered the phone but struggled to hear what was being said at the other end of the line. They questioned what was being asked of them, and the attackers hung up.

The remaining employee answered the phone and started to follow the attacker’s instructions before realising, in the nick of time, that something was up.


Within half an hour of the attack at the audit firm, the company’s external security operations centre (SoC) started calling and emailing the team over peculiar activity picked up on the network. By 10pm that night, the team had blocked the fake domain and had the list of five employees, who were informed they were locked out of their systems and needed to contact IT in the morning, where they underwent a full reset that included wiping their laptops. “Those users probably lost half a day, which is not the end of the world. It could have been a lot worse,” the firm’s Chief Technology Officer (CTO) says.


There was no discernible pattern to the people targeted, who were fairly well-established in the business and whose names were likely easily searchable online.

“It was so clearly left to the end of the day because that's probably [when] people are rushing,” the CTO says. “The time that people are a little bit less on guard, they're thinking about getting home.”


IT helpdesk attacks


These types of 'IT helpdesk' social engineering techniques are increasingly common. Hackers will either masquerade as IT or will call up IT pretending to be an employee. This was the approach attackers used in the M&S hack. It can be mitigated by putting additional security and validation in place between employees and the IT service desk.


The hackers were trying to get the employees to run commands, which the CTO assumes would have installed remote access software and spread through the environment. They suspect the hackers were attempting to launch a ransomware attack, which, for a firm that has thousands of clients, can quickly become costly: “If they encrypt our systems and we can’t operate, the money soon racks up.”


Improving communication


Although the attack itself was dealt with before any real damage could be done, it highlighted several potential challenges.


Firstly, the SoC called from a German number, which was initially distrusted before follow-up emails alerted staff to the suspicious behaviour. It then took hours to find the list of employees affected owing to poor communication from the SoC, which it transpired had reported the five users instantly but buried the information obscurely in a link to an Excel file.

“We've fed that back to the SoC and they're looking at how they report incidents in the future to make them clearer because that didn't help us,” the CTO says. The firm also wasn't covered by 24/7 support from its Managed Service Provider, as this was a user attack and not an infrastructure attack.


Revising protocols


The SoC told the firm to consider locking Microsoft Teams to block chats with external domains, but the nature of the audit firm’s business means that “to be able to actually work with clients it’s not feasible to lock the environment down in that way,” says the CTO. “It’s a fine balance between security controls and being able to actually work and do your job.”


But the incident has prompted the security team to revise a number of protocols. They now have access to the firm’s telemetry data to monitor their infrastructure themselves and watch out for red alerts. “We’ve got a rewrite of our incident response plans that we’re kicking off this month,” the CTO says. The firm also identified inconsistent messaging about what the IT team is called. This has been updated to prevent any confusion.
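The telemetry monitoring described above is the kind of check a security team can run itself once it has access to endpoint process-creation data. The following is an added example, not code from the firm, its SoC or ICAEW: it scans constructed telemetry lines for an interactive shell (the sort of window a caller talks a user into opening) launching something that looks like a remote-access installer, then correlates hits across users in a short window, since several employees being phoned within minutes is the signature of this campaign. The usernames, dates and installer names are all made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# Constructed endpoint telemetry, one process-creation event per line:
# ISO timestamp | user | parent process | new process | command line.
# Every user, timestamp and installer name here is invented for the example.
SAMPLE_EVENTS = """\
2024-01-09T15:17:02 | j.smith | powershell.exe | rmm-agent-setup.exe | rmm-agent-setup.exe /silent
2024-01-09T15:18:40 | j.smith | explorer.exe   | outlook.exe         | outlook.exe
2024-01-09T15:21:11 | a.patel | cmd.exe        | msiexec.exe         | msiexec.exe /i remote-support.msi /qn
2024-01-09T15:40:55 | k.jones | explorer.exe   | excel.exe           | excel.exe audit-plan.xlsx
2024-01-09T17:05:30 | m.brown | powershell.exe | rmm-agent-setup.exe | rmm-agent-setup.exe /silent
"""

# Interactive shells a user is likely to be typing into while on the phone.
USER_SHELLS = {"cmd.exe", "powershell.exe"}

# Hypothetical indicators of remote-access software being installed. In a real
# deployment this list would name the tools the firm does NOT sanction.
RMM_INSTALL_MARKERS = ("rmm-agent-setup", "remote-support.msi")


@dataclass
class Event:
    ts: datetime
    user: str
    parent: str
    process: str
    cmdline: str


def parse_events(text: str) -> List[Event]:
    """Parse the pipe-separated telemetry lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, parent, proc, cmd = (f.strip() for f in line.split("|", 4))
        events.append(Event(datetime.fromisoformat(ts), user, parent, proc, cmd))
    return events


def is_user_driven_rmm_install(ev: Event) -> bool:
    """True when an interactive shell launches something matching an RMM installer marker."""
    return ev.parent.lower() in USER_SHELLS and any(
        marker in ev.cmdline.lower() for marker in RMM_INSTALL_MARKERS
    )


def find_campaign(
    events: List[Event], window: timedelta = timedelta(minutes=30)
) -> Tuple[List[Event], Set[str]]:
    """Return (all flagged events, the largest set of distinct users hit inside one window).

    Two or more users in the returned set means the hits look coordinated rather
    than one person installing a tool on their own.
    """
    flagged = sorted((ev for ev in events if is_user_driven_rmm_install(ev)), key=lambda e: e.ts)
    best: Set[str] = set()
    for i, first in enumerate(flagged):
        users = {e.user for e in flagged[i:] if e.ts - first.ts <= window}
        if len(users) > len(best):
            best = users
    return flagged, best


if __name__ == "__main__":
    hits, users_in_window = find_campaign(parse_events(SAMPLE_EVENTS))
    for ev in hits:
        print(f"{ev.ts:%H:%M} {ev.user}: {ev.parent} -> {ev.cmdline}")
    if len(users_in_window) >= 2:
        print("Possible helpdesk-impersonation campaign:", sorted(users_in_window))
```

Run against the sample, it flags three installs and reports two users (j.smith and a.patel) caught within the same 30-minute window; the m.brown hit two hours later is real but stands alone, which is the distinction an analyst wants when deciding whether to lock out a group of accounts at once, as the firm did.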


From attack to training exercise


While the security and phishing training kicked in for the two employees who picked up the calls, the team got them to do a short video explaining what happened. “We put together a 10-minute educational video within four days and pushed that out by the end of that week to the whole firm,” says the CTO. The firm is buying new training too, but this video will also be a compulsory part of another training video for staff “to really hammer home that this can affect anybody, because that’s the thing that makes it real”.


The National Cyber Security Centre (NCSC) encourages organisations to share their experiences of attempted cyber attacks with the wider business community. “We recognise the importance of sharing responsibly, without giving any further information to potential attackers,” wrote Ralph B, Chief Technology Officer, Economy & Society at NCSC. “Sharing information about weaknesses you find can provide information about vulnerabilities that still exist.”


NCSC encourages organisations to share beyond their business sectors. “These ‘near misses’ provide an opportunity for learning about the threat you and others are facing and the effectiveness of cyber defences. Organisations can use near misses to develop realistic scenarios for threat modelling and to improve their response to future incidents, rather than allocating blame. Lessons learned and shared from near misses can be just as valuable as those from real incidents.”
