GU Cyber Attack Ackme Oil and Gas Company Forensic Report

Description



Based on the Ransomware attack scenario, you will conduct a forensic investigation to identify, collect and preserve forensic data, extract incident evidence,  and analyze forensic evidence in such a way that it preserves the integrity of the evidence collected for effective use in a legal case.

The FBI and DHS have been actively engaged, providing guidance on IoCs to monitor. The team has identified some additional IoCs based on related activity discovered inside the ARC network. The team has discovered that the traffic the FBI identified is not only sourced from the initially identified Platform systems, but also from additional systems that proxy traffic through the Gas systems, which appear to be the source. This infiltration is much larger than first expected.

Several of the systems have files that were hidden by assigning them “legitimate” but rarely or never used program names. They appear to be part of the malware used to infect the systems. Additional files appear to be tools used by the attackers. IoCs did not directly help identify the files, as it appears the tools had been compiled specifically for this attack. The hidden files were identified as lacking proper hashes and therefore not part of the standard image or system-generated files.

Now that the team has the files as additional IoCs, they need to determine the full scope of the attack in terms of infected systems. They use a management system to identify which systems contain these hidden files and catalog them, but still have not taken action, as the FBI and DHS are keeping the team in a mode of discovery to fully assess the attackers and see if they can figure out attribution to a known or new threat actor group. The hidden files are extracted from a system, copied bit-by-bit so as to preserve the evidence for reverse engineering. A copy has been made for the team to learn more about the attack with the assistance of the FBI.

The team has been monitoring the exfiltration of data to observe what files were of interest to the attackers. A full packet capture was installed at the ARC, as it was not a current capability prior to the FBI and DHS engagement. Although this has been useful to see packet header information and some signalling data, the proxy information captured has been limited to captures of encrypted streams to the data hosting providers. The hosting providers have recently upgraded to TLSv1.3, eliminating the possibility of passive interception with decryption. This means that for packet content they can only read headers or deduce fingerprints of encrypted traffic; otherwise they need access to the points of origination and receipt. To obtain the data in cleartext, the systems used as proxies have been the most valuable source of information, as the files are briefly stored on those systems prior to being sent to the external storage providers. In a few cases, the team was able to copy off the files from backup systems without the attackers noticing their activity.

The team has a big problem: since the systems that were the source of the compromise are connected to NG customer locations, the usage, billing and customer identification codes have all been found in the files exfiltrated. The bill rate varies by usage and by contract, but has never been disclosed beyond each individual customer.
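The two steps the scenario leans on, identifying the hidden files because they lack the hashes of the standard image and preserving each one as a verified bit-for-bit copy, can be shown together. The Python below is an added example written for this page; it is not part of the assignment text or of any Ackme/ARC tooling. The directory tree, the gold-image manifest and the file names (bin/inventory.exe, bin/reporting.exe, bin/legacy_tool.exe) are constructed here for the demonstration, and the check ignores file names on purpose, since a plausible program name is exactly how the scenario's files were hidden.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large image does not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_unbaselined_files(root: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Walk `root` and report every file the gold-image manifest does not account for.

    A file is flagged when it has no manifest entry at all (an unknown file, whatever
    its name claims to be) or when its hash differs from the baseline (a replaced
    file). Names are deliberately not used as evidence of legitimacy.
    """
    findings: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        expected = manifest.get(rel)
        if expected is None:
            findings[rel] = "not in baseline manifest"
        elif expected != sha256_file(p):
            findings[rel] = "hash mismatch vs baseline"
    return findings


def preserve_evidence(src: Path, evidence_dir: Path) -> dict:
    """Copy `src` byte-for-byte into `evidence_dir`, verify the copy against the
    source hash, mark it read-only, and return a custody record for the report."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    dst = evidence_dir / src.name
    src_hash = sha256_file(src)
    with src.open("rb") as fin, dst.open("wb") as fout:
        shutil.copyfileobj(fin, fout)
    if sha256_file(dst) != src_hash:
        raise RuntimeError(f"evidence copy of {src} failed hash verification")
    os.chmod(dst, 0o444)  # working copy must not be modified after acquisition
    return {"source": str(src), "copy": str(dst),
            "sha256": src_hash, "size": src.stat().st_size}


def build_demo_tree() -> tuple[Path, dict[str, str]]:
    """Constructed host image (assumption, not real data): two baseline files, one of
    which is later replaced, plus an extra file with a legitimate-sounding name that
    was never part of the image."""
    root = Path(tempfile.mkdtemp(prefix="arc_host_"))
    baseline = {
        "bin/inventory.exe": b"known-good binary A",
        "bin/reporting.exe": b"known-good binary B",
    }
    manifest: dict[str, str] = {}
    for rel, content in baseline.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        manifest[rel] = sha256_bytes(content)
    # Constructed tampering that happened after the baseline manifest was taken.
    (root / "bin/reporting.exe").write_bytes(b"replaced binary B")
    (root / "bin/legacy_tool.exe").write_bytes(b"unknown binary")
    return root, manifest


def run_demo() -> tuple[dict[str, str], list[dict]]:
    """Identify unbaselined files, preserve each one, then remove the temp tree."""
    root, manifest = build_demo_tree()
    evidence_dir = root.parent / (root.name + "_evidence")
    try:
        findings = find_unbaselined_files(root, manifest)
        records = [preserve_evidence(root / rel, evidence_dir) for rel in sorted(findings)]
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(evidence_dir, ignore_errors=True)
    return findings, records


if __name__ == "__main__":
    found, recs = run_demo()
    for rel, reason in found.items():
        print(f"{rel}: {reason}")
    for r in recs:
        print(f"preserved {r['copy']} sha256={r['sha256']} size={r['size']}")
```

The custody record returned by `preserve_evidence` (source path, copy path, SHA-256 and size) is the minimum a report needs to show that the copy analysed later is the same bytes that were acquired; in practice the manifest would come from the vendor image or a trusted build, and the records would be written to a log that is itself hashed.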

Customer Identifier    Usage    Bill Rate
CSR237645              6789     1.45
CSR431728              7801     1.25
CSR782028              2789     1.75

Table 1. Natural Gas (NG) Customer Usage and Bill Rate
The team also needs to figure out how this information is being used. To date, they have not found exfiltrated files that contain the mapping of the actual customer to the identifier. Although skimming and redirecting funds may be possible from the other information gathered, the analysis currently shows that the information may be solely for the purpose of understanding usage patterns. The team suspects the purpose is likely to conduct outages throughout the Ackme product networks at times that will impact customers, including the airport, when it would be the most detrimental to the highest number of people.

The FBI and DHS recommend that the team solidify recovery and remediation plans now that the information gathering has been successful and the malware has been examined for additional information on the threat actors.

Assignment:

  • Write a Forensic Investigation Report that summarizes the substantive evidence in the Ransomware attack for use in legal proceedings.

Include ALL of the following components in the Forensic Investigation Report:

  • Forensic Investigation procedures

  • Incident forensic data gathering procedures

  • Incident forensic data protection

  • Incident forensic analysis procedures

  • Incident forensic evidence protection

  • Incident forensic evidence investigation results

  • Incident forensic investigation conclusion
