A Digital Recon Gone Wild - Part 3
Continues from Part 2
We arrived in Europe with the CISO and the members of the customer's CERT. The local law enforcement (LE) representatives in charge of digital-crimes (I hate the word cyber so I don't use it) were waiting for us at the hotel.
We sent them earlier some of the information we found, but we needed to get more details to them. Given that the company we were helping had offices in that country, the CISO used the local branch director as the point of contact for the LE, this way it would help with the legal proceedings.
We sat with the investigators, who had really no idea about digital forensics, digital intrussions or any other things related, but they were our contacts with the LE. We were told that their own experts would be present at some point to check the evidence we had. OK...
Anyway, after a terse 3 hours meeting with these people, we agreed to meet with their experts the following morning and once they OKed the findings, then they would get their legal system involved.
In the meantime we, the Team and the CERT members, decided to collect a little more information about the hosting company for the server. The idea was to get as much informaion about this company and this specific server as we could without stepping into an area that was not legal. And given that we had a shell to the system, we went fishing for more information.
We took turns with the shell, working methodically and getting into as many systems as we could find in the VM farm. This was a big server farm, one of the biggest I've seen, and we found porn sites, e-commerce sites, gambling sites, data stash servers, etc. Some of the servers had data that was, well, aquired by less than honest means.
We copied all the data that we thought would make a good case, especially those that had local information. After several hours massaging and formatting that data, we had a good techical and executive report for the local LE. Both the Team and the CERT guys were confident that this data would help make a good case.
Meanwhile, the honeypot the CERT put in place in the company's network was attracting a lot of interest from the bad guys. We got another weaponized Word document copied and E received a shell to another server in the same server hosting facility. Another point towards trying to convince the LE.
The next morning we met with the digital forensic experts and we presented them with all the evidence we had collected to that point. We handled them the reports we wrote and after a couple of hour of reviews and opinion exchanges, they told us that they would advice legal action. Good.
We asked when we can expect to get access to the records of who was paying or owned those two servers were the data was being copied. They, as expected, told us that we could not have access to that, that it was a legal issue and only a representative of my customer would have access. The CISO told tham that for all intents and purposes we were part of the company and that he wanted us to handle this. The LE members didn't see it this way.
So, what could we do?
Just sit and wait to be called when the customer had access to this data.
More than 3 months later, we received a call from the CISO. They finally had access to this data and they wanted us to help.
What we found on the data that was sent to the CISO was so lame that it didn't make any sense. When I asked about this, the CISO told me that this was all they received. That he knew it was impossible to work with this but that they wanted us to help with some offensive digital tactics. We wouldn't get involved in this, but we would teach the CERT to do it. Which, was fun since they were top of the line professionals.
The last thing I've heard from them was that after an operation they ran, they managed to find the people behind the breach.
I can't go into details, it's a matter of privacy, however also because I don't know and I chose not to know. It's not for us to know.