An Australian small-to-medium business in a niche field was the target of a Chinese-based hacking campaign set up to drive them out of business, and potentially take over that industry in Australia. The business was a major player in the niche field and served as the main distributor for the industry.
They initially reached out to Small Robot for a competitive quote on securing their business, and they were transparent that they had engaged other cyber security companies, one of which they had already paid to do a 'breach/cyber security assessment' of their environment once they thought they were compromised.
Small Robot security team members were more interested in why they thought they were compromised than in providing a quote for a solution - were they actually compromised, and if so, were they still in a compromised state?
The business had no answers, and were unclear on what the state of their security was, and whether they were compromised or not. The previous cyber security company, whilst giving them a proposal for solutions and services, had left the client not knowing the what and the why.
After a little discussion with a Small Robot security analyst, it was found that a suspicious email had triggered this series of events.
Small Robot requested the email to do a quick analysis, at no charge to the client, to ensure they were not currently in a compromised state.
The email chain indicated that an attack had indeed been made, via social engineering and a compromised customer's email account.
Basically, the email was discussing some financials between the business and their main customer (with the dollar values in the high tens of thousands), when, in the middle of the email chain, the business asked their customer if they could pay their debts that day, into the bank account details supplied in the email, as they were really short of cash that month.
The customer was willing to process the payment once their accounts payable person came into work. However, it wasn't the business asking. Luckily for both businesses, the accounts payable person thought this was odd and double-checked the email; although it looked legitimate, something didn't seem right, as it was unusual for the business to ask this. The person called the main company to confirm the email, and they knew nothing of it.
Small Robot analysed the email metadata. Even though the trail looked legitimate, with the same senders and recipients showing throughout, the sending addresses had actually changed in the middle of the trail while the display names were kept the same, and at a casual glance most people would miss it.
Further analysis found that a domain similar to the main company's had been created, to look like them, and had been used to send the email like this:
This was a targeted attack, as specific domains and infrastructure were used; generic phishing emails use mass-produced email domains, or ones impersonating major companies (like utilities, transport or postal services).
Leveraging in-house Cisco and DomainTools website analysis capabilities, Small Robot determined that this was indeed a targeted attack undertaken by Chinese hackers who had stood up and paid for a Microsoft M365 account linked to a domain that mimicked the main business's domain. Mail records and other DNS entries all appeared legitimate. In the background, a lot of Chinese-based malware was hosted on related domains.
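As an added example (not Small Robot's tooling and not from the original post), this Python check flags the two things the analysis above turned up: a display name reused with a different sending address part-way through a thread, and a sender domain within a couple of edits of a trusted domain. The trusted domain and the sample thread are constructed placeholders.

```python
# Added example (not Small Robot's tooling): flag the mid-thread sender swap
# and lookalike sender domains described in the case study.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-distributor.com.au"}  # assumed: the real business domain

# Constructed sample thread: the From header of each message, in order.
# Message 3 keeps the display name but swaps in a one-letter-off domain.
SAMPLE_THREAD = [
    "Accounts Team <accounts@example-distributor.com.au>",
    "Jane Buyer <jane@customer-example.com>",
    "Accounts Team <accounts@example-distributer.com.au>",  # lookalike domain
    "Jane Buyer <jane@customer-example.com>",
]

def edit_distance(a, b):
    """Levenshtein distance, used to spot domains a character or two off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """True if the domain is not trusted but is within max_distance edits of one that is."""
    if domain in trusted:
        return False
    return any(edit_distance(domain, t) <= max_distance for t in trusted)

def find_sender_swaps(from_headers):
    """Return (index, display_name, first_address, new_address, lookalike) for
    every message whose display name was seen earlier with a different address."""
    seen = {}       # display name -> address it was first seen with
    findings = []
    for i, header in enumerate(from_headers):
        name, addr = parseaddr(header)
        name, addr = name.strip().lower(), addr.lower()
        domain = addr.rsplit("@", 1)[-1]
        if name in seen and seen[name] != addr:
            findings.append((i, name, seen[name], addr, is_lookalike(domain)))
        seen.setdefault(name, addr)
    return findings

if __name__ == "__main__":
    for finding in find_sender_swaps(SAMPLE_THREAD):
        print("sender swap:", finding)
```

A mail gateway or SOC triage script would run the same check over the real From headers of a quoted thread, where the swap is invisible to a reader who only sees display names.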
Small Robot produced a timeline of the events for the client (not yet a client at that point), and it coincided with Chinese businessmen visiting their customer just prior to that time to discuss a potential trade relationship - we do not draw conclusions from that, but the business was certain of the correlation.
Small Robot submitted the domain to the Cisco Talos Threat Intelligence service, which blocked the domain immediately as suspicious and marked it for deeper investigation. Other Small Robot clients benefited instantly and were protected from that domain and related domains.
The client was surprised at the method of attack, and that they were the target of such an attack, one that was only a click or two away from being successful. They were surprised that the prior security company had uncovered none of this and had only provided a quote for solutions and services.
They realised that if their customer had paid that money, it would have gone to the hackers' bank account with no recourse to get it back. That would have meant the end of the business for their customer, and possibly for their own business, as they would have been owed tens of thousands of dollars that they would never get back. Both businesses would likely have gone out of business.
They engaged Small Robot to assist them with their security going forward and continue to be a customer of ours today. Understanding their environment, the threats they may face, and the cost constraints that SMBs face, Small Robot crafted a security solution specifically for them, just like we do with all of our clients.
We take security seriously and we believe businesses should too, as real attacks happen with real impacts, and having security you can trust, from a company you can trust, is essential.