Cybercrime True Forensics Uncovered - Too Close to Home


Jul 27, 2015
Author: Tomi Tuominen, Global Technical Director

Quote: "The Nordics are the perfect setting for a scandi-noir forensics thriller. Mist and bitter rain, stark forests, dark lakes. It’s quite a backdrop. Here, on the edge of Europe, physical security compromises are more commonplace than you might think. It’s unsettling having your place of work attacked, like an assault on something close to you. These crime scenes can be investigated using the same methods our incident response (IR) team uses in cyber forensics. Often, organizations are led to unexpected realizations about the reliability of the security measures they put so much trust in.

This particular story begins at the headquarters of a goods distributor in Finland, with over 40,000 employees globally. The building was a monumental block, with some 7 floors including those underground, plus a dock for loading. The land around the site was owned by the organization (our client) and had been for some years.

A rude awakening

In the early hours of November 3, security guards at an outpost were alerted to a silent alarm triggered at the headquarters. Shortly after, another alarm went off at a secondary site in a nearby neighborhood, also owned by the client. The guards set off in their patrol car, initially to the location of the second alarm—which was closer to their outpost—then the first. Nothing was found at the remote site.

At the HQ building, they followed their established route for security checks. This route was carefully designed to enclose any trespassers so they might not retrace their steps. The sweep of the building took the guards 23 minutes to complete, just like it always did, with no signs of a break-in. None of the external, timed locks had been broken to enter the building (they were set to lock automatically between the hours of 06:00-21:00). Nothing at all seemed awry. A false alarm perhaps...

Only when the guards checked the CCTV footage could they see what—or in fact who—was the cause. At 04:00, the time the first alarm was triggered, a man entered the building. He held something up to the lock on the outer entrance door and it opened. Even with a valid pass, this should not have been possible in any case because of the lock’s timer. The guards chose wisely and notified the site security manager and the company CISO of the security breach, who immediately called our IR team.

A critical flaw

Getting out of my car at the client’s site later that same day, I stood for some time out in the rain and took in my surroundings: a single two-way road down to the central facility; some storage buildings; one main entrance at the front; a car park also at the front and one at the back. I then circled the building, counting 26 CCTV cameras, with one directly above the front entrance. This reconnaissance is part of my routine wherever I go. I'm always trying to work out how I would get access whilst evading detection if I were an attacker. I look for the features and flaws that make an easy route in. Potential break-in scenarios will go round in my head until I find one that makes the most sense. It's a trait of my red teaming background, absolutely, and it helps me as an incident responder. I see it this way: if you wanted to find out how to break into a building, would you ask a police officer or a burglar?

Sitting with the guards in their office, we looked back over the CCTV footage. It was blurry. But sure enough, we saw the attacker take something small from his pocket, subtly move it across the electronic lock, and the door unfastened. What did he have in his hand?

That afternoon, I acquired a batch of the same electromechanical locks the client was using. Then, I headed to the lab. I began to disassemble each lock and observe its functionality by performing various tests there at my desk. It wasn’t long until I came across a critical design flaw. When I held 4 super magnets to the lock, the relay would break, unlocking the bolt. This happened regardless of how it was programmed to function. (These “super magnets” I had in my toolkit were nothing special, by the way. They’re the type kids buy for fun online.) Needless to say, the CISO was somewhat perturbed when I returned on site and demonstrated the simple flaw in action. Every door using this lock design was now a known vulnerability.

Nothing to see here

The next mystery to solve was how the attacker managed to appear from nowhere. We could see from the CCTV footage his car, parked out front. Then, him entering the building. Nowhere was there visual evidence of his route from the car to the entrance. I scoured footage for what felt like hours, until it hit me. I was only looking at 25 camera feeds, but I’d counted 26 on my first visit. The camera above the entrance was dead. And from what the guard could tell me, it had been non-operational for some time. Did the attacker take the camera offline while he was there or was it a coincidence that had simply gone unnoticed? Using a ladder, I retrieved the camera. It was full of liquid, which isn’t altogether surprising in a place that gets almost 200 days of rain a year—but this wasn’t rainwater, it was sabotage. The attacker had come in advance and killed the camera with water from a faucet, creating a blind spot at the point of entry.

The attacker is unmasked

We’d made a big step forward. We now knew how the attacker had evaded security to enter the building and how he had bypassed the electronic locks. This guy wasn’t an opportunist. He clearly knew where he was going, how to bypass the guards’ set route, and how to make an exit. Never once did he hesitate or retrace his steps; he was always walking away from them and entered rooms only once. When he left the building, he did so through a door to the rear carpark and drove away.

I followed his path step-by-step to see how long it took from start to finish. Again and again I tried, but I was at least 5 minutes quicker than him every time. I mimicked his detours and stopping points, yet something was missing. There was a step we couldn’t see. I left, got in my car, and drove around the site to scout out the immediate area. There was an ATM but a 2-minute walk away. Surely not. Surely the attacker wasn’t bold enough to use this before making his escape."

Quote: "Though we could trace the attacker’s walking route, there were some blind spots where CCTV cameras were pointing the wrong way or didn’t exist at all. This left us wondering what he had been up to whilst in the building—where could he have easily gone without being seen? Nothing struck us. The CCTV evidence had been exhausted. It was time to look at some computers.

First, I scoured through the logs on the card-operated physical access control system, which ran separately to the system controlling the external electromagnetic locks. We found out which rooms the attacker had accessed, but this raised a glaring question—where had he got his access card from? The events couldn’t be tied to any existing user access card, so he’d been moving freely with a card that was never officially issued to someone. For and by whom it was created we couldn’t tell, but it had been activated 4 years prior, with privileges to go anywhere in the building. The attacker had his very own skeleton key.

The logs led us to rooms familiar to the team, then, one that wasn’t. Side by side with the CISO and one of the guards, I ventured into what was assumed to be a cleaning closet. What we found was a small hosting room, full of servers. And not just any servers; it was a junction point for devices owned by telecommunications organizations and internet service providers (ISPs). The client was housing a co-operative hosting facility for tenants dealing in critical national infrastructure (CNI) and not one person I’d spoken to knew about it."
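The log check described in the quote above (access-control events that could not be tied to any issued card), as an added example that is not part of the original article or the client's system. The CSV layouts, card numbers, door names and dates are constructed for illustration; a real system's export would differ.

```python
"""Cross-check physical access-control events against the issued-card roster.

Added example, not from the original article: flags 'granted' events made with
a card_id that appears in no roster entry (a card never issued to a named
holder) and lists the doors it opened, in log order. Field names and all sample
values below are constructed for this illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample roster: what the access-control system would export.
ROSTER_CSV = """card_id,holder,activated
1001,Anna Virtanen,2010-02-10
1002,Mikko Laine,2012-06-01
"""

# Constructed sample events: card_id 9000 is absent from the roster above.
EVENTS_CSV = """timestamp,card_id,door,result
2014-11-03T04:01:12,9000,Main entrance inner,granted
2014-11-03T04:03:40,9000,Server room B2,granted
2014-11-03T04:04:05,1001,Office 3F,granted
2014-11-03T04:06:30,1002,Archive B1,denied
2014-11-03T04:09:51,9000,Cleaning closet 1F,granted
2014-11-03T04:15:02,9000,Rear exit,granted
"""


def load_roster(text):
    """Return a dict card_id -> holder from the roster export."""
    return {row["card_id"]: row["holder"] for row in csv.DictReader(io.StringIO(text))}


def find_orphan_card_use(events_text, roster):
    """Return {card_id: [(timestamp, door), ...]} for granted events whose
    card_id has no roster entry. Denied events are ignored: the question is
    where an unissued card actually got someone through a door."""
    orphans = defaultdict(list)
    for row in csv.DictReader(io.StringIO(events_text)):
        if row["result"] == "granted" and row["card_id"] not in roster:
            orphans[row["card_id"]].append((row["timestamp"], row["door"]))
    return dict(orphans)


if __name__ == "__main__":
    for card, path in find_orphan_card_use(EVENTS_CSV, load_roster(ROSTER_CSV)).items():
        print(f"card {card} is not in the issued-card roster; doors opened:")
        for ts, door in path:
            print(f"  {ts}  {door}")
```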

Quote: "1 month later, following the implementation of our recommendations, the attacker returned."

Full source: