National Power Company Case Study

Organisation

This customer is a state-owned national power company responsible for operating a
national integrated power system and employs 9,000 people.

The company also oversees electricity transmission from generating plants to distribution
networks via trunk power grids. Its network includes 8 regional power plants covering
the entire country.

Challenge

The company experienced an outage at one of the state capital’s power stations which
resulted in the loss of 20 per cent of the city’s power.

Following the outage, the company undertook a Compromise Assessment of their IT
infrastructure to identify any previously undetected cyberattacks, track all infected
devices/systems and establish the source of the breach.

Approach

As part of the Compromise Assessment, all Windows Log Data was analysed and a Full
Asset Discovery was undertaken.

This approach allows for a multi-layer analysis that can identify both active and dormant
cyber threats. This forensic investigation aimed to detect any evidence of a targeted
cyber-attack.

Process

The customer provided all available Windows Log Data, which was uploaded to a private
instance within Microsoft Azure protected by encryption and two-factor authentication.

Proprietary algorithms prepared the data for analysis and then sent the data to the
analytics engine. Throughout the audit process, the company had full visibility of
proceedings via their secured private account, allowing them to monitor each phase and
the validation process.

Once the machine learning and data analysis process was completed and initial findings
were made available, expert security data analysts validated the results and added any
additional relevant context.

The Compromise Assessment discovered security violations and Indicators of Compromise
(IOCs) suggesting that a further cyber-attack was imminent.

Each security violation and related IOC was then assessed for its level of risk and the
likelihood of attackers exploiting it.

Compromise Assessment Results

Enough critical information was gathered to indicate the company’s infrastructure was
compromised and parts of their network were controlled by external attackers. This
suggested the previous power cut was the result of a targeted cyber-attack.

The information gathered during the assessment highlighted how the attackers gained
access to the network and the subsequent steps they took to increase their access
privileges across the infrastructure.

The machine-learning analysis identified numerous compromised user accounts and
passwords. These compromised accounts allowed the attackers to perform malicious activity
across the network.

The forensic analysis traced the lateral movement of the attackers across the network,
which allowed the Network Team to isolate the compromised assets. The team was then also
able to identify and remove further threats such as dormant implants ("sleeper agents")
left behind for later use.
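The case study does not show how lateral movement was surfaced from the Windows log data. The following is an added illustration, not the assessment's own tooling: it runs a simple lateral-movement check over a handful of constructed Windows Security 4624/4625 records (invented accounts, hosts and addresses, not the customer's data). An account that successfully logs on remotely (logon type 3, network, or 10, RDP) to several distinct computers within a short window is flagged, together with the source address the logons came from, which is the kind of finding that lets a network team isolate affected hosts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of forwarded Windows Security events (4624 = successful
# logon, 4625 = failed logon). Invented records, not the customer's log data.
# Field names loosely follow the element names carried by a 4624 event.
SAMPLE_EVENTS = [
    {"time": "2019-03-04T08:02:11", "event_id": 4624, "computer": "FS01",
     "target_user": "jsmith", "logon_type": 3, "src_ip": "10.20.7.41"},
    {"time": "2019-03-04T13:40:05", "event_id": 4624, "computer": "PRINT01",
     "target_user": "jsmith", "logon_type": 3, "src_ip": "10.20.7.41"},
    {"time": "2019-03-04T23:11:02", "event_id": 4625, "computer": "DC01",
     "target_user": "svc_backup", "logon_type": 3, "src_ip": "10.20.5.17"},
    {"time": "2019-03-04T23:12:40", "event_id": 4624, "computer": "DC01",
     "target_user": "svc_backup", "logon_type": 3, "src_ip": "10.20.5.17"},
    {"time": "2019-03-04T23:14:03", "event_id": 4624, "computer": "FS01",
     "target_user": "svc_backup", "logon_type": 3, "src_ip": "10.20.5.17"},
    {"time": "2019-03-04T23:17:55", "event_id": 4624, "computer": "HMI-GW01",
     "target_user": "svc_backup", "logon_type": 3, "src_ip": "10.20.5.17"},
    {"time": "2019-03-04T23:23:19", "event_id": 4624, "computer": "WS22",
     "target_user": "svc_backup", "logon_type": 10, "src_ip": "10.20.5.17"},
    # Service logon (type 5) on the account's own host: not remote, not counted.
    {"time": "2019-03-05T02:00:00", "event_id": 4624, "computer": "BACKUP01",
     "target_user": "svc_backup", "logon_type": 5, "src_ip": "-"},
]

# 3 = network logon (SMB, WMI, PsExec-style), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}


def find_lateral_movement(events, window=timedelta(minutes=30), min_hosts=3):
    """Return {account: finding} for accounts that successfully logged on
    remotely to at least `min_hosts` distinct computers within any span of
    length `window`. Failed logons (4625) and local logon types are ignored."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        by_account[ev["target_user"]].append(
            (datetime.fromisoformat(ev["time"]), ev["computer"], ev["src_ip"]))

    findings = {}
    for account, logons in by_account.items():
        logons.sort()  # chronological; tuples sort by time first
        for i, (start, _, _) in enumerate(logons):
            span = [l for l in logons[i:] if l[0] - start <= window]
            hosts = {host for _, host, _ in span}
            if len(hosts) >= min_hosts:
                findings[account] = {
                    "hosts": sorted(hosts),
                    "sources": sorted({src for _, _, src in span}),
                    "first_seen": start.isoformat(),
                }
                break  # one window per account is enough to trigger triage
    return findings


if __name__ == "__main__":
    for account, f in find_lateral_movement(SAMPLE_EVENTS).items():
        print(f"{account}: {len(f['hosts'])} hosts {f['hosts']} "
              f"from {f['sources']} starting {f['first_seen']}")
```

In the constructed data only svc_backup trips the rule: four remote logons to four different computers in eleven minutes, all from 10.20.5.17, after a failed attempt against the domain controller. The regular user with two logons spread over a working day is left alone. The threshold and window are assumptions chosen for the sample and would be tuned per environment; the source address in the finding is what tells the network team which host to pull off the wire first.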

Conclusion

The Compromise Assessment audit resulted in the fast and accurate detection of a
targeted cyber-attack.

The analysis of Windows Log Data and the identified Indicators of Compromise, together
with a Full Asset Discovery, delivered detailed evidence of the intrusion and of the
malicious activity within the network that led to the power cut at the state capital
power station.

The Compromise Assessment led to a critically important update and review of the
company’s cyber-security strategy.

Detailed recommendations were provided, allowing the company to improve its long-term
cyber security strategy.


STIC – National Power Company Case Study