General mobilisation. It is difficult to describe in any other way our intervention with one of our major clients at the beginning of the calendar year. This international company was the victim of a cyberattack and was able to count on our fast and efficient support, well beyond our contractual obligations.
At NRB, we ensure that we meet the needs of our clients and exceed their initial expectations. Early this year, our teams rescued a company that was the victim of a major cyberattack. While we were only responsible for the operational part of its infrastructure, we mobilised substantial resources to enable it to ward off the hackers and resume its activities as quickly as possible.
Step 1: detection of the alert
In the middle of the night, the client's night watch received several alerts: many platforms were no longer working. He tried to access the infrastructure but his access was denied. "Our guard was quickly contacted by the company concerned. He was able to access the systems and regain control of the infrastructure. He then quickly returned access to the client so that it could see the extent of the damage. In total, the data of hundreds of systems had simply disappeared. At this precise moment, the possibility of a cyberattack seemed more and more clear," explains Arnaud Rosette, Security Engineer at NRB who supervised the entire intervention.
Our client immediately took security measures and decided, among others, to cut off the external internet connections to the company.
Step 2: analysis of the attack
NRB proactively offered its assistance to the client and made its SecOps team available. At the same time, a meeting room at NRB was made available to our client, allowing it to continue urgent activities in complete security.
Our employees on the SecOps team conducted a forensic analysis, investigating potentially dangerous media. "To find answers, we needed data, but the data from the attacked machines had mostly disappeared. Fortunately, we were still able to recover some of the data and found malware that had allowed the hackers to take control of part of the computer fleet."
Then began the study of the clues identified. At this stage, every piece of information was crucial because our teams needed to understand when and how these machines had been penetrated. "We detected connections from unusual countries or from several countries. Conclusion: a user's account had been hacked," continued Arnaud Rosette.
Step 3: restarting machines and production
Three logins and six hours of work: that's how long it took the hackers to break into the system, steal the data and stop the company's entire productivity with the LockBit 3.0 ransomware. Miraculously, the hackers did not demand any ransom and did not publish the data on the dark web. "It's as if gangsters stole money from a bank vault and then burned all the banknotes," says Arnaud Rosette.
With the threat averted, our teams worked for two months to enable our client to restart all of its machines and production. The stolen data could (partly) be recovered thanks to a daily backup of the systems. "We still had to identify when the malware had been introduced to make sure we did not re-inject it," continues Arnaud Rosette. "Our client was aware that its security system was not optimal. Management took prompt action to remedy the problem."
This example illustrates how a company can be attacked without even realising it. Cybersecurity is everyone's business!
CONTACT OUR CYBERSECURITY TEAM