Pulling the plug during a cyber security incident

by Benjamin Svensson 2022-12-06

Background: cyber attack on Swedish unemployment benefit services

The Swedish unemployment benefit services (Sveriges A-kassor) have been down for almost a week after a cyber attack against their supplier Softronic. Softronic mainly offers services towards Swedish society, providing services within development, cloud, e-commerce, SaaS products, and more. Most of their services seem to be Microsoft related or solutions based on Microsoft products.

The impact of the current downtime in unemployment benefit services is that benefit payments are on hold and online services are unavailable.

Without an official report from Softronic we still don't know much about the incident beyond speculation, except that:

  • We know there was a cyber attack against Softronic, and Sveriges A-kassor organizations were affected.
  • We know that Softronic pulled the network plug on their environment.

This got us thinking: what drives a company that large to actually pull the plug? Halting their entire online operation like that will be a very costly action. Kudos to Softronic though, this was a very hard decision to make and they likely made it to protect their customers and their operations.

Which reasons would motivate making this decision?

First of all, the threat actor here is probably not an insider or a script kiddie. It's more likely to be some ransomware group or other resourceful actor. Let's set the scene of the initial access of a possible incident (not saying this is what happened in the abovementioned incident):

  • Threat actor gains initial access to the environment (Windows Domain, Azure AAD)
  • They execute some program in the environment to establish C2 (command and control) communications
  • They establish persistence by some means

Let's stop here briefly. They have access, they have a command and control link, they have persistence. There are a lot of IOCs (Indicators of Compromise) that can detect these initial phases, but they can be hard to identify since the IOCs can be made to look a lot like legitimate traffic. If the threat actor were detected at this point we probably wouldn't pull the plug on our entire operation. We would start IR (Incident Response) and stop the attack before it even got going.

Continuing our hypothetical scenario: the next step for a threat actor would be to discover how and where to move laterally, probably trying to identify systems or services holding sensitive data and aiming for those. Now we're getting closer to a situation where pulling the plug has to be considered, since the threat actor may get hold of sensitive information. But it's probably not necessary yet. With some simple methods it's possible to detect many of the techniques the threat actor uses, and threat hunting helps here to identify which systems they have access to.

Let's say the threat actor has access to several systems in the network. They have established persistence on a couple of these and we still haven't detected them. Now they try to elevate their privileges in the domain. We are notified that a new Domain Admin has been added to the domain, or that a Domain Admin account has been used to access something. On further investigation we find that it's not only the on-premise domain that's been compromised, it's also our Azure AAD.
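The two signals in that paragraph, a new member in Domain Admins and a Domain Admin account logging on somewhere it shouldn't, are simple to alert on once the events are collected. The following is an added example, not code from the original post or from Softronic: a small detection pass over constructed Windows Security log records. The event IDs 4728 (member added to a security-enabled global group) and 4624 (successful logon) are real; the host names, account names, timestamps, the simplified field names and the "tier-0 hosts" allow-list (domain controllers where Domain Admin logons are expected) are assumptions made for the example.

```python
# Added example, not from the original post: flag Domain Admins membership
# changes and Domain Admin logons outside an allow-list of tier-0 hosts.
#
# Real Windows Security event IDs used:
#   4728  A member was added to a security-enabled global group
#   4624  An account was successfully logged on
# Field names are simplified (assumption); every host, account and
# timestamp below is constructed for the example.

from dataclasses import dataclass, field

DOMAIN_ADMINS = "Domain Admins"


@dataclass(frozen=True)
class Event:
    time: str            # ISO 8601 timestamp (sorts lexically)
    event_id: int
    computer: str        # host that recorded the event
    fields: dict = field(default_factory=dict)


# Constructed sample records (not real data)
SAMPLE_EVENTS = [
    Event("2022-12-01T08:02:11Z", 4624, "DC01",
          {"TargetUserName": "da.svc", "LogonType": "3"}),
    Event("2022-12-01T08:15:42Z", 4728, "DC01",
          {"SubjectUserName": "helpdesk1",
           "MemberName": "CN=j.doe,OU=Users,DC=corp,DC=example",
           "GroupName": DOMAIN_ADMINS}),
    Event("2022-12-01T08:16:05Z", 4624, "FILESRV02",
          {"TargetUserName": "j.doe", "LogonType": "10"}),
    Event("2022-12-01T08:20:30Z", 4624, "WS-1042",
          {"TargetUserName": "alice", "LogonType": "2"}),
]


def account_from_dn(dn: str) -> str:
    """Pull the CN out of a distinguished name such as 'CN=j.doe,OU=Users,...'.
    4728 records the added member as a DN, not as a plain account name."""
    first = dn.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def find_domain_admin_alerts(events, known_admins, tier0_hosts):
    """Return one alert string per suspicious event, in time order.

    Accounts added to Domain Admins during the stream are tracked, so a
    logon by a freshly added account on a non-tier-0 host is flagged as well.
    """
    admins = {a.lower() for a in known_admins}
    tier0 = {h.upper() for h in tier0_hosts}
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == 4728 and ev.fields.get("GroupName") == DOMAIN_ADMINS:
            member = account_from_dn(ev.fields["MemberName"])
            actor = ev.fields.get("SubjectUserName", "?")
            alerts.append(f"{ev.time} {ev.computer}: '{member}' added to "
                          f"{DOMAIN_ADMINS} by '{actor}'")
            admins.add(member.lower())
        elif ev.event_id == 4624:
            user = ev.fields.get("TargetUserName", "").lower()
            if user in admins and ev.computer.upper() not in tier0:
                logon_type = ev.fields.get("LogonType", "?")
                alerts.append(f"{ev.time} {ev.computer}: Domain Admin '{user}' "
                              f"logon (type {logon_type}) outside tier-0 hosts")
    return alerts


if __name__ == "__main__":
    # da.svc is a known admin; DC01 is the only host where DA logons are expected
    for line in find_domain_admin_alerts(SAMPLE_EVENTS, ["da.svc"], ["DC01"]):
        print(line)
```

The da.svc logon to DC01 is not reported because domain controllers are on the allow-list; the helpdesk account adding j.doe to Domain Admins and j.doe's subsequent remote-interactive logon to a file server both are. In practice the same logic is expressed as a rule in whatever SIEM receives the forwarded Security logs; the point is that both signals are cheap to collect and worth alerting on before the on-premises domain and Azure AD are lost.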

Time to pull the plug

This is where the decision to pull the plug lands. We need to stop the attack immediately to reduce impact. We need to start Incident Response, find every affected system and device in the network, reset our on-premises Active Directory so that all issued Kerberos tickets become invalid, and kick the threat actor out. This is not a simple task; it requires high expertise and around-the-clock activity.

Softronic made a tough decision to disconnect their online services and we have no doubt they have been working extremely hard to handle this incident and reduce impact.

Are you prepared?

Are you confident enough to make the decision to pull the plug on your services? Several organizations can't, because their systems are critical to society. What happened to Softronic reminds me of the importance of having a well thought out and tested plan for when an incident occurs, and at the same time having the means to detect the incident in the first place.

Does your organization feel overwhelmed regarding threat hunting, detection, risk- or incident management and would like some expert help with your reactive and proactive security? Maybe you want to test your detection capabilities through Red/Purple team or get up to speed on threat modeling and risk analysis? Contact us and let us guide you.