Osprey Cyber Corporation (OCC) is a cyber security company that provide both offensive and defensive capabilities to customers including but not limited to private organisations, educational institutions, and government.
Recently OCC has been engaged by RavenCorp; an organisation who develop drones and has seen some suspicious outbound traffic on their firewall.
RavenCorp are headquartered in Sydney, Australia and also have presence in Munich, Germany. Their environment comprises of both on-premise and cloud infrastructure.
Upon conducting the incident response engagement, the following high-level findings were identified:
• On January 16, 2022 a phishing e-mail had arrived where a user was tricked into disclosing their credentials to a website at microsoft-account-validation.fakedomain.com
• The next day, the user’s credentials were used to access a remote desktop server
• The threat actor was able to run some software that allowed them to elevate their privileges to administrator and created several additional accounts in their corporate Active Directory with administrator rights
• Over the next 6 months, the threat actor exfiltrated several terabytes of data. This included:
o Customer information including names, addresses, e-mail addresses, phone numbers, and credit card numbers
o Personal information about employees of the organisation
o Technical drawings for a prototype drone that has potential military applications
• The threat actor remained in the environment for around 330 days
Using the information above answer the questions below. Ensure you justify your response and including any supporting information:
• What type of an attack has likely occurred?
• What type of threat actor has likely conducted the attack?
• Are there any legal or regulatory considerations that need to be considered?
• What policies, controls, or procedures could be implemented to prevent such an attack from occurring?
Rationale
