The Challenge

A technology company approached Nisos after it appeared some of their source code and intellectual property was leaked. The client discovered the issue after identifying a series of emails that had been sent to one of their engineers from a foreign competitor. The client was understandably alarmed and wanted to understand if competitors or nation-states were targeting their employees in an attempt to access and exploit proprietary intellectual property.

Why Nisos

The client needed a partner with capabilities that extended beyond traditional incident response. They needed a partner with the ability to help them monitor employee devices, establish placement and access in web forums, and use technical internet data to help them determine the severity of any exfiltration of intellectual property.

Preparation

Nisos was provided with access necessary to connect internal forensic data to the external threat hunting we needed to conduct.

Execution

After conducting the forensic device analysis and merging the findings with our external internet data, we uncovered a significant coordinated effort to infiltrate our client’s engineering department. Indications were the attack was being conducted by a competitor backed by a foreign nation-state.

This nation-state recruited engineers and sent them to the United States on student and work visas. They were directed to secure employment in the client’s engineering department. The nation-state provided financial backing to intermediaries connected to one of the client’s competitors. Upon a short period of employment, the intermediaries would approach their targets and make an offer on behalf of the competitor to hire the engineers for substantially more money. Prior to leaving our client’s employ, the engineers would secure proprietary source code on removable media and transfer it to the competitor.

As part of our investigation, we developed custom technology that allowed us to ingest, translate, and categorize hundreds of thousands of foreign language messages. These messages provided the necessary intelligence in close to real time. During the associated forensic examination process of chat logs and browser history, it was clear the engineers had limited skill sets and were unqualified to be conducting the work for which they were hired. Their sole purpose was to exfiltrate information.

Outcome

Our actions helped the client stop the infiltration and limit losses. In coordination with the client’s legal team, our research was provided to the Federal Bureau of Investigation. After law enforcement became involved, the client continued to monitor the attempted espionage for an ongoing period of time and was able to take action, including termination of the employees as well as filing civil suits against the individuals involved.

The Challenge

A multinational energy company (the client) operating in a volatile, foreign nation was faced with threats of violence directed at its personnel and infrastructure. In the interest of safety, the client arranged for many of its personnel to depart the country. Complicating this situation, these threats occurred during the COVID-19 pandemic when manpower and operations were already severely impacted. The client engaged Nisos to ensure the protection of the remaining manpower and facilities. Specifically, Nisos was asked to monitor online geopolitical sentiment from nation states directed towards the client’s operations and personnel and provide insight and guidance as necessary.

Why Nisos

The client’s need to reduce manpower during COVID-19 adversely impacted physical security operations and community engagement resources. Due to a high volume of threats being directed at the client, they needed Nisos to access closed forums and monitor the local population’s sentiment. Nisos was asked to identify and differentiate between real threats, sophisticated threats, and random, less impactful “noise.” This adversary insight was deemed highly important and delivered more insight than commercially available tools and social media monitoring technologies were able to provide. In addition, nation states and state-owned enterprises were gaining influence with local police and political personnel. The client was worried about these influences derailing ongoing community engagement projects critical to the local population.

The Challenge

A job recruiting platform approached Nisos to determine the severity and authenticity of an affiliate recruiting company that appeared to be involved with disinformation and foreign nation state espionage efforts. The foreign nation state was suspected of targeted recruiting of individuals in sensitive US government positions using sockpuppet accounts.

Why Nisos

After receiving an allegation that the affiliate was using their platform to advance these efforts, the client asked Nisos to perform a digital investigation and use high operational security tradecraft to determine the extent of the operation and make recommendations on how to address the issue. Options included:

1. Removing the recruiting company from the platform,
2. Continuing to monitor, and/or
3. Informing law enforcement.

Preparation

Nisos was provided with minimal information consisting only of the name of the recruiting company. Nisos was not provided with any data regarding the details of the client’s organization or internal telemetry.

The Challenge

A technology company tasked Nisos to conduct a threat evaluation assessment on one of their executives after multiple internet forum users posted inflammatory, threatening, and racially derogatory content. More concerning, some forum users posted the executive’s residential address, social media accounts, public records information, speaking engagements and locations, and other sensitive personal information.

Why Nisos

The company approached Nisos to conduct a threat evaluation and digital identity reduction (PII removal). Prior to engaging Nisos, they had approached other vendors who could conduct a threat evaluation but had no ability to action and remove the problematic PII data.

Preparation

Nisos used a variety of available external data sources that did not require access to internal company information.

The Challenge

A technology company noticed a disturbing increase in malicious activity across their platform. Unknown individuals were selling bots that claimed to automate interactions with their platform and provide those that purchased the app an advantage over other users. This use of the app was a clear violation of the client’s Terms of Service. In other words - the bots would “game the system” to the financial disadvantage of normal conforming users - leading to frustration and anger directed at the client. To make matters worse, the bots mirrored the legitimate client application, presenting additional security threats.

The client enlisted Nisos with three primary objectives:

1. Determine how the bots were able to subvert client controls and take advantage of the platform.
2. Provide recommendations on how the client could improve their security posture and counter the illegitimate activity of the bots. 
3. Identify the actors making the bots, enabling the client to properly attribute the crime and take legal action.

Why Nisos

Nisos’ ability to help the client was rooted in our ability to deliver high-quality technical application analysis combined with open source research and attribution.

Preparation

The Client started by providing Nisos with a detailed history of bots that they had previously uncovered. They requested Nisos identify additional bots that may be present and undiscovered. In order to accomplish this task, Nisos did not need to access the Client’s network or sensitive data.

Execution

Nisos acquired the bot of most concern to the client through a common App store. We confirmed that it operated as claimed and provided an analysis of how the bot functioned at the code level. We also determined that several methods could be used to create a functional bot targeting the client’s platform, and we provided recommendations to the client to remediate this risk.

Our assessment concluded that the creator of the bot took the official client application, acquired the binary from a device, and altered it with their own additional code. This additional code pulled the necessary information from the client and automated user responses.


Attribution

Nisos found that previous application bot domains were associated with truncated email addresses. In one case, Google cache inspection of application .vip revealed a telegram account associated with a partially named online persona. We acquired a license for the application and extracted the Intelligent Process Automation (IPA). We then identified that the back end server for downloading the app bot was associated with an IP address that served as a Virtual Private Server (VPS). The infrastructure was hosted in a Japanese hosting facility.

In another case, we were able to track back “old” versions of the application bots that revealed selectors. Using these selectors and cross referencing them in Nisos proprietary credential databases and other external telemetry, we attributed them to named individuals. We also determined that these selectors were being used for additional, identifiable fraudulent activity.

The Challenge

Nisos was contracted to conduct cybersecurity diligence and an assessment of external network hygiene for a cybersecurity company’s acquisition target

Why Nisos

Although the client, a cybersecurity company, leverages many of the same services as Nisos, they understood that Nisos’ analytical rigor and access to external data collection would allow them to gain greater insight and optimize the evaluation of their acquisition target. Utilizing publicly available information, third party datasets, and partner relationships, Nisos was able to discover and assess the target of acquisition’s cyber assets and provide the client with a comprehensive understanding of areas of concern and indicators of compromise.

Preparation

Nisos began the investigation knowing eight registered domain names of the acquisition target. Nisos had no existing insight into the company’s overall cyber posture. The investigation revealed extensive information about the acquisition’s cyber-security maturity and the breadth of their cyber assets.

Execution

Nisos identified several ties to entities that were not publicly affiliated with the acquisition target. The investigation, conducted on the public internet, uncovered IP addresses directly associated with the target’s office. This led to the identification of specific infrastructure which would likely be targeted by an advanced attacker. , Nisos also identified a server providing remote access to the target’s office network and users of a Docker instance created by the target, one of which was running default credentials. Although the instance did not appear to belong to the target, an attacker could leverage it to gain control over a customer. It could also be used as an access vector in a breach of someone using the target’s software. A compromise of this sort could negatively impact the target’s brand reputation and ability to generate new clients. The investigation ultimately determined that the organization's cyber-security maturity was high, which is uncommon for organizations of similar size, but consistent with the target’s cybersecurity background.

Impact

Based on Nisos findings and recommendations, the acquiring company immediately and transparently began remediation. Recommended remediation actions included removing public permissions, enforcing two factor authentication for console access, and limiting access to Kubernetes ingress controller only via whitelisting IP addresses. Throughout the process, Nisos shared best practices and additional guidance with the client and the acquisition target.

The Challenge

A retail client requested our assistance to identify an individual, who was also a paying customer, who wrote a python script that scraped a backend server. The customer had also previously published a WiFi vulnerability present at the company’s offices in the US. The client was aware of closed forums where this customer and other potential threat actors exchanged ideas about denigrating the client’s reputation, and asked Nisos to help understand the nature of the threat.

The Challenge

Malicious foreign actors were creating automated tools to abuse an e-commerce client’s platform. Using that automated process the threat actors were able to mass create and bulk manage accounts, run advertisements, and use credit cards. With those credit cards, they were able to make purchases through the client’s site, and the client’s customers and third party service providers.

The CEO of a multinational manufacturer (Client) identified an urgent need to remove a key executive, along with several accomplices, from the operations of the company, based on concerns that these insiders were intent on sabotaging the company. Given the known IT expertise and access of the executive and his associates, the Client needed to prevent these persons of interest (POI) from stealing sensitive data or disrupting the network prior to being fired. The Client also intended to pursue legal action against the POI and needed digital evidence preserved.

Nisos   was   tasked to   acquire   additional  information on a threat actor making violent threats against a big tech company's executive leadership.