Investigating Nation-State Espionage and Theft of Intellectual Property
By Nisos on Jan 5, 2021 10:22:34 AM
A technology company approached Nisos after it appeared some of their source code and intellectual property was leaked. The client discovered the issue after identifying a series of emails that had been sent to one of their engineers from a foreign competitor. The client was understandably alarmed and wanted to understand if competitors or nation-states were targeting their employees in an attempt to access and exploit proprietary intellectual property.
Why Nisos
The client needed a partner with capabilities that extended beyond traditional incident response. They needed a partner with the ability to help them monitor employee devices, establish placement and access in web forums, and use technical internet data to help them determine the severity of any exfiltration of intellectual property.
Preparation
Nisos was provided with access necessary to connect internal forensic data to the external threat hunting we needed to conduct.
Execution
After conducting the forensic device analysis and merging the findings with our external internet data, we uncovered a significant coordinated effort to infiltrate our client’s engineering department. Indications were the attack was being conducted by a competitor backed by a foreign nation-state.
This nation-state recruited engineers and sent them to the United States on student and work visas. They were directed to secure employment in the client’s engineering department. The nation-state provided financial backing to intermediaries connected to one of the client’s competitors. Upon a short period of employment, the intermediaries would approach their targets and make an offer on behalf of the competitor to hire the engineers for substantially more money. Prior to leaving our client’s employ, the engineers would secure proprietary source code on removable media and transfer it to the competitor.
As part of our investigation, we developed custom technology that allowed us to ingest, translate, and categorize hundreds of thousands of foreign language messages. These messages provided the necessary intelligence in close to real time. During the associated forensic examination process of chat logs and browser history, it was clear the engineers had limited skill sets and were unqualified to be conducting the work for which they were hired. Their sole purpose was to exfiltrate information.
Outcome
Our actions helped the client stop the infiltration and limit losses. In coordination with the client’s legal team, our research was provided to the Federal Bureau of Investigation. After law enforcement became involved, the client continued to monitor the attempted espionage for an ongoing period of time and was able to take action, including termination of the employees as well as filing civil suits against the individuals involved.
Monitoring Geopolitical Sentiment and Physical Threats During COVID-19
By Nisos on Dec 16, 2020 10:12:01 AM
A multinational energy company (the client) operating in a volatile, foreign nation was faced with threats of violence directed at its personnel and infrastructure. In the interest of safety, the client arranged for many of its personnel to depart the country. Complicating this situation, these threats occurred during the COVID-19 pandemic when manpower and operations were already severely impacted. The client engaged Nisos to ensure the protection of the remaining manpower and facilities. Specifically, Nisos was asked to monitor online geopolitical sentiment from nation states directed towards the client’s operations and personnel and provide insight and guidance as necessary.
Why Nisos
The client’s need to reduce manpower during COVID-19 adversely impacted physical security operations and community engagement resources. Due to a high volume of threats being directed at the client, they needed Nisos to access closed forums and monitor the local population’s sentiment. Nisos was asked to identify and differentiate between real threats, sophisticated threats, and random, less impactful “noise.” This adversary insight was deemed highly important and delivered more insight than commercially available tools and social media monitoring technologies were able to provide. In addition, nation states and state-owned enterprises were gaining influence with local police and political personnel. The client was worried about these influences derailing ongoing community engagement projects critical to the local population.
Disrupting Nation-State Recruiting and Disinformation Efforts on Job Site Platform
By Nisos on Dec 11, 2020 9:00:00 AM
A job recruiting platform approached Nisos to determine the severity and authenticity of an affiliate recruiting company that appeared to be involved with disinformation and foreign nation state espionage efforts. The foreign nation state was suspected of targeted recruiting of individuals in sensitive US government positions using sockpuppet accounts.
Why Nisos
After receiving an allegation that the affiliate was using their platform to advance these efforts, the client asked Nisos to perform a digital investigation and use high operational security tradecraft to determine the extent of the operation and make recommendations on how to address the issue. Options included:
- Removing the recruiting company from the platform,
- Continuing to monitor, and/or
- Informing law enforcement.
Preparation
Nisos was provided with minimal information consisting only of the name of the recruiting company. Nisos was not provided with any data regarding the details of the client’s organization or internal telemetry.
Reducing Executive Risk by Removing Sensitive Personally Identifiable Information (PII) from the Internet
By Nisos on Dec 1, 2020 4:28:57 PM
A technology company tasked Nisos to conduct a threat evaluation assessment on one of their executives after multiple internet forum users posted inflammatory, threatening, and racially derogatory content. More concerning, some forum users posted the executive’s residential address, social media accounts, public records information, speaking engagements and locations, and other sensitive personal information.
Why Nisos
The company approached Nisos to conduct a threat evaluation and digital identity reduction (PII removal). Prior to engaging Nisos, they had approached other vendors who could conduct a threat evaluation but had no ability to action and remove the problematic PII data.
Preparation
Nisos used a variety of available external data sources that did not require access to internal company information.
Identifying and Disrupting Platform Abuse in the Gig-Economy
By Nisos on Nov 17, 2020 4:43:14 PM
A technology company noticed a disturbing increase in malicious activity across their platform. Unknown individuals were selling bots that claimed to automate interactions with the platform and give those who purchased the app an advantage over other users. This use of the app was a clear violation of the client’s Terms of Service. In other words, the bots would “game the system” to the financial disadvantage of normal, conforming users, leading to frustration and anger directed at the client. To make matters worse, the bots mirrored the legitimate client application, presenting additional security threats.
The client enlisted Nisos with three primary objectives:
- Determine how the bots were able to subvert client controls and take advantage of the platform.
- Provide recommendations on how the client could improve their security posture and counter the illegitimate activity of the bots.
- Identify the actors making the bots, enabling the client to properly attribute the crime and take legal action.
Why Nisos
Nisos’ ability to help the client was rooted in our ability to deliver high-quality technical application analysis combined with open source research and attribution.
Preparation
The Client started by providing Nisos with a detailed history of bots that they had previously uncovered. They requested Nisos identify additional bots that may be present and undiscovered. In order to accomplish this task, Nisos did not need to access the Client’s network or sensitive data.
Execution
Nisos acquired the bot of most concern to the client through a common app store. We confirmed that it operated as claimed and provided an analysis of how the bot functioned at the code level. We also determined that several methods could be used to create a functional bot targeting the client’s platform, and we provided recommendations to the client to remediate this risk.
Our assessment concluded that the creator of the bot took the official client application, acquired the binary from a device, and altered it with their own additional code. This additional code pulled the necessary information from the client and automated user responses.
Attribution
Nisos found that previous application bot domains were associated with truncated email addresses. In one case, Google cache inspection of application .vip revealed a Telegram account associated with a partially named online persona. We acquired a license for the application and extracted the Intelligent Process Automation (IPA). We then identified that the back-end server for downloading the app bot was associated with an IP address that served as a Virtual Private Server (VPS). The infrastructure was hosted in a Japanese hosting facility.
In another case, we were able to track back “old” versions of the application bots that revealed selectors. Using these selectors and cross-referencing them against Nisos’ proprietary credential databases and other external telemetry, we attributed them to named individuals. We also determined that these selectors were being used for additional, identifiable fraudulent activity.
External Hygiene Assessment Delivers Valuable Insight Prior to Company Acquisition
By Nisos on Nov 13, 2020 4:34:39 PM
The Challenge
Nisos was contracted to conduct cybersecurity diligence and an assessment of external network hygiene for a cybersecurity company’s acquisition target.
Why Nisos
Although the client, a cybersecurity company, leverages many of the same services as Nisos, they understood that Nisos’ analytical rigor and access to external data collection would allow them to gain greater insight and optimize the evaluation of their acquisition target. Utilizing publicly available information, third party datasets, and partner relationships, Nisos was able to discover and assess the target of acquisition’s cyber assets and provide the client with a comprehensive understanding of areas of concern and indicators of compromise.
Preparation
Nisos began the investigation knowing eight registered domain names of the acquisition target. Nisos had no existing insight into the company’s overall cyber posture. The investigation revealed extensive information about the acquisition’s cyber-security maturity and the breadth of their cyber assets.
Execution
Nisos identified several ties to entities that were not publicly affiliated with the acquisition target. The investigation, conducted on the public internet, uncovered IP addresses directly associated with the target’s office. This led to the identification of specific infrastructure which would likely be targeted by an advanced attacker. Nisos also identified a server providing remote access to the target’s office network and users of a Docker instance created by the target, one of which was running default credentials. Although the instance did not appear to belong to the target, an attacker could leverage it to gain control over a customer. It could also be used as an access vector in a breach of someone using the target’s software. A compromise of this sort could negatively impact the target’s brand reputation and ability to generate new clients. The investigation ultimately determined that the organization's cyber-security maturity was high, which is uncommon for organizations of similar size, but consistent with the target’s cybersecurity background.
Impact
Based on Nisos’ findings and recommendations, the acquiring company immediately and transparently began remediation. Recommended remediation actions included removing public permissions, enforcing two-factor authentication for console access, and limiting access to the Kubernetes ingress controller to whitelisted IP addresses only. Throughout the process, Nisos shared best practices and additional guidance with the client and the acquisition target.
Mitigating Advanced Threat Actors: Gaining Access to Closed Groups to Gain Insight into Vulnerability Disclosure and Further Litigation
By Nisos on Oct 1, 2020 7:20:58 AM
The Challenge
A retail client requested our assistance to identify an individual, who was also a paying customer, who wrote a Python script that scraped a backend server. The customer had also previously published a WiFi vulnerability present at the company’s offices in the US. The client was aware of closed forums where this customer and other potential threat actors exchanged ideas about denigrating the client’s reputation, and asked Nisos to help understand the nature of the threat.
Mitigating Advanced Threat Actors: Acquiring and Analyzing Malicious Tools to Stop Fraud
By Nisos on Oct 1, 2020 7:13:36 AM
The Challenge
Malicious foreign actors were creating automated tools to abuse an e-commerce client’s platform. Using that automated process, the threat actors were able to mass-create and bulk-manage accounts, run advertisements, and use credit cards. With those credit cards, they were able to make purchases through the client’s site and through the client’s customers and third-party service providers.
Case Study: Preventing Corporate Sabotage by a High-Level Executive
By Nisos on Jun 22, 2020 11:39:36 AM
The CEO of a multinational manufacturer (Client) identified an urgent need to remove a key executive, along with several accomplices, from the operations of the company, based on concerns that these insiders were intent on sabotaging the company. Given the known IT expertise and access of the executive and his associates, the Client needed to prevent these persons of interest (POI) from stealing sensitive data or disrupting the network prior to being fired. The Client also intended to pursue legal action against the POI and needed digital evidence preserved.
Case Study: Data Driven Executive Protection
By Nisos on Apr 27, 2020 9:41:53 AM
Nisos was tasked to acquire additional information on a threat actor making violent threats against a big tech company's executive leadership.
Case Study: Malicious Insider Leaking Information to the Unauthorized Third Parties
By Nisos on Apr 26, 2020 9:07:19 PM
A technology company’s proprietary information was leaked to unauthorized third parties presumably from an identified disgruntled employee. The Client required assistance in determining with certainty whether such actions could be directly attributed to a specific employee within its organization and whether mitigation controls could be put in place to prevent further leaks.
Case Study: Using Data for Market Entry of Product and Services Based on Security Incidents
By Nisos on Apr 26, 2020 9:04:45 PM
A global consumer service provider was exploring different foreign cities to launch their new service, using security and safety as a critical metric.
Case Study: Preventing the Exfiltration of PII from a Malicious Administrator
By Nisos on Apr 26, 2020 9:01:57 PM
A major pharmaceutical company made the decision to terminate an administrator and was concerned about the malicious exfiltration of personally identifiable information (PII) before his termination.
Case Study: Investigating a Destructive Administrator Following Merger and Acquisition
By Nisos on Apr 26, 2020 8:58:03 PM
A global manufacturing company experienced a corporate-wide outage due to being locked out of their router devices between corporate headquarters and their branch offices across the globe. After internal investigation and significant downtime resulting in major losses in revenue, it was suspected this outage was likely caused by malicious insider activity involving a recent acquisition.
Case Study: Attributing E-Crime Syndicates Adds Critical Context
By Nisos on Apr 17, 2020 3:26:58 PM
Huddled around keyboards half a world away, a shadowy group of technically-savvy criminals devised techniques to hide from system administrators and run internet scams that defrauded a client out of hundreds of thousands of dollars in revenue every month.
Case Study: Countering Destruction to Save a Business
By Nisos on Apr 16, 2020 3:17:32 PM
A healthcare technology company suffered a wide-scale destructive compromise after an attacker targeted the Client’s backend point of sale technology and deleted all customer data.
Case Study: DDOS Investigation Leads to Much Greater Network Security Bolstering
By Nisos on Apr 16, 2020 2:56:46 PM
A multinational manufacturer needed assistance investigating a large-scale distributed denial of service (DDOS) attack against several publicly accessible websites and applications. In the course of the attribution investigation, we detected indicators of wide-spread compromise on the Client’s network using external telemetry not available to the Client.
Case Study: Attributing Short Sellers to Increase Confidence in Corporate Governance
By Nisos on Apr 16, 2020 2:41:02 PM
A pharmaceutical company was facing a sophisticated “short and distort” stock market manipulation campaign, costing the company billions in market cap. A variety of anonymous virtual personas were publishing false information about the company’s leadership on social media and investing platforms, apparently in a coordinated fashion. These activities negatively influenced public perception of the company’s overall corporate governance and damaged the stock price, thereby allowing those holding short positions to profit.
Case Study: Online Indicators and Warning Enables Business
By Nisos on Apr 16, 2020 2:29:34 PM
A multinational energy company operating in a volatile nation had recently faced serious threats to its personnel and infrastructure as threat actors had begun resorting to violence. The company needed in-depth social media sentiment analysis and timely indications and warnings across social media and closed online forums in order to achieve a more stable risk posture and protect its people and assets.
Case Study: Countering APTs, Ensuring M&A Standards Through Threat Hunting
By Nisos on Apr 9, 2020 8:27:49 PM
A global retailer’s peers were attacked with customized ransomware and the retailer’s subsidiaries were being targeted with customized phishing attempts. Out of concern that a subsidiary could be targeted by a similar ransomware attack, Nisos was contacted to assist.
Case Study: Investigating a DDOS Attack
By Nisos on Apr 9, 2020 7:30:00 PM
A global consultancy experienced network outages resulting from a large-scale Distributed Denial of Service (DDOS) attack against their Domain Name Service (DNS) servers. Nisos was engaged to leverage access to external telemetry and analytic expertise in order to determine if the consultancy was specifically targeted by the DDOS attack and to perform potential attribution of the threat actors and attack sources.
Case Study: Third Party Risk Management, Investigating a Leak of Sensitive Data from a Customer
By Nisos on Apr 8, 2020 4:55:59 PM
A global data and infrastructure provider determined a very tightly controlled database was for sale on the dark web. The Client discovered this database was being sold on criminal forums and needed to attribute the seller and the source of the leak.
Case Study: Insider Threat, Preventing Destruction During M&A
By Nisos on Apr 8, 2020 4:45:12 PM
A global technology company was in the process of divesting a previous acquisition. Upon learning of the divestiture plan, the key executives at the acquired company threatened to destroy corporate infrastructure if the company was not sold back to the original founders at a lower price.
Case Study: Threat Intelligence to Remediate Platform Abuse
By Nisos on Apr 8, 2020 3:48:21 PM
A publicly traded technology company with thousands of global employees maintains a premier business unit application platform regularly abused by eCrime and cyber espionage actors.
Case Study: Actively Countering Advanced Persistent Threats with External Telemetry
By Nisos on Apr 7, 2020 9:48:40 PM
A technology company with thousands of employees across the globe was under attack by a nation-state level adversary. They requested Nisos’ assistance to provide critical intelligence to detect indicators and respond to the attack.
Case Study: Cyber Diligence, Critical for M&A
By Nisos on Apr 7, 2020 9:09:36 PM
A private equity company focusing on mid-size businesses acquired an e-commerce platform, and during the post-acquisition period learned of a breach affecting the company’s public-facing application server.
Case Study: Eight Hours to Attribution
By Nisos on Apr 2, 2020 9:16:57 AM
A multinational manufacturer (The Client) came to Nisos for help responding to an unusual incident. An unauthorized user opened a trouble ticket in the Client’s internal IT ticketing system. In the ticket, the actor demonstrated access to sensitive client resources and associated the ticket with a senior IT security executive.
Case Study: Mergers, Acquisitions & Hidden Threats
By Nisos on Dec 3, 2019 9:08:00 PM
Executing a successful merger or acquisition is a major undertaking. There are countless details to be managed by a multitude of stakeholders against fast-approaching deadlines. Strategic issues including financials, employment, tax, and technology must all be considered within the scope of regulatory and integration considerations to ensure the smooth unification of distinct entities.