
So, Is Someone Getting Fired, Or…?

Working | January 12, 2025

This story reminded me of something very similar happening around here some years ago.

I work for a very security-conscious company. “Paranoid” would probably be a more appropriate term. At least every other month, a “phishing test” is conducted by our security team (i.e., my department); we send out some too-good-to-be-true emails from various external email addresses trying to get people to click on something. The usual chewing out follows if someone actually does click on them. Okay, it’s not that bad, nothing job-threatening, but it’s not exactly promotion-helping to get the lecture every other month, either. So, our staff is already pretty good at not clicking the test emails, and they’re also good about reporting them to security.

One such email is a daily matter, and a few are something to be concerned about, but a company-wide mass email hitting everyone at once would be terrible.

Two weeks before Christmas, exactly that happened. It was pandemonium in security. Someone apparently tried really hard to break into our high-sec company by sending out a “gift certificate” to every single person in the company. Nobody clicked it (or at least nobody admitted it), but over 2,000 emails hit our CERT (Computer Emergency Response Team) inbox with warnings of someone trying to phish, and the phone calls just didn’t stop.

This was the big one — the one we had trained and practiced for. It wasn’t some spearphishing attack where a select few mailboxes in Human Resources were hit. Apparently, someone didn’t care that they were loud as all h***; every email address got one such “gift”. They even had the audacity to send it to the whole security team, even the CISO (Chief Information Security Officer). Someone apparently had every email address of our company. (That alone was already a nontrivial matter that should be concerning.)

All of our senior malware and phishing experts were dragged out of their projects and shoved into this to find out — fast — what this beast was about. The immediate no-details-just-what-matters result we came up with: whoever the attacker was must be incredibly good. There was nothing obvious there; no contact with a control server, no immediate triggers, and most of all, they were genuine gift cards. Someone must have pulled out the big guns and spent quite the dough to make it look perfectly genuine. There wasn’t an immediate payload, and we couldn’t identify anything as a direct link to something.

Someone must have been trying to plant a time bomb that went off weeks or even months after planting it, maybe trying to slowly exfil data to evade our Intrusion Detection Systems and Intrusion Prevention Systems.

I can’t give more details here or share who we thought was the source, but the going theory was that a state actor was nearly certainly the source. This was no simple industrial espionage; this must be something way, way bigger if they had unloaded something on us that we’d never had before. We pondered that it must be some new attack scheme that hadn’t already been tried, something big.

This must be bigger than us, so we reached out to other CERTs we were connected to, including government ones, to ask whether anyone else had seen something like that. No luck. Nobody knew anything. Vacations were canceled and people were put on all-hands alerts for the holidays, which is when such things usually strike, with most people on vacation and a skeleton crew handling tasks.

We were prepared. Bring it on!

About five hours into the whole mess, a call arrived in the H***-on-earth task force room from our CISO. He told us to cancel it all. The head of Human Resources had just called him and explained pretty sheepishly that top management wanted to hand out a surprise gift to everyone, and apparently, they somehow must have forgotten that this might trigger a few reactions.

As a token of appreciation for the work we had poured into the whole mess, our CISO forwarded the email he sent to the HR top dog, with a copy to the CEO (who in turn paid for every cancellation and made sure everyone got their holidays back in order as planned, to his credit).

But it was worth it. At least I now know very well how to call someone higher up the chain of command a f****** moron without using those two words per se but leaving very little leeway for guessing wrong.
