The Privacy, Data Protection and Cybersecurity Law Review: Challenges Faced During Cyber Incident Investigations

This article is an extract from The Privacy, Data Protection and Cybersecurity Law Review, 9th Edition.

I Introduction

As organisations embrace a remote work culture and build their strategies on data-driven analytics to drive productivity, efficiency and revenue growth, cyber threat actors are likewise using ‘data as a weapon’ to increase the impact of cyberattacks and to gain leverage for their financial motives. Historically, cyber breaches were a matter for the information security teams at the heart of the organisation, who run and manage the digital assets that enable users to perform their duties; because of the increasing number of breaches, their harsh implications and several strict government regulations, the subject has now also made its way to board level in the majority of organisations.

As governments mandate stricter data regulations and reporting timelines, it is essential for organisations not only to know their regulatory obligations but also to prepare for them. It is equally important for the forensic professionals assisting in an investigation to be able to collect and analyse the data that enables organisations to make informed decisions while responding to regulators and their customers.

In this publication we present an overview of the data exfiltration aspects seen in the top cyberattacks faced by organisations and the common challenges faced during such investigations.

II Overview of regulations related to cyber breaches in China, including Hong Kong

Before taking a deep dive into the cyberattacks and analysing the data exfiltration aspect, let us briefly examine the prevailing data-related regulations in China.

i The China Cyber Security Law

This law is formulated to (1) ensure cybersecurity; (2) safeguard cyberspace sovereignty and national security, and social and public interests; (3) protect the lawful rights and interests of citizens, legal persons and other organisations; and (4) promote the healthy development of the informatisation of the economy and society. According to the Cyber Security Law (CSL), organisations impacted by a breach are required to report and notify the relevant authorities and affected data subjects of actual or suspected personal information breaches in a timely manner.

ii China’s Personal Information Protection Law (PIPL)

Personal information processors are required to ‘promptly’ notify the relevant personal information protection authorities and data subjects in the event that a data incident has occurred or is likely to occur. Administrative fines of up to 50 million yuan or 5 per cent of the previous year’s turnover may apply.

iii China’s Data Security Law (DSL)

The DSL applies to data processing activities carried out within the territory of China, and to data processing activities conducted outside China that harm China’s national security, the public interest, or the legal interests of citizens and organisations in China. It requires organisations to have incident planning in place, to remediate incidents immediately, to promptly notify the relevant individuals, and to report such data security incidents to the regulator.

iv Personal Data Privacy Ordinance (PDPO), Hong Kong

The Personal Data (Privacy) Ordinance (Cap. 486) (the PDPO) is a technology-neutral set of laws that provides a set of data protection principles outlining how data users should collect, handle and use personal data. Data users are required to take steps to ensure that personal data is protected against unauthorised or accidental access, processing, erasure, loss or use, including in the event of a data breach or leak.

v Privacy Commissioner for Personal Data, Hong Kong

The Privacy Commissioner for Personal Data (PCPD) recommends filing a data breach notification as the proper practice for handling such incidents.

III Analysing data exfiltration aspects of common cyber incidents faced by organisations

Multiple regulations focused on data privacy and breach notification are in place to mandate reporting and to motivate organisations to improve their cybersecurity posture. Against this background, the following sections examine the various aspects of data exfiltration seen during typical cyberattacks faced by organisations and the key challenges encountered during investigations.

i Data compromise in a business email compromise breach

Email-based attacks have been on a constant rise, with a steeper rise seen during the pandemic. As the situation evolved, the threat actors changed their lures to more relatable pandemic-related themes, banking on the uncertainty and the changing anti-pandemic measures to increase their chances of baiting their victims. Business email compromise is a cyberattack in which threat actors gain access to victims’ mailboxes and induce a financial transaction by hijacking an existing email chain or creating a new one, tricking the victim into transferring funds to a bank account controlled by the threat actors. In executing the attack, with the final motive of financial gain, the threat actors modify the bank account details on a legitimate pending invoice and trick the victim into transferring funds to the threat actors’ bank account.

While it is clear how the threat actors target and execute the attack, it also encompasses several information discovery steps. From our analysis, and from public threat reports of multiple similar breaches, we have noted that, prior to carrying out the final impact of the attack (the financial transaction), the threat actors gathered and reviewed emails and files that may have contained financial information such as pending bills and customer details. Beyond reviewing data to understand the language, terminology and writing style used within the organisation, they also replicated user mailboxes for offline access and accessed global address lists (GAL) containing contact cards for all employees of the organisation. The details captured from the GAL, or from the files and emails accessed, may include customer details, personal information and sensitive information, and may give the threat actors the ability to carry out further cyberattacks based on the information collected.

The key challenges in the investigations related to business email compromise cases are as follows:

  1. Lack of retention of log files, leading to gaps in visibility of the actions performed by the threat actors: system-generated audit logs contain the trail of activities performed by a user account. Often during our investigations we have noted that some of the logs were not enabled, resulting in less visibility into the threat actors’ actions and thus impacting the overall root cause analysis.
  2. Less visibility in the logs of traditional on-premises email systems compared with cloud-hosted services such as Microsoft Office 365 and Google Mail, leading to gaps in identifying the actions performed by the threat actor: traditional on-premises email systems are customised and configured to the needs of the organisation and give the administrator more control, whereas the cloud-hosted systems offer more logging features and integrated security controls. The common challenges faced when analysing logs from on-premises systems are the absence of certain log sources, such as actions performed in the mailbox after user login, and limited log retention periods, which can lead to gaps in visibility during a forensic review.
  3. Delayed detection of fraudulent transactions and jurisdictional issues within banking systems, leading to delayed or no action on the target bank account or seizure of the funds.
  4. Lack of web filter logs creates a gap in identifying and validating the users targeted and in establishing who accessed the phishing or scam website used to lure users into submitting credentials or to redirect them to malware execution. Because such access logs are limited or absent, it becomes difficult to determine the number of employees targeted, any data transfer, previous or similar campaigns targeting the organisation, and which employees fell victim to such attacks.

Case study: business email compromise scam causing a financial impact of over US$5 million

We were engaged by one of our clients in mainland China to investigate a business email compromise attack that resulted in over US$5 million in fraudulent payments. During our investigation, we noted that the threat actors had gained access to the mailboxes of several finance team members over a period of four months prior to initiation of the fraudulent transaction. A common technique used by the threat actors during this campaign to maintain access to information was an email forwarding rule that sent a copy of incoming emails to an address controlled by the threat actors, serving as a method of data exfiltration. During our review, we noted multiple simultaneous ongoing conversation chains hijacked by the threat actors that were nearing agreement on payments; these were stopped by our team, mitigating a cumulative loss of about US$8 million. On the advice of the client’s legal counsel, the potentially exfiltrated data was reviewed to determine the nature of the information exfiltrated, and the impacted customers were accordingly notified about the information (such as proforma invoices, letterheads with declarations, etc.) that may have been exfiltrated and stored by the threat actors.
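Forwarding rules of the kind described above leave a trail in mailbox audit logs, provided those logs are enabled and retained. The following Python, an added example that is not the authors’ code, scans constructed audit records for inbox rules or mailbox settings that forward mail to an address outside the organisation’s own domains; the record layout and parameter names (ForwardTo, RedirectTo, ForwardingSmtpAddress, etc.) are assumptions about an exported audit log, not a particular product’s schema.

```python
import json
from typing import Dict, Iterable, List, Set

# Constructed sample records (not real audit data), one JSON object per line.
# Field names are an assumption about an exported mailbox audit log.
SAMPLE_AUDIT_LOG = """
{"ts": "2022-03-01T08:12:44Z", "user": "ap.clerk@corp.example", "operation": "New-InboxRule", "params": {"Name": "sync", "ForwardTo": ["archive-mail@webmail.example"]}}
{"ts": "2022-03-01T08:15:02Z", "user": "ap.clerk@corp.example", "operation": "New-InboxRule", "params": {"Name": "team", "ForwardTo": ["ap-team@corp.example"]}}
{"ts": "2022-03-03T17:40:10Z", "user": "cfo@corp.example", "operation": "Set-Mailbox", "params": {"ForwardingSmtpAddress": "smtp:CFO.Backup@freemail.example"}}
{"ts": "2022-03-04T09:01:00Z", "user": "cfo@corp.example", "operation": "MailItemsAccessed", "params": {}}
"""

# Domains that belong to the organisation; anything else is treated as external.
INTERNAL_DOMAINS: Set[str] = {"corp.example"}

# Rule / mailbox parameters that copy or redirect mail to another address (assumed names).
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")


def normalise_addresses(value) -> List[str]:
    """Return lower-case SMTP addresses from a string or list, dropping any 'smtp:' prefix."""
    if value is None:
        return []
    values = [value] if isinstance(value, str) else list(value)
    out = []
    for v in values:
        v = v.strip().lower()
        if v.startswith("smtp:"):
            v = v[len("smtp:"):]
        if "@" in v:
            out.append(v)
    return out


def is_external(address: str, internal_domains: Set[str]) -> bool:
    """True when the address domain is not one of the organisation's domains."""
    return address.rsplit("@", 1)[1] not in internal_domains


def find_external_forwarding(lines: Iterable[str],
                             internal_domains: Set[str] = INTERNAL_DOMAINS) -> List[Dict[str, str]]:
    """Scan audit records and return one finding per external forwarding target."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        params = rec.get("params") or {}
        for name in FORWARD_PARAMS:
            for addr in normalise_addresses(params.get(name)):
                if is_external(addr, internal_domains):
                    findings.append({"ts": rec["ts"], "user": rec["user"],
                                     "operation": rec["operation"], "param": name, "target": addr})
    return findings


def affected_users(findings: List[Dict[str, str]]) -> List[str]:
    """Mailboxes whose contents must be treated as potentially exfiltrated."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{f['ts']} {f['user']} {f['operation']} {f['param']} -> {f['target']}")
```

The list of affected users is the starting point for the data review the case study describes: every message received by those mailboxes while the rule was active has to be assumed to have been copied out.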

ii Data compromise in a ransomware breach

Threat actors have been increasingly targeting organisations with ransomware; as part of the attack they lock the files in the system and exfiltrate data from the organisation, threatening to make it public in order to force the organisation to pay and avoid a leak. According to Verizon’s Data Breach Report 2022,2 ransomware has increased by 13 per cent, continuing an upward trend. Before exfiltrating data, the threat actors try to identify valuable data in the organisation’s network to encrypt and exfiltrate. In typical ransomware investigations done by our team, we have noted the use of public file storage websites and cloud servers as one of the storage methods used by the threat actors for exfiltrated files.

The key challenges faced during investigations of ransomware cases are outlined below.

Inadequate or absent network and endpoint visibility leading to gaps in timeline analysis

System event logs are available in all operating systems and capture system activity and actions at the level of verbosity configured. During a forensic review these logs are used to determine operating-system-level activity, such as exploitation or other malicious actions, and they provide details of when an activity occurred. However, they lack in-depth visibility of matters such as the amount of data transferred over the network or the files transferred over USB, which leaves gaps in answering questions about files transferred over the network or USB devices. Because commonly used operating systems do not provide such logs natively, this gap can be mitigated by using external software to collect and monitor such telemetry.

Unreliable timestamps and file metadata because of encryption

Typically, in a ransomware incident, threat actors exfiltrate data and then execute ransomware to encrypt the files, which updates file metadata such as the ‘file modified date’. Because of this file system activity, the file metadata becomes unusable for the forensic reviewer, and questions such as the number of files accessed by the threat actors before encryption, or which files were modified before encryption (to identify potential malicious activity), may not be answered accurately.

Loss of system artifacts because of anti-forensic techniques used by threat actors

Threat actors frequently use anti-forensic techniques to avoid leaving footprints of their actions, in order to delay the creation of countermeasures by security companies and to evade detection of their malware and activities. From our experience investigating sophisticated attacks, and from analysis of various reputable threat reports, commonly employed anti-forensic measures include clearing of system logs, deletion of malicious files after execution, heavy obfuscation of the malicious code and malware capable of self-destructing on receiving a command from the threat actors. These techniques lead to the loss of system artifacts and files, impacting the root cause analysis and resulting in gaps in establishing the timeline of events.

The use of an outdated GeoIP database on firewalls (GeoIP data maps IP addresses to their allocated country IP ranges and to autonomous system numbers, which in turn map the IP addresses to the organisations controlling the IP blocks) leads to enrichment of connecting IP addresses with inaccurate geolocation, ASN organisation, ISP details, etc. This information leads to errors in statistical analysis based on these factors. For example, an outdated entry in the GeoIP database for a malicious IP address that the database attributes to a highly reputed ASN organisation or internet service provider can lead the forensic analyst to exclude the connection from further scrutiny because of the reputation of the organisation apparently controlling the IP address block.

The lack of internal network telemetry and NetFlow data leads to gaps in visibility of lateral movement across devices in the network. One of the tactics used by threat actors after gaining access to a compromised endpoint is to carry out several discovery steps to identify data of potential importance within the network and, in some cases, to stage the collected data for exfiltration. Operating system logs store only limited details of such connection events, and only for connections made using the operating system’s built-in functions and services; they lack visibility of the amount of data transferred and the method used for the connection, and may contain no information at all if the threat actors deploy a custom tool for data movement and for accessing computer systems within the network.

Law enforcement agencies face jurisdictional issues in securing access to cloud servers used by threat actors. From our experience in such investigations, threat actors have been noted to use cloud-based systems for hosting command and control infrastructure, as data exfiltration destinations, etc. Where law enforcement action is taken against the servers (identified by server IP address) used by the threat actors, the agencies often face challenges because of jurisdictional issues and because of the inherent nature of cloud server provisioning, which enables the subscription holder to deploy servers for only a short duration, after which the cloud service provider may assign the same IP address to another customer who is unrelated to the incident.

Case study: a ransomware incident impacting a client’s offices in mainland China and Hong Kong

In a recent case investigated by our team, one of our clients in mainland China was impacted by a ransomware incident that led to the encryption of systems across several mainland China offices and the Hong Kong region because of the interconnectivity of the networks. We were engaged as first responders to identify the root cause of the incident and the gaps exploited by the threat actors, and to identify data exfiltration activity. During our review, we identified that initial access was gained by the threat actors through an exposed remote desktop application, followed by data exfiltration and the encryption of files as the final impact. Our team carried out digital forensics and identified the threat actors’ actions, but could not determine the exact number of files accessed by the threat actors because the metadata had been updated by the file encryption. After discussion with the client’s legal counsel, a fallback method was used to determine the activity: if a system had been accessed by the threat actor, its data was considered exfiltrated. In other instances where our clients had more network visibility and endpoint logs, the determination of data exfiltration has been very accurate, as the logs provide more details of the various processes executed by the threat actors and record the volume of data transferred, in terms of packets, during execution of the attack.

iii Data compromise because of cloud misconfigurations

As more and more organisations shift towards adopting cloud infrastructure to scale their operations, utilising cutting-edge interactive web applications that function on a user behaviour matrix, various threat reports have noted that some aspects of cloud security have been challenging for IT professionals accustomed to traditional on-premises infrastructure, which gave them more control. In the recent IBM Cost of a Data Breach Report 2022,3 the cost of breaches resulting from cloud misconfigurations totalled US$4.14 million. Impacts of cloud misconfiguration include data loss and access to sensitive or personal information, credentials or API keys, which can in turn be used to gain further access to computer systems in the IT environment.

Key challenges faced during investigation are outlined below.

Lack of application logs

Application logs for a web application capture details of system events and actions performed by users, depending on the configuration. These logs can be a useful source for determining the impact of malicious actions, in addition to the logs from the web server or load balancer, which capture only limited details of the interaction with the application (the web requests) and not the details of the events themselves within the web application.

Lack of cloud server logs for extensive periods

As organisations move towards greater digitalisation and use cloud systems to reduce overheads and automate workflows, the usage of cloud systems increases. Cloud systems are natively designed to optimise performance and tend to provide limited storage space in order to manage cost. Because of the limited storage on cloud servers, and gaps in the technical understanding of administrators, the logs of such systems are generally kept for only short durations so that storage can be used for other data such as databases or code, leaving logs available for only a limited period.

Difficulties in forensic image creation of the storage as compared with traditional hard drives

Cloud server file storage differs in architecture from the traditional hard drives found in computer systems. Forensic preservation of cloud server storage poses a variety of challenges for forensic analysts seeking to collect images efficiently without compromising the integrity of the evidence files. Some cloud infrastructure providers offer methods to download the existing operating system image as a virtual machine as part of their backup functionality; the forensic analyst can use this as an image because it is system-generated, leaving no possibility of tampering during its creation, and it includes the image hashes. Other cloud infrastructure providers may not offer such backup methods, posing a challenge for forensic collection and limiting the possibility of retrieving deleted evidence, which may in turn impact the investigation.

Case study: investigation of a compromised web application

We investigated an incident involving an exposed vulnerable web application that was exploited by the attackers to gain initial access. The breach was identified through security alerts on the storage raised to the IT security team. During our root cause analysis, it was noted that the application had been vulnerable for at least eight months before the exploitation, but because of the limited logs, previous instances of other security breaches resulting from the vulnerability could not be discovered, leaving gaps in the investigation and in the stronger mitigation measures that could be taken.

iv Data compromise as a result of insider data theft

Insider data thefts have been on a constant rise, and with organisations working remotely, instances of such cases are increasing. Analysis of a recent news story4 also indicates potential advertisements by ransomware-related threat actors offering rewards to insiders willing to help the groups introduce malware into internal systems.

The key challenges are as follows:

  1. weak internal network controls leading to poor access control over sensitive data, and in turn to a failure to attribute unauthorised access activity to the employees under review;
  2. improper or absent web content filtering, which leaves typical file-sharing websites unblocked and allowed in the network, an exposed risk area. In such situations, it becomes difficult for the forensic analyst to identify file transfer activity, as general user activity increases the number of people visiting such services, making it difficult to identify the exact source of the data exfiltration;
  3. a lack of retention of printer logs, leading to gaps in analysing a user’s print history and in turn to gaps in conclusions; and
  4. the absence of data leak prevention solutions. Commonly used operating systems such as Windows and the Macintosh operating systems provide certain details, such as the connection of a USB drive, but lack the ability to log the data transferred over the USB channel, leaving gaps in establishing which files were transferred by the user of the machine. Data leak prevention solutions provide a layer of security that bridges these visibility gaps for data transfers and, depending on their configuration, prevents the transfer of data containing confidential information.

v Good practices to mitigate challenges during forensic investigations

To investigate a cyber incident and gain visibility of the actions performed by the threat actors, digital evidence from computer systems and log files serves as a vital source for understanding the threat actor’s activities and determining data exfiltration activity. We list below some best practices for maintaining and preserving critical digital evidence:

  1. maintaining a strict chain of custody and secure handling of digital evidence during investigations to protect it from tampering and maintain its integrity. Actions such as accessing the device under review directly without write protection, or rebooting systems, can alter timestamps or create additional files on the system, and will impact the integrity of the evidence;
  2. establishing procedures and protocols for digital evidence handling, together with planning and preparation to be future-ready, can be a strong avenue for organisations to ensure that critical evidence, such as system-generated log files that tend to be overwritten quickly, is secured in a timely manner;
  3. forensic readiness assessment: with the increasing sophistication of cyberattacks, an incident is a matter of ‘when’ rather than ‘if’. Forensic readiness assessments can help organisations identify and test aspects of data retention, data availability, data formats, log levels, etc., to secure the availability of data should an incident occur;
  4. cyber drills such as tabletop exercises, in partnership with breach responders and legal teams, can help prepare management teams to understand their roles, responsibilities, regulatory obligations and the challenges they may come across while responding to a cyber incident; and
  5. periodic threat hunting exercises may be carried out to identify potentially compromised assets in the IT environment by looking for indicators of compromise, such as operating system commands used for lateral movement or information gathering, that are hard to detect with IT security tools.
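The first practice above, and the point made earlier that a provider-generated image is trustworthy because it carries its own hashes, both come down to being able to prove that evidence has not changed since acquisition. The following Python, an added example rather than the authors’ own procedure, re-hashes an image against the hash recorded at acquisition and keeps a chain-of-custody log in which each entry commits to the previous one, so that an altered, removed or re-ordered entry is detected on verification; the image bytes and custody entries are constructed for the example.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed stand-in for an acquired disk image (a real one would be read from a
# write-blocked device or from the cloud provider's exported VM image).
EVIDENCE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\xaa" * 1024


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash recorded at acquisition time and stored separately from the image itself.
ACQUISITION_HASH = sha256_hex(EVIDENCE_IMAGE)


def image_matches(image: bytes, recorded_hash: str) -> bool:
    """Re-hash the image and compare with the value recorded at acquisition."""
    return sha256_hex(image) == recorded_hash


def _entry_hash(entry: Dict[str, str]) -> str:
    """Hash of an entry's fields (excluding its own hash) in a canonical encoding."""
    fields = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(fields, sort_keys=True).encode())


def append_custody_entry(log: List[Dict[str, str]], action: str, actor: str,
                         image: bytes, ts: str) -> Dict[str, str]:
    """Append an entry that commits to the evidence hash and to the previous entry."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"ts": ts, "action": action, "actor": actor,
             "evidence_hash": sha256_hex(image), "prev_entry_hash": prev}
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_custody_log(log: List[Dict[str, str]], recorded_hash: str) -> Tuple[bool, str]:
    """Walk the chain: every link must match, every entry must be unaltered, and every
    entry must have observed the same evidence hash as recorded at acquisition."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["prev_entry_hash"] != prev:
            return False, f"entry {i}: chain link broken (entry removed or reordered)"
        if entry["entry_hash"] != _entry_hash(entry):
            return False, f"entry {i}: entry contents altered"
        if entry["evidence_hash"] != recorded_hash:
            return False, f"entry {i}: evidence hash differs from acquisition hash"
        prev = entry["entry_hash"]
    return True, "ok"


if __name__ == "__main__":
    custody: List[Dict[str, str]] = []
    append_custody_entry(custody, "acquired", "examiner-1", EVIDENCE_IMAGE, "2022-05-01T10:00:00Z")
    append_custody_entry(custody, "transferred to lab", "examiner-2", EVIDENCE_IMAGE, "2022-05-01T14:00:00Z")
    print(verify_custody_log(custody, ACQUISITION_HASH))
```

A verification failure at the hash step is exactly what a reboot or an unprotected write to the device under review would produce; the custody log then shows at which hand-over the evidence stopped matching.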

1 Paul Pu and Dakai Liu are partners and Mohit Kumar is a director at KPMG China.

2 Verizon’s Data Breach Report 2022

3 IBM Cost of a Data Breach Report 2022

4 A Tesla Employee Thwarted an Alleged Ransomware Plot,