QinetiQ Forensic Findings and Analysis Report
- 28 pages
- Confidential
- July 21, 2010
- 5.59 MB
Beginning in March 2010, HBGary, Inc. was contracted to assist in the identification, analysis, and removal of malware from QinetiQ North America (QNA) internal systems. This was in response to what QNA believed to be an organized and sophisticated cyber attack involving the potential theft of ITAR controlled data. HBGary was given background on the attack, which included information on targeted attacks on digital data systems that have occurred in the past.
HBGary deployed the ‘Active Defense’ platform to scan endpoints for malicious software and indicators of compromise. Over the course of the total engagement, agents were deployed to 1,948 endpoints. In total, seven different malicious tools were discovered in association with the cyber attack. Over the entire network, 71 hosts were discovered to be affected by the cyber attack. These systems were subsequently cleaned using HBGary’s inoculation technology, or mitigated directly by the QNA network staff.
The work was carried out in two phases. The first phase focused on an initial set of 1,400 hosts, of which 746 were scanned. The results of the phase-1 scans were published in the HBGary “Forensic Findings and Analysis Report,” dated May 12, 2010. This comprehensive report details the findings, threat assessment, and advanced methodologies used to identify attacker tools and techniques.
The second phase was to complete the tasks required to scan additional QNA systems, and a second Statement of Work (SOW) was signed on May 24, 2010. This second SOW contained two tasks:
– Task one involved completion of deployment and scans of the 1,400 hosts described in the original SOW. This task was performed at no cost to QNA.
– Task two involved the deployment of ‘Active Defense’ agents to the remaining systems within the QNA environment, scanning those systems for IOCs, and analyzing identified malware. Task two also included the creation of Intrusion Detection System (IDS) signatures as required and the use of HBGary’s ‘inoculator’ to remediate infected systems.
This report details the work completed by HBGary security consultants for the second SOW. It includes findings, recommendations, and a detailed description of the tasks performed. It is a supplement to the previous QNA report published by HBGary.
For additional information regarding the overall QNA threat assessment including threat history and attribution, open source intelligence, general structure of malware found, details of secondary command and control channel operation, and indicators of compromise, refer to the HBGary “Forensic Findings and Analysis Report.”