How we discovered a cyber-attack before it was too late

When our security analysts discovered suspicious traffic patterns in one of our networks, they took a closer look. Had this customer not have had the protection through us that they do, the outcome could have been much worse.

In early September 2019, our security analysts discovered suspicious traffic patterns in one of our customers networks. On closer examination, unencrypted web traffic was observed against an external IP with a negative reputation, where one of the customer’s PCs downloaded both exe files and an abnormal amount of text documents.

By putting this into a larger context and expanding the search area for the surveys, deviations from normal usage patterns around mail traffic from the internal PC emerged. You can read more about this hacker campaign in Checkpoint´s research paper published October 16th 2019.

With these findings, our team of security analysts initiated further investigations to identify what had happened.

By examining customer logs in our SIEM tool, our analysts were able to quickly determine that this was a machine that was a member of a bot network. A further spread within the customer’s system could not be detected. Based on threat information and own surveys, the analysts found that the text files that were downloaded were full of account details that most likely originated from known email and password leaks on the Internet.

Further investigations revealed that the infected PC had an abnormally high number of DNS requests, as well as a very high number of connections to external mail servers. The team formed a suspicion that this was a “sextortion” campaign, where one of the customer’s PCs was used as a tool to send out blackmail emails to thousands of email addresses. See example of a extortion email below:

Source: Checkpoint


Our Security Operation Center classified this as a risk of reputational and financial loss. The case was thus notified to the customer and the analysts assisted them with action points to rectify the situation and take future security measures.

Over 90% of leaders are not prepared to deal with a cyber-attack, but attacks occur regularly. This time around our security analysts were able to detect abnormal traffic at an early stage before others knew about the hacker campaign. This illustrates the importance of having good analysts, who can keep track of the traffic. It is not enough to have a firewall or antivirus if no one has an overview of the situation, or the ability to interpret what emerges.

Business photo created by pressfoto –