Client Local subsidiary of a western European consultancy
Situation A supplier instructed our client to pay an outstanding invoice into a different overseas bank account, supplying documents confirming the new account that were signed by the head of the relevant department. The compromise was not detected until a few days later, by which time the funds had already been transferred. The supplier had cyber insurance, but the question arose as to where the compromise had occurred.
Action CNS Risk conducted a detailed analysis of the Microsoft 365 mailbox rules, log files and alerts and of the Azure log files, then set up endpoint monitoring for a month to look for any unexpected traffic. Working with the client and some of its partners, CNS pieced together the correspondence to determine the genesis of the scheme and deduce the source of the compromise.
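The mailbox-rule review mentioned above is where this kind of case is usually decided: an attacker who has taken over a supplier's account typically creates an inbox rule that forwards or hides invoice and payment traffic so the victim does not notice the parallel conversation. The script below is an added example, not CNS Risk's tooling, showing how that triage can be automated over audit records. The sample records are constructed for this example; they follow the general shape of Microsoft 365 Unified Audit Log AuditData (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs), but the addresses, IPs and tenant domain are assumptions.

```python
"""
Added example (not CNS Risk's tooling): triage Microsoft 365 inbox-rule audit
records for the indicators typical of a business-email-compromise mailbox.
"""
import json

# Assumed tenant domain(s); any other recipient domain counts as external.
TENANT_DOMAINS = {"supplier.example"}

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Enable-InboxRule"}
FORWARD_PARAMS = {"forwardto", "forwardasattachmentto", "redirectto"}
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history",
                "junk email", "deleted items"}
KEYWORD_PARAMS = {"subjectcontainswords", "bodycontainswords",
                  "subjectorbodycontainswords"}
FINANCE_WORDS = {"invoice", "payment", "bank", "account", "wire", "remittance",
                 "iban", "swift"}

# Constructed sample records (one AuditData JSON blob per line), invented for
# this example. Record 1 is the classic attacker rule; record 2 is benign;
# record 3 is a quieter variant that deletes matching mail; record 4 is not a
# rule operation at all.
SAMPLE_EVENTS = [
    '{"Operation":"New-InboxRule","UserId":"finance@supplier.example",'
    '"ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"."},'
    '{"Name":"SubjectOrBodyContainsWords","Value":"invoice;payment;bank details"},'
    '{"Name":"ForwardTo","Value":"collector@mail-drop.example"},'
    '{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}',
    '{"Operation":"New-InboxRule","UserId":"ops@supplier.example",'
    '"ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},'
    '{"Name":"From","Value":"news@vendor.example"},'
    '{"Name":"MoveToFolder","Value":"Newsletters"}]}',
    '{"Operation":"Set-InboxRule","UserId":"ap@supplier.example",'
    '"ClientIP":"203.0.113.45","Parameters":[{"Name":"Identity","Value":"Cleanup"},'
    '{"Name":"SubjectContainsWords","Value":"wire transfer;remittance"},'
    '{"Name":"DeleteMessage","Value":"True"}]}',
    '{"Operation":"MailItemsAccessed","UserId":"finance@supplier.example",'
    '"ClientIP":"203.0.113.45","Parameters":[]}',
]


def _parameters(audit_data):
    """Flatten the Parameters list into {lowercase name: string value}."""
    return {p["Name"].lower(): str(p.get("Value", ""))
            for p in audit_data.get("Parameters", [])}


def _external_addresses(value):
    """Addresses in a forward/redirect value whose domain is outside the tenant."""
    addrs = [a.strip(" []\"'<>") for a in value.replace(";", ",").split(",")]
    return [a for a in addrs
            if "@" in a and a.rsplit("@", 1)[1].lower() not in TENANT_DOMAINS]


def assess_rule(audit_data):
    """Return the indicators found in one inbox-rule record, or [] if benign.

    Strong indicators (external forwarding, deletion, hiding in an unread
    folder) flag the rule on their own; weak ones (finance keywords, mark as
    read, a near-empty name) are reported only alongside a strong one.
    """
    if audit_data.get("Operation") not in RULE_OPERATIONS:
        return []
    params = _parameters(audit_data)
    strong, weak = [], []
    for name in FORWARD_PARAMS.intersection(params):
        ext = _external_addresses(params[name])
        if ext:
            strong.append(f"{name} to external address(es): {', '.join(ext)}")
    if params.get("deletemessage", "").lower() == "true":
        strong.append("deletes matching messages")
    folder = params.get("movetofolder", "").strip()
    if folder.lower() in HIDE_FOLDERS:
        strong.append(f"moves matching messages to '{folder}'")
    for name in KEYWORD_PARAMS.intersection(params):
        words = {w.strip().lower() for w in params[name].replace(";", ",").split(",")}
        hits = sorted(w for w in words if any(f in w for f in FINANCE_WORDS))
        if hits:
            weak.append(f"{name} filters on finance terms: {', '.join(hits)}")
    if params.get("markasread", "").lower() == "true":
        weak.append("marks matching messages as read")
    rule_name = (params.get("name") or params.get("identity") or "").strip()
    if len(rule_name) <= 1:
        weak.append(f"near-empty rule name {rule_name!r}")
    return strong + weak if strong else []


def triage(raw_events):
    """Parse AuditData lines and return one finding per suspicious rule."""
    findings = []
    for line in raw_events:
        record = json.loads(line)
        reasons = assess_rule(record)
        if reasons:
            params = _parameters(record)
            findings.append({
                "user": record.get("UserId"),
                "client_ip": record.get("ClientIP"),
                "operation": record.get("Operation"),
                "rule": params.get("name") or params.get("identity") or "",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['user']} ({finding['client_ip']}) {finding['operation']} "
              f"rule {finding['rule']!r}:")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

In a real engagement the input lines would be the AuditData column of a Search-UnifiedAuditLog export filtered to the inbox-rule operations; the ClientIP on a flagged rule is then the pivot for the sign-in logs, since a rule created from an address the account holder never uses is usually the first hard evidence of which mailbox was taken over.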
CNS also provided evidence and guidance for filing police reports in two countries, and drew up the questions to be put to the banking supervisory authority and the bar association regarding the weak controls exercised by the bank and by the law firm that set up the business front which absconded with the funds.
Results CNS's Cyber Team determined that, while some of the correspondence flowed through a spoofed domain, sufficient evidence pointed to the supplier's email account having been compromised and being the ultimate source of the social engineering.
The partner was asked to forgo the outstanding invoice and instead claim on its cyber insurance, and to be a party to the police complaint filed overseas.
Further Action The client, now aware of the risks and that it is known in the dark web community to have fallen prey, is actively scanning for compromises, monitoring its endpoints and running awareness training.
Duration 4 weeks
One lead investigator, the Cyber Monitoring Team and one overseas resource in the market to which the funds were transferred.