P2021-ND-310

On January 5, 2021, the Organization discovered unauthorized access to its computer systems in the form of a ransomware attack. An investigation determined that the threat actor opened/viewed seven (7) documents on the Organization's systems, but these documents did not contain any personally identifiable information. The investigation also determined that the threat actor obtained domain administrator credentials and employed a number of "anti-forensic" measures such as deleting event logs. The Organization reported it is possible that the threat actor could have accessed other areas of its computer environment of which it is not aware. The earliest evidence of unauthorized activity was January 4, 2021. The threat actor provided the Organization with four (4) files from its network as proof that some data was exfiltrated, but the Organization's forensic investigation did not independently confirm that any data exfiltration had occurred. The Organization reported that the four files provided by the threat actor as proof of exfiltration did not contain any personally identifiable information. The forensic investigation concluded that the likely cause of the breach was RDP (Remote Desktop Protocol) services exposed to the internet.

File Type: pdf
File Size: 619 KB
Categories: 2021