A report from computer security firm Mandiant provides a timeline of the cyber-attack on South Carolina’s Revenue agency:
Aug. 13: A phishing email went to multiple Revenue employees, and at least one clicked on the embedded link, executing malware that likely stole the user’s username and password.
Aug. 27: The attacker logged into Revenue’s remote access service using legitimate credentials. The attacker logged into the employee’s workstation and leveraged his or her credentials to access other Revenue systems and databases.
Aug. 29: The attacker executed utilities designed to obtain user account passwords on six servers.
Sept. 1: The attacker executed a utility to obtain user account passwords for all Windows user accounts, plus installed malicious software on one server.
Sept. 2: The attacker interacted with 21 servers using a compromised account and performed reconnaissance activities.
Sept. 3: The attacker interacted with eight servers using a compromised account.
Sept. 4: The attacker interacted with six systems.
Sept. 11: The attacker interacted with three systems.
Sept. 12: The attacker copied database backup files to a staging directory.
Sept. 13-14: The attacker compressed the database backup files into 14 encrypted archives, then moved those from the database server to another server and sent the data to an Internet system. The backup files and archives were then deleted.
Sept. 15: The attacker interacted with 10 systems using a compromised account.
Oct. 10: The U.S. Secret Service notified state officials of the breach.
Oct. 12: The state contracted with Mandiant.
Oct. 17: The attacker checked connectivity to a server using the back door previously installed on Sept. 1, but there’s no evidence of additional activity.
Oct. 19-20: Revenue put in place Mandiant's short-term recommendations to remove the attacker's access. No evidence of malicious activity has been discovered since.
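Two of the timeline's phases leave patterns a defender can look for in ordinary logs: a single compromised account logging on to an unusually large number of servers in one day (Sept. 2), and the stage, compress, send-out, delete sequence on the database server (Sept. 12-14). The script below is an added illustration written for this page, not code from Mandiant or from the state's investigation; the host names, the account name, the event kinds, the thresholds and every log line are constructed assumptions chosen to mirror the dates in the timeline.

```python
"""Defender-side detection sketch over constructed log events.

Models two patterns from the timeline: (1) one account fanning out across
many servers in a single day, and (2) the stage -> compress -> exfiltrate ->
delete chain on a database server. All events are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str     # LOGON | FILE_COPY | ARCHIVE_CREATE | NET_OUT | FILE_DELETE
    detail: str   # path or destination (free text)


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample events; hosts, account and paths are hypothetical.
EVENTS = [
    Event(_t("2012-08-27 21:05"), "vpn-gw", "jdoe", "LOGON", "remote access"),
]
# Sept. 2: one account touching 21 servers in one day.
EVENTS += [
    Event(_t("2012-09-02 02:%02d" % i), "srv-%02d" % i, "jdoe", "LOGON", "interactive")
    for i in range(21)
]
# Sept. 12-14: backup staged, archived, sent out, then cleaned up.
EVENTS += [
    Event(_t("2012-09-12 01:10"), "db-01", "jdoe", "FILE_COPY", r"D:\staging\taxdb.bak"),
    Event(_t("2012-09-13 02:20"), "db-01", "jdoe", "ARCHIVE_CREATE", r"D:\staging\part01.7z"),
    Event(_t("2012-09-13 03:00"), "db-01", "jdoe", "NET_OUT", "203.0.113.5:443 (external)"),
    Event(_t("2012-09-14 04:30"), "db-01", "jdoe", "FILE_DELETE", r"D:\staging\taxdb.bak"),
    # Benign admin activity on another host: a backup copied but never sent out.
    Event(_t("2012-09-13 09:00"), "db-02", "backupsvc", "FILE_COPY", r"E:\backup\hr.bak"),
]

LATERAL_THRESHOLD = 10  # distinct hosts per account per day (tune per environment)


def lateral_fan_out(events, threshold=LATERAL_THRESHOLD):
    """Map (user, date) -> host count for accounts that logged on to >= threshold distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e.kind == "LOGON":
            hosts[(e.user, e.ts.date())].add(e.host)
    return {k: len(v) for k, v in hosts.items() if len(v) >= threshold}


CHAIN = ["FILE_COPY", "ARCHIVE_CREATE", "NET_OUT", "FILE_DELETE"]
STAGING_MARKERS = ("staging", ".bak")  # paths worth tracking on a database host


def staging_chain(events, max_days=3):
    """Map host -> (first_ts, last_ts) where the full chain occurred in order within max_days."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "NET_OUT" or any(m in e.detail.lower() for m in STAGING_MARKERS):
            by_host[e.host].append(e)
    hits = {}
    for host, evs in by_host.items():
        step, first_ts = 0, None
        for e in evs:
            if e.kind == CHAIN[step]:       # advance only on the next expected step
                first_ts = first_ts or e.ts
                step += 1
                if step == len(CHAIN):
                    if (e.ts - first_ts).days <= max_days:
                        hits[host] = (first_ts, e.ts)
                    break
    return hits


if __name__ == "__main__":
    for (user, day), n in lateral_fan_out(EVENTS).items():
        print(f"fan-out: {user} reached {n} hosts on {day}")
    for host, (first, last) in staging_chain(EVENTS).items():
        print(f"staging chain on {host}: {first} .. {last}")
```

The fan-out rule is deliberately per account rather than per source host, because the timeline shows the attacker moving between systems with legitimate credentials; the chain rule requires the four steps in order so that a routine backup copy (host `db-02` above) does not fire on its own.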
Mandiant and the office of Gov. Nikki Haley