Timeline of the cyber attack

  • Posted: Wednesday, November 21, 2012 12:12 a.m.

A report from computer security firm Mandiant provides a timeline of the cyber-attack on South Carolina’s Revenue agency:

Aug. 13: A phishing email went to multiple Revenue employees, and at least one clicked on the embedded link, executing malware that likely stole the user’s username and password.

Aug. 27: The attacker logged into Revenue’s remote access service using legitimate credentials. The attacker logged into the employee’s workstation and leveraged his or her credentials to access other Revenue systems and databases.

Aug. 29: The attacker executed utilities designed to obtain user account passwords on six servers.

Sept. 1: The attacker executed a utility to obtain user account passwords for all Windows user accounts and installed malicious software on one server.

Sept. 2: The attacker interacted with 21 servers using a compromised account and performed reconnaissance activities.

Sept. 3: The attacker interacted with eight servers using a compromised account.

Sept. 4: The attacker interacted with six systems.

Sept. 11: The attacker interacted with three systems.

Sept. 12: The attacker copied database backup files to a staging directory.

Sept. 13-14: The attacker compressed the database backup files into 14 encrypted archives, then moved those from the database server to another server and sent the data to an Internet system. The backup files and archives were then deleted.

Sept. 15: The attacker interacted with 10 systems using a compromised account.

Oct. 10: The U.S. Secret Service notified state officials of the breach.

Oct. 12: The state contracted with Mandiant.

Oct. 17: The attacker checked connectivity to a server using the back door previously installed on Sept. 1, but there’s no evidence of additional activity.

Oct. 19-20: Revenue put in place Mandiant’s short-term recommendations to remove the attacker’s access. No evidence of malicious activity has been discovered since.

Mandiant and the office of Gov. Nikki Haley
