
Last year, Kroll was nominated for an FT Intelligent Business award in recognition of its creative approach to countering a serious data breach. Kroll's James Barker explains how they used an army of fake Twitter accounts to neutralize a vicious attack.
Kroll recently worked for a listed company that suffered a serious data breach. Large amounts of data had been stolen and they were being held to ransom. The client received emails from the attacker requesting millions of pounds in bitcoin not to release the data.
Kroll was engaged to assist the company in their investigation of how the breach occurred, but also to see if we could identify the attacker and locate the stolen data.
The attacker had placed all the stolen data on a server and given our client the password to log in - to show they were serious. Our client was given two weeks to pull the bitcoin together. If they failed to do so, the attacker would release the stolen data onto the internet - potentially compromising the personal data of thousands of employees and clients. We worked around the clock and identified the internal weakness that had allowed the attacker into the network.
The client - somewhat to the surprise of the insurer - decided against paying the ransom. We therefore devised a new strategy of "cluttering" to mitigate the attacker's threats.
Cluttering strategy
In this cluttering strategy, should the attacker fulfill their promise to release the stolen data, we would counter-punch with our servers and Twitter bot army - a series of fake Twitter accounts - to spread a fake dataset far more effectively than the attacker could. We would essentially "clutter out" the attacker by emulating them.
Additionally, embedded in the clutter data were digital traps to alert us to any sign of third parties looking at our fake data. From this, we would then be able to approach third parties and - through the client's legal counsel - tell them to stop looking for our client's data. We also placed warning messages in the fake data, warning any curious third parties that they should not be seeking to view our client's stolen data.
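The digital traps described above, as an added illustration rather than Kroll's own tooling: each decoy copy seeded to a channel carries its own canary token, and a detector attributes beacon requests in the web-server access log back to the channel where that copy was placed. The beacon host, the channel names and the sample log lines are constructed assumptions.

```python
import re
import secrets
from collections import defaultdict

BEACON_HOST = "beacon.example.invalid"  # assumed placeholder, not from the article

# Apache/nginx "combined"-style access-log line; only beacon paths are matched.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"GET /c/(?P<token>[0-9a-f]{16})\.png HTTP/1\.[01]" \d{3}')


def seed_decoys(channels, token_for=None):
    """One decoy CSV per seeding channel, each with its own canary token, so a
    later beacon hit maps to exactly one channel. Returns {channel: (token, csv)}."""
    token_for = token_for or (lambda _ch: secrets.token_hex(8))
    seeded = {}
    for channel in channels:
        token = token_for(channel)
        rows = [
            "id,name,email,notes",  # constructed dummy rows, not real personal data
            f"1,Decoy One,decoy1@{BEACON_HOST},",
            f"2,Decoy Two,decoy2@{BEACON_HOST},",
            "3,NOTICE,,This dataset is fake. Do not seek the stolen data.",  # warning
            # The trap: a beacon URL unique to this copy; any fetch of it (link
            # preview, document viewer, curious click) is logged on our server.
            f"4,,,http://{BEACON_HOST}/c/{token}.png",
        ]
        seeded[channel] = (token, "\n".join(rows) + "\n")
    return seeded


def detect_hits(log_lines, seeded, ignore_ips=()):
    """Attribute beacon requests to the channel whose decoy copy was opened.
    Returns {channel: [(ip, timestamp), ...]}; our own IPs and unknown tokens are dropped."""
    channel_of = {tok: ch for ch, (tok, _csv) in seeded.items()}
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("ip") in ignore_ips:
            continue
        channel = channel_of.get(m.group("token"))
        if channel is not None:  # unknown token: not one of ours (scanner noise)
            hits[channel].append((m.group("ip"), m.group("ts")))
    return dict(hits)


SAMPLE_LOG = [  # constructed sample log; RFC 5737 documentation addresses
    '203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /c/aaaaaaaaaaaaaaaa.png HTTP/1.1" 200 43',
    '198.51.100.9 - - [10/Oct/2020:14:01:02 +0000] "GET /c/bbbbbbbbbbbbbbbb.png HTTP/1.1" 200 43',
    '192.0.2.1 - - [10/Oct/2020:14:02:00 +0000] "GET /c/aaaaaaaaaaaaaaaa.png HTTP/1.1" 200 43',
    '203.0.113.7 - - [10/Oct/2020:14:03:00 +0000] "GET /c/cccccccccccccccc.png HTTP/1.1" 404 0',
]
```

Requests from your own verification addresses go in `ignore_ips` so that checking the seeded copies does not trigger a false alert.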
The attacker strikes
The deadline set by the attacker came and went without incident. Our client informed their local regulator of the issue - and then silence. For a week we monitored the internet for any sign of the attacker fulfilling their promise. Behind the scenes, Kroll had found the physical location of the attacker's server and was working to have it taken down.
Then the attacker struck, dumping links to their server and the real stolen data across Reddit, Twitter, Facebook, various blogs, and pastebins. However, we were ready with a takedown team who worked with outside counsel to remove the links from the internet within hours.
Simultaneously, we also launched our "cluttering" response, and within a day, if anyone looked for our client's stolen data, they would only find the fake data. By this point, the attacker's server had been taken down, and we recovered our client's data - with no sign that it had been replicated elsewhere.
Social media during a cyber-incident can be one of your most significant risks, but through creativity, it can also become part of an antidote.
James Barker is senior director, business intelligence & investigations, at Kroll, a division of Duff & Phelps