Illusive Blog June 7, 2017

Cyber Attack on Telecom: A Deception Technology Case Study.

By Beth Ruck

Attackers targeted a large telecom company with thousands of IT devices in its international network and data centers. They managed to compromise a field technician’s laptop through a malicious email attachment, but illusive networks’ Deceptions Everywhere® technology detected it.

The field technician mistakenly downloaded a PDF email attachment to his laptop. Unbeknownst to the technician, the file was really an executable disguised as a PDF file, and it evaded detection by the up-to-date antivirus solution running on the laptop. Once the file was downloaded, a malicious process established a connection to its command-and-control server and began running using the logged-in user’s privileges. The stage was set for laterally moving through the network—a method used by an Advanced Persistent Threat (APT) attacker to identify his next target.


illusive networks’ Deceptions Everywhere technology detected the malicious process and alerted the telecom’s security team. With the laptop now in their hands, they identified the initial infecting vector (the fake PDF file) and discovered the malicious process with its persistency modules. The attack was detected early, which enabled the team to gain valuable information about the attack and stop it before it could download the second-stage payload. The security team reimaged the laptop.

“We believe this action was part of a targeted attack on our company,” said the telecom company’s security team member. “illusive detected malicious activity on the endpoint and was the first—and only—solution to alert us.”

illusive’s automated forensic modules collected evidence from the actual breached machine in real time, giving the telecom security team the data they needed to understand the entire attack lifecycle:

1. The user received an email claiming that he had received a package.

2. The email also contained a malicious file attachment, with the classic move of two file extensions (exe.pdf) and an Adobe Reader icon.

3. The user fell for it, downloading the “invoice” and trying to open it.

If the adversary had been successful, he could have exfiltrated sensitive information, including customer network credentials, network device logs, and internal procedural documents. He then could have used that data against the telecom company’s customers, as well as gained valuable data about the company’s internal network,  later using it for lateral movement within the network.

Learn how you can use illusives’ Deception Everywhere solution to protect your network against the next attack. Request a demo and begin turning the tables on attackers in your network.