Nixu Files: Hot town, phishing in the city

April 15, 2019 at 17:08

Gunnar had no idea of the consequences of clicking a seductive bookkeeping system ad. A busy day at the office turned into a defensive battle at the headquarters of a Swedish manufacturing company. An advanced spear phishing attack in several stages didn’t hurt only the company but their partner as well.


A lovely evening with coffee and inbox

A cloudy afternoon was transforming to an evening as Gunnar sat down in a quiet corner at the headquarters of a manufacturing company. The whole day had been all about partner meetings, workshops and presentations. For the first time for the entire day he got the chance to go through his Inbox: 214 unread messages. Gunnar sighed.

“Want to save 50 % of your IT costs?” an email asked. This sounds too good to be true, Gunnar thought and clicked a link that directed him to a well-known site advertising bookkeeping systems. Suddenly the screen started to flicker. Is this me having a headache or is there something wrong with the site, Gunnar pondered. He started a virus scan and decided to get coffee. When he came back, the virus scan didn’t show anything, so Gunnar thought everything was fine. Back to scrolling down the Inbox. Only 200 messages to go.

What no-one yet knew was that a malicious application was downloaded to Gunnar’s computer. The application now started a reconnaissance within the company network with the intent to find ways to escalate its privileges. The code spread slowly and under the radar to infect other hosts and to create different users as a backup plan.

Malicious application breaking in

It was an unusually hot summer as Nixu's cybersecurity consultant Mathias was traveling from Stockholm to Southern Sweden for a quick visit to a client. At a stop at a coffee house, Mathias noticed that he’d forgotten his wallet home. Well, he thought, I guess the client has to offer me lunch today.

Meanwhile, back in Gunnar’s office, a server in the demilitarized zone (DMZ) was started by the attacker from inside. The attacker who planted the malicious application now had access to their goal, an Internet Service Provider (ISP), through an integration meant for connecting logistics systems. Other criminals also found the now opened vulnerability on the DMZ and started mining cryptocurrency on the servers.

Gunnar was spending the heatwave in the busy headquarters, but he was in a good mood. He had finally finished up a project with the company ISP and was writing his final report. Soon it would be time for a holiday.

Need for cooling it off

Lars, IT service support at Gunnar’s company, was eating refreshing ice cream at the end of his shift as he noticed that a server in the DMZ was heavily loaded. Additionally, the network pattern looked strange. Lars didn’t understand how the crypto mining had started or why. It certainly didn’t fit into standard usage patterns for a manufacturing company.

Cybersecurity consultant Mathias was about to start the engine to hit back home to Stockholm when his phone rang. On the line Lars quickly introduced himself and explained the situation: “There is some crypto mining traffic in our network, and I’m not quite sure why.“ Mathias drove off, not to Stockholm but to meet Lars.

At the manufacturing company headquarters, Mathias noticed small and strange connections and network traffic on other DMZ servers and, what was even more concerning, connections reached out to the company’s partner, the ISP. IT service support guy Lars decided to call Gunnar. At the end of the day, Mathias checked in to a local hotel.

Panic at the headquarters

“What do we do now,” Lars and Gunnar were panicking the next day. “If our ISP’s files are encrypted, we are the ones who are held accountable!” “Calm down my friend,” Mathias said as he got in touch with his colleagues back in Stockholm. “It looks bad but let’s have a look.”

It sure was not an easy fix. Customer was pushing Mathias to solve the problem but wasn’t interested in the details. “Just fix it,” they said and tried to continue as if nothing had happened. Mathias and Nixu's team worked in 24-hour shifts with only Lars supporting him in the company. Mathias had to buy new underwear and shirts with Lars’s credit card since he had forgotten his own at home. What was supposed to be a quick one-day meeting turned into a week of a full-on cybersecurity investigation.

They isolated three servers from the network for an in-depth analysis. After two days, Mathias could see that other servers and PCs were showing the same communication pattern as the one that was isolated and being analyzed.

Finally, Gunnar had to admit that they had to treat this as a major incident and more resources were given to Mathias to work with. Also, the ISP was informed, and they became involved in resolving the event. Mathias had the chance to go home for the weekend.

The long aftermath

After the first aid, Mathias and Nixu's team began the long process of going through the network traffic and looking for previously unknown and hidden files throughout the environment. It took over a month before they could say with some certainty that all system had been checked and cleaned.

The damage was overwhelming. Personal data of the ISP’s customers and their asset inventory were leaked. The manufacturing company lost the ISP partnership and had to pay a symbolic sum for the incident. GDPR wasn’t yet in place at that time. The company understood that to avoid similar incidents in the future, it needed to start doing things right. First order of business – get some security monitoring for the network.

What about Gunnar then? He said he thought that Service Desk didn’t have time for small questions and was afraid that his PC should be reinstalled. He didn’t have time for that and wasn’t sure of if there where backups of his work.

“Why did I believe that stupid IT vendor scam”! Gunnar cursed.

“It’s not your fault,” Mathias said. “It’s a system failure, and you can never blame a user. Your company had made some mistakes, but you’re now on the right path. There’s still a lot of work to be done. So, shall we get to it?”

“Sure thing, but not before I buy you a beer – you definitely deserve it!”

“You still owe me for the hotel and the clothes,” Lars said to Mathias, but he was already walking to the sunny terrace with Gunnar.

Mathias’s quick guide to network security

How could this all have been avoided? Few ideas:

  1. Ensure that end-points, like Gunnar’s laptop, have adequate security protection in place. One wrong click like this should not result in a total disaster.
  2. Have 24/7 security monitoring in place to detect similar issues before they become major incidents. And, if you want to enjoy your sunny days instead of spending them inside watching the screens, consider one provided as a service.
  3. While on the subject of monitoring, ensure that it covers your e-mail services. Over 90% of attacks start from an e-mail sent to an employee. In addition, make sure your e-mail service filters out potentially malicious e-mails.

    +1 As an added bonus, consider interactive awareness campaigns that focus on safe and secure use of e-mail. Although we don’t want to pass the responsibility to the user, it’s good to know what the most common scams are so that everyone can avoid them. Here's a downloadable PDF about phishing tips for your office to share.


Nixu Files is a series of modern-day detective tales where we dive deep into some of our most thrilling client cases. The stories read like a nail-biting mystery novel, but we swear they’re far from fiction. Welcome to the world of cyber noir.


Related blogs