Thieves in the Night: The Anatomy of a Cyber Attack

Keith Wojciech
Keith Wojciech
December 16, 2020 • 4 min read

On the evening of Friday, August 6, 2005, residents walking the streets of downtown Fortaleza, Brazil, had no idea one of the biggest heists in history was taking place just four meters below.

By the end of the weekend, a gang of robbers walked off with almost 8,000 pounds of Brazilian currency (worth over USD 70 million) from the Brazilian Central Bank branch – with nary a scratch or alarm bell ringing.  The bank had no idea they had been robbed until they opened for business Monday morning.

It was the combination of masterful planning, elaborate deception, and flawless execution (not to mention immense hubris) that allowed these thieves to perpetrate the crime so effectively.

Several months of meticulous engineering resulted in a tunnel running under two city blocks, complete with scaffolding, lighting, and an air circulation system, while a fake landscaping company storefront provided the perfect cover to exploit weaknesses of a seemingly impenetrable bank vault.

Unfortunately, insidious tactics such as these employed in the physical world translate almost seamlessly into the cyber world.  Stealth, weakness exploitation, and yes, even tunneling are hallmarks of an effective cyberattack.

Recently, a major U.S. federal agency found this out the hard way.


On September 24, 2020 the Cybersecurity & Infrastructure Security Agency (CISA) released an analysis report detailing a recent cyberattack on a federal agency’s enterprise network.

The postmortem report showed that the successful attack included elaborate methods of disguising activities, sophisticated malware, and multiple exploitations of various infrastructure weaknesses.  It is a sobering yet effective example for cybersecurity personnel everywhere to study.

The report employs the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework – a comprehensive model for describing the actions an adversary may take to compromise and operate within an enterprise network.

Wolf in Sheep’s Clothing

Like many crippling cyberattacks, the threat actor initially accessed the agency’s network using valid access credentials.  This allowed them to exploit common public-facing applications and external remote services to gain access through innocuous means without raising eyebrows.

With a foothold acquired, the threat actor began feeling around to discover additional weaknesses and deeper access, positioning themselves to do some real damage in the infiltrated system.

Eventually they were able to manipulate a victimized endpoint’s directory services and network to elevate their access privileges. They used these privileges to:

  • Set up an encrypted network tunnel between the attacker-controlled remote servers and the agency’s servers;
  • Deploy a unique, multi-stage file-dropping malware that evaded anti-malware detection; and
  • Set up a locally mounted remote file share, allowing them to freely move around the victim network while leaving few artifacts for forensic analysis.

Source: CISA Analysis Report (AR20-268A)


With all the pieces in place and still undetected, the threat actor began the carefully measured exfiltration of data from account directories, file servers, and who knows what else from the victim organization.

CISA did not reveal details on the data stolen, in part because the actor adeptly masked their activity, nor did they say how long the attacker set up shop clandestinely.  IBM’s “Cost of a Data Breach Report 2020” estimates 280 days as the average time it takes an organization to identify and contain a breach.  Regardless, it is painfully clear that they got away with it, just like the bank robbers in Brazil.

The nefarious interloper was only identified after the DHS’s EINSTEIN cybersecurity platform detected the potential compromise, and CISA conducted an incident response engagement, confirming the destructive behavior.

House in Order

Though analysts were unable to determine how the threat actor initially obtained active credentials, the report speculates they exploited a known vulnerability in an unpatched agency VPN server.

An enterprise can have the most powerful equipment, top security controls, and comprehensive defense plan, but something as simple as an unpatched server can bring the best security crashing down.

Despite the embarrassment, cost, and harm a breach like this can cause, CISA’s thorough incident response analysis of the threat actor’s tactics, techniques, procedures, and indicators of compromise is an invaluable teaching tool for organizations and cybersecurity professionals in the perpetual fight with the digital bad guys.

Keith Wojciech
Keith Wojciech
Director of Identity Services
Keith has 20 years of experience managing and delivering IT solutions for federal and commercial customers.
Read full bio

Subscribe to Our Newsletter

Email Address
Select a Country

Although we may use your information for targeted marketing and advertising, as described in the Privacy Policy, we will never sell your information to any third party.