Posted by: Dan O'Connor
This is a good highlight of how, if someone gets into your network and has a specific target, it can be infuriatingly difficult to remove them.
With the amount of access that was gained, significant damage could have been done to their internal infrastructure. Instead they had specific targets in mind. The information in the article is very good, but I can give the executive version.
1) Access was gained to the network through a suspected phishing attack.
2) A foothold was gained on at least three computers.
3) Hashes were stolen from the domain controller. (The way that this is worded, it sounds like they stole every single hash, and that is very possible.)
4) A rainbow table was most likely used to crack the hashes and gain access to those accounts.
5) Routines were set up to search for documents and mail associated with specific users.
6) 45 pieces of custom malware were installed during the time on the network. Of these, only a single sample was detected by their AV vendor, Symantec. I don't think you should take this as a total negative against Symantec. The attackers would have known that it was the AV being used and would have crafted their tools to avoid detection by it.