Posted by: Dan O'Connor
Some very interesting information in this report.
What really sticks out to me is:
1) The phishing attack appears to have been targeted. I wish it would say, but I would think that whatever malware was executed by the email was modified to help avoid detection.
2) The account used to start the attack was gathered using the initial phish (they think). The credentials were then used to log in to remote services. If you are running remote access like Citrix or RDP, it would be best to try and place these behind another set of logins such as a VPN. Then add on something like RSA's SecurID. This way, even if the name and password are stolen, they still cannot be used without the token.
3) The speed of the attack is fairly impressive. There was some recon as the attacker looked around the network, then about 10 days later they appear to dump anything they felt had value and exfiltrate it out of the network.
4) The encrypted database dumps that were removed from the network also had their encryption keys stolen. But those keys were encrypted, so it appears that it is protected. The encryption was AES-256; while not totally impossible, it should be beyond reach with a strong key.
Isn't it neat the information you can collect from digital forensics?