In cybersecurity, social engineering is typically seen as a tool for attackers. But during critical incident response engagements, security teams are also forced to get creative with their approach.
In a recent case involving a large client in the energy sector, we leveraged social engineering to engage with a cybercriminal who had infiltrated their systems. By posing as a potential buyer of the stolen data, we were able to uncover critical details about how the attacker gained access and what they intended to do with it.
This post will walk you through the details of how we executed this operation and why having expert defenders mixed with offensive specialists on your side in these situations is essential.
The breach: A brief overview
This engagement started when the CFO of a large U.S. energy provider contacted us in a panic after discovering unauthorized access to their system, with sensitive data being sold on the dark web.
The attackers had gained access to a production database and were actively attempting to sell the compromised access token. The database included sensitive customer-related data and additional operational information. The data breach presented a significant risk to our client, and we needed to quickly determine how the attacker had infiltrated the system to stop any further damage.
As in every case we handle, retracing the attacker’s steps is a challenging effort, since logs are often incomplete, especially when the attacker is using legitimate access.
Outsmarting the attacker with social engineering
Since we had limited information on the attacker and little time to waste attempting to trace their actions, we opted for a more proactive approach: engaging the attacker directly via text message in the hope of extracting meaningful information that could aid our investigation.
So, we set up dark web profiles and contacted the hacker under the guise of potential buyers. It went a lot better than we could have hoped for.
In this first exchange, the attacker showed signs of hesitation, revealing a potential weak spot in their operational security. This gave us an opening, and as we continued the conversation, they began to disclose more critical details about their access.
The breakthrough occurred when the attacker casually mentioned an “_admin@xxxx.com” account, a key credential they had used to access the client’s system. This was the breadcrumb we needed to pinpoint their entry in the logs and map their activities.
Recognizing an opportunity to uncover even more details, we displayed empathy and even offered to “help” them overcome some of the dilemmas and challenges they were facing. This consultative approach quickly built rapport, and, without realizing it, the attacker began to divulge more important details about how they had infiltrated the system.
These small pieces of information were enough to help us pinpoint the attacker’s exact steps in the logs, allowing us to determine the root cause.
In a separate conversation, the attacker went straight to business, asking us if we had an offer for the database. Their asking price was surprisingly low for such a breach, especially considering the sensitive nature of the data involved.
Here is a redacted snippet from that conversation:
OP Innovate:
“Hey there, I would like to buy the database.”
Hacker:
“Do you have an offer? I’m looking for 130$.”
OP Innovate:
“That’s it? Just 130$?”
Hacker:
“I got told 500$ would fit, but I said I just got information access, so I will lowball it myself.”
The attacker’s eagerness to sell the stolen data at a surprisingly low price was an immediate red flag, signaling inexperience. Typically, data of this sensitivity—customer information, operational data, and more—would be sold for a much higher price on dark web forums. This gave us valuable insight into the level of threat we were dealing with: likely a script kiddie or an inexperienced hacker.
Further investigation into the attacker’s profile confirmed this. The account used to facilitate the sale wasn’t a dedicated one for this breach but was also active in other forums discussing offensive security certifications. The attacker had even recommended training paths for becoming a hacker, clearly positioning themselves as a beginner in the field. This background information gave us additional confidence that we were dealing with a low-level threat, someone who didn’t fully grasp the value of the data they had breached.
Gaining the attacker’s trust
As we continued the conversations using three different aliases posing as interested buyers, we expressed interest in acquiring more than just the database—specifically, the developer account that was used to access the system. By promising a higher payout for this access, we were able to coax the attacker into revealing more information about their method of entry.
At that point, the attacker mentioned that the developer account was what allowed them to obtain the master key to the production databases.
Here is the main part of that exchange:
OP Innovate:
“If you give me the developer account, I would pay much more.”
Hacker:
“I know that is probably worth more, since that is the way I got access to the production database’s master key, but I can’t sell it yet because of opsec. But I probably will later on.”
Root cause discovery: What the attacker revealed
Through our conversations with the cybercriminal, we discovered several important details about the attack:
- They had accessed the system through a developer account, which provided them with the keys to the production database.
- The attacker was hesitant to access the system again due to increased security measures, including password resets and enhanced security configurations.
These findings allowed us to trace their infiltration path, giving us the exact breadcrumb we needed to search the logs and pinpoint the steps they took to access the system.
During the conversation, the attacker admitted that their original access point had likely been disabled due to the client’s security efforts. However, they were still eager to sell the data they had already collected, suggesting that some risks remained.
This confirmed that while the client had taken important steps to mitigate the attack, further action was necessary to fully secure the environment and prevent future breaches.
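The pivot described above, from a single account name disclosed by the attacker to a full activity timeline in the logs, as an added illustration that is not part of the original engagement or OP Innovate’s tooling. The log format, account names, IP addresses and the hypothetical key-read and export events are all constructed for the example; only the idea of pivoting from the breadcrumb account to everything else seen from the same source is taken from the post.

```python
import re
from datetime import datetime

# Constructed sample audit log (not from the client's environment).
# Format: "<timestamp> key=value key=value ..."
SAMPLE_LOG = """\
2024-05-01T08:02:11Z src=198.51.100.4 user=ops.ana@example.com action=login result=success
2024-05-02T22:14:03Z src=203.0.113.7 user=dev.jsmith@example.com action=login result=failure
2024-05-02T22:14:40Z src=203.0.113.7 user=dev.jsmith@example.com action=login result=success
2024-05-02T22:19:05Z src=203.0.113.7 user=dev.jsmith@example.com action=secret.read name=prod-db-master-key
2024-05-02T22:31:50Z src=203.0.113.7 user=svc-db action=db.export table=customers
2024-05-03T09:00:00Z src=198.51.100.4 user=ops.ana@example.com action=login result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; ts becomes a datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def build_timeline(log_text, breadcrumb_user):
    """Pivot from a known-compromised account to the attacker's full activity.

    Pass 1: collect the source IPs the breadcrumb account was used from.
    Pass 2: keep every event by that account OR from those IPs, so actions
    taken under a different identity (e.g. a service account) from the same
    source are not missed.  Result is sorted by timestamp.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    pivot_ips = {e["src"] for e in events if e.get("user") == breadcrumb_user}
    related = [e for e in events
               if e.get("user") == breadcrumb_user or e["src"] in pivot_ips]
    return sorted(related, key=lambda e: e["ts"])


def first_success(timeline, breadcrumb_user):
    """Timestamp of the breadcrumb account's first successful login (initial access)."""
    for e in timeline:
        if (e.get("user") == breadcrumb_user and e.get("action") == "login"
                and e.get("result") == "success"):
            return e["ts"]
    return None
```

Running `build_timeline(SAMPLE_LOG, "dev.jsmith@example.com")` on the constructed log yields four events, ending with the `svc-db` export that mentions the developer account nowhere but shares its source IP.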
Next Steps
After gathering this information, we worked with the client to:
- Strengthen their identity and access management (IAM) systems.
- Apply additional security measures to their cloud environment, specifically around developer accounts.
- Introduce them to our innovative continuous threat exposure management platform, WASP, to continuously monitor and assess their attack surface.
This proactive approach ensured that the client’s systems were secured and fortified against future attacks of a similar nature.
The importance of expertise in Incident Response
This case demonstrates how critical expertise is when dealing with cybersecurity incidents. Even though the attacker in this case wasn’t highly sophisticated, without the right knowledge and techniques, the breach could have easily persisted or worsened. OP Innovate was able to turn the tables on the attacker and quickly gather the necessary information to remediate the situation.
At OP Innovate, we pride ourselves on being the friendly hackers by your side. We don’t just defend against attacks; we speak the same language as the attackers because we think and act like them when operating as white-hat hackers.
This unique approach allows us to get inside the minds of malicious actors, using their own techniques against them. It’s this mindset that helps us gather critical information quickly and contain threats before they escalate.
OP Innovate’s hands-on approach to Incident Response
At OP Innovate, we combine deep technical expertise with innovative strategies to ensure our clients are protected from even the most sophisticated threats. Our incident response service helps organizations quickly contain the threat and identify the root cause, whether it’s a ransomware attack, business email compromise, or a web application breach.
Leveraging tools like our ANT rapid response system, we ensure a fast, efficient response, while our experts—ranging from incident response managers to threat hunters and negotiators—work together to resolve incidents and minimize damage.
With over 10,000 hours of incident response under our belt, we’ve handled a wide variety of cyber incidents, delivering peace of mind to our clients every step of the way.