Tomi Tuominen, Global Technical Director
15 mins read
To protect the identities of those involved, all stories in our True Forensics series are a dramatization of events using a mixture of cases to form the basis of the narrative.
This particular story begins at the headquarters of one of Finland's largest companies. The building was a monumental block, with some 7 floors including those underground. The land around the site was owned by the organization (our client) and had been for some years.
In the early hours of November 3, security guards at an outpost were alerted to a silent alarm triggered at the headquarters. Shortly after, another alarm went off at secondary site in a nearby neighborhood, also owned by the client. The guards set off in their patrol car, initially to the location of the second alarm—which was closer to their outpost—then the first. Nothing was found at the remote site. At the HQ building, they followed their established route for security checks. This route was carefully designed to enclose any trespassers so they might not retrace their steps. The sweep of the building took the guards 23 minutes to complete, just like it always did, with no signs of a break-in. None of the external, timed locks had been broken to enter the building (they were set to lock automatically between the hours of 06:00-21:00). Nothing at all seemed awry. A false alarm perhaps...
Only when the guards checked the CCTV footage could they see what—or in fact who—was the cause. . At 04:00, the time the first alarm was triggered, a man entered the building. He held something up to the lock on the outer entrance door and it opened. Even with a valid pass, this should not have been possible in any case because of the lock’s timer. The guards chose wisely and notified the site security manager and the company CISO of the security breach, who immediately called our IR team.
Getting out of my car at the client’s site later that same day, I stood for some time out in the rain and took in my surroundings: a single two-way road down to the central facility; some storage buildings; one main entrance at the front; a car park also at the front and one at the back. I then circled the building, counting 26 CCTV cameras, with one directly above the front entrance.
This reconnaissance is part of my routine wherever I go. I'm always trying to work out how I would get access whilst evading detection if I was an attacker. I look for the the features and flaws that make an easy route in. Potential break-in scenarios will go round in my head until I find one that makes the most sense. It's a trait of my red teaming background, absolutely, and it helps me as an incident responder. I see it this way: if you wanted to find out how to break into a building, would you ask a police officer or a burglar?
Sitting with the guards in their office, we looked back over the CCTV footage. It was blurry. But sure enough, we saw the attacker take something small from his pocket, subtly move it across the electronic lock, and the door unfastened. What did he have in his hand? That afternoon, I acquired a batch of the same electromechanical locks the client was using. Then, I headed to the lab. I began to disassemble each lock and observe its functionality by performing various tests there at my desk. It wasn’t long until I came across a critical design flaw. When I held 4 super magnets to the lock, the relay would break, unlocking the bolt. This happened regardless of how it was programmed to function. (These “super magnets” I had in my toolkit were nothing special, by the way. They’re the type kids buy for fun online.) Needless to say, the CISO was somewhat perturbed when I returned on site and demonstrated the simple flaw in action. Every door using this lock design was now a known vulnerability.
The next mystery to solve was how the attacker managed to appear from nowhere. We could see from the CCTV footage his car, parked out front. Then, him entering the building. Nowhere was there visual evidence of his route from the car to the entrance. I scoured footage for what felt like hours, until it hit me. I was only looking at 25 camera feeds, but I’d counted 26 on my first visit. The camera above the entrance was dead. And from what the guard could tell me, it had been non-operational for some time. Did the attacker take the camera offline while he was there or was it a coincidence that had simply gone unnoticed?
Using a ladder, I retrieved the camera. It was full of liquid, which isn’t altogether surprising in a place that gets almost 200 days of rain a year—but this wasn’t rainwater, it was sabotage. The attacker had come in advance and killed the camera with water from a faucet, creating a blind spot at the point of entry.
We’d made a big step forward. We now knew how the attacker had evaded security to enter the building and how he had bypassed the electronic locks. This guy wasn’t an opportunist. He clearly knew where he was going, how to bypass the guards’ set route, and how to make an exit. Never once did he hesitate or retrace his steps; he was always walking away from them and entered rooms only once. When he left the building, he did so through a door to the rear carpark and drove away.
I followed his path step-by-step to see how long it took from start to finish. Again, and again, I tried, but was at least 5 minutes quicker than him every time. I mimicked his detours and stopping points, yet something was missing. There was a step we couldn’t see. I left, got in my car, and drove around the site to scout out the immediate area. There was an ATM but a 2-minute walk away. Surely not. Surely the attacker wasn’t bold enough to use this before making his escape. It was a possibility enough, so we contacted the police and explained the situation, making the case that we suspected the attacker had visited the ATM. The machine had cameras installed as we’d hoped, giving us a perfect shot of his face, up close and personal.
The police recognized the attacker as a professional criminal based in the Baltics. There was a warrant in his name, and he'd been “wanted” some 15 years. He was well-known, notorious for stealthily breaking into buildings to carry out targeted jobs. This proved our initial theory: the attack wasn’t a random operation from a group of troublemakers breaking locks. It was planned. But what was his motive?
Though we could trace the attacker’s walking route, there were some blind spots where CCTV cameras were pointing the wrong way or didn’t exist at all. This left us wondering what he had been up to whilst in the building—where could he have easily gone without being seen? Nothing struck us. The CCTV evidence had been exhausted. It was time to look at some computers...
First, I scoured through the logs on the card-operated physical access control system, which ran separately to the system controlling the external electromagnetic locks. We found out which rooms the attacker had accessed, but this raised a glaring question—where had he got his access card from? The events couldn’t be tied to any existing user access card, so he’d been moving freely with a card that was never officially issued to someone. For and by whom it was created we couldn’t tell, but it had been activated 4 years prior, with privileges to go anywhere in the building. The attacker had his very own skeleton key.
The logs led us to rooms familiar to the team, then, one that wasn’t. Side by side with the CISO and one of the guards, I ventured into what was assumed to be a cleaning closet. What we found was a small hosting room, full of servers. And not just any servers; it was a junction point for devices owned by telecommunications organizations and internet service providers (ISPs). The client was housing a co-operative hosting facility for tenants dealing in critical national infrastructure (CNI) and not one person I’d spoken to knew about it.
Naturally, the CISO contacted each tenant immediately and worked with them to investigate for any unexpected changes and indicators of compromise. Everything looked normal—no outages or device reboots. This was a good sign, as telco devices must usually be rebooted to enable malicious use. I then performed forensic investigations on each device and still found nothing. The CCTV showed that the attacker didn’t take anything substantial into the room, nor leave with it. No smoking gun.
The attacker was out of our reach, so we turned quickly to remediation. As with any network breach, especially a domain compromise, you must eliminate the route the attacker took in. The client had been well-prepared for an attack in many respects. Even at the leadership level, there was a candid awareness that the organization would be (and probably was being) targeted. Still, the attack had highlighted weaknesses that made it susceptible to risk.
I conducted a physical attack path mapping (APM) exercise across the facility. That is, identifying all possible routes to the hosting room, other sensitive areas, and the vulnerabilities within these. CCTV cameras were fixed, readjusted, and added. The organization invested in a smarter alarm system. All the locks were changed. The security team reviewed each access card and invalidated those without an existing employee ID.
Finally, we recommended the client perform an open source intelligence (OSINT) gathering exercise. The attacker—and whoever he was working for—had significant prior knowledge of the HQ building and its systems. His ability to navigate so shrewdly was evidence he had acquired a map or blueprint, for example. And seeing as the hosting room wasn’t common knowledge, even within the business, he’d done his research well. (It turned out that the previous CISO had simply forgotten to tell their successor of the room’s existence. As they say: the best laid plans of mice and men often go awry.)
1 month later, following the implementation of our recommendations, the attacker returned. He tried to enter through a door at the side of the building this time, much closer to the hosting room. However, with the physical perimeter hardened, he wasn’t successful. He returned to the car and drove away, likely to the ferry port and no doubt vexed. That was the last the client saw of him.
We still don’t know what happened in that hosting room. Whether the attacker came back to finish the job or retrieve something he left behind remains unanswered, so this story ends with an air of mystery. And yet, both we and the client learnt so much from that his first attempt. What happened, happened, providing us with actionable threat intelligence on the attacker and the motivated adversary that hired him. The remediations the client took in response protected them from a second assault that would have in all likelihood resulted in greater harm.
Whatever the nature of your workplace, its physical and digital environments are interconnected. This means the same techniques we use to catch an attacker in their tracks on a network can be applied to bricks-and-mortar. In both cases, it’s the ability to see those environments exactly how attackers do that will give you the edge as a defender.