Hacking RUAG. Swiss CERT revealed details of the attack


In May the public became aware of a cyberattack on a major Swiss military contractor. At first RUAG denied any allegation that sensitive data had leaked. Today Swiss CERT published a detailed report on the attack, explaining how it happened and when.

The report is available here; anyone can download and read it.

According to the researchers' findings, the breach took place in September 2014 but was only discovered in January 2016. The attackers had access to RUAG's network for over a year, and they almost certainly stole a large amount of confidential information.

The report summary says: "The attackers showed great patience during the infiltration and lateral movement. They only attacked victims they were interested in by implementing various measures, such as a target IP list and extensive fingerprinting before and after the initial infection. After they got into the network, they moved laterally by infecting other devices and by gaining higher privileges".

The researchers could not determine how the attackers initially breached the network: log files from the time of the intrusion had long since been deleted, and many of the computers involved had been reinstalled or replaced.

The attackers were careful when stealing information. They disguised data exfiltration as ordinary HTTP traffic and used port 80/TCP to connect to their C&C servers.
