People responsible for safety on a multinational company of the financial sector, detect, by means of their Security Operation Center (SOC) some suspicious connections on their system and request from Winterman an advanced support level to analyse them.

We quickly began an analysis which confirmed, after a few hours, that we were before an intrusion. Our response to Safety Incidents provided a quick and effective support, as an early response was vital to minimise the damages.

After carrying out the pertinent contingency measures to deactivate that intrusion, we proceeded to the exhaustive analysis of the scope of the same. On the following days, multiple aspects were analysed on a forensic level, and it was thus possible to reconstruct the activity carried out by the intruders.

The results clarified what had happened. Intruders have infected some computers of the company by e-mails containing malicious attached documents.

Infection had allowed the attackers to increase their privileges and gain access to the servers of the organisation. By means of another malicious software, especially designed for their activities, they had obtained confidential information, but not of the highest level.

Intrusion could be stopped on an early stage, keeping out of reach of the attack the most sensitive information of the company. Besides, the forensic analysis of the malicious software allowed locating part of the infrastructure of the attackers and it was possible to estimate who was behind that attack, or Advanced Persistent Threat (APT).