
Successful Malware Incident Investigation for a Major Ukrainian Public Agency by FS Group

A leading Ukrainian government agency with a critical national function and over 100,000 employees reached out to FS Group to investigate the case of a major DDoS attack that couldn’t be solved with the agency’s own resources. FS Group successfully located the source of infected files, identified the vulnerability, and solved the incident.

The Challenge

A malware-infected file was identified on an employee’s PC. Although the file was automatically deleted, the cybersecurity department still needed to ensure that the infected file had been completely removed and that the file system was threat-free.

Tasks to be completed:

  • Locate the remaining infected files
  • Understand the causes of the incident
  • Prevent further damage

However, the agency lacked the relevant expertise and tools needed to investigate the incident promptly.

With sensitive public data and critical system operations at risk, the stakes were high.

For this reason, the agency requested FS Group’s incident response services.

The Solution

  1. FS Group used the digital forensic platform Autopsy Digital Forensics to examine the provided SSD with the infected file system.
  2. By searching with keywords from the infected document, the FS Group specialist found the folder where the infected file was likely located. Then, using keywords from this folder, FS Group found antivirus logs with information about the malware.
  3. The antivirus scan results indicated that the Word files were infected through the file “vbaProject.bin”. This is a binary file that contains the code of Microsoft Visual Basic for Applications (VBA) programs, which enable process automation in Microsoft Office products such as Excel, Word, PowerPoint, and others. It may include macros that perform specific tasks within programs supporting VBA.

Using this information, FS Group assumed that the documents were infected via malicious Office macros. When a user downloads the Office document and is convinced by fake warnings to enable macros, the malicious code executes and infects the user’s system.
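One way to triage a mounted evidence copy for other Office documents that carry a “vbaProject.bin” part, as an added example that is not FS Group's tooling or part of the original case study. The function names, the finding tags and the sample tree are constructed for illustration, and the sketch assumes the documents are OOXML (ZIP) containers.

```python
import os
import tempfile
import zipfile

# OOXML extensions to inspect; the "x" variants are the macro-free formats.
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
MACRO_FREE = {".docx", ".xlsx", ".pptx"}

def scan_for_vba(root):
    """Return sorted (relative path, finding) tuples for OOXML files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in OOXML_EXTS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with zipfile.ZipFile(path) as zf:
                    parts = [n for n in zf.namelist()
                             if n.lower().endswith("vbaproject.bin")]
            except (zipfile.BadZipFile, OSError):
                # Legacy, encrypted or damaged file: needs manual review.
                findings.append((rel, "not-a-zip"))
                continue
            if parts:
                tag = "vba-in-macro-free-ext" if ext in MACRO_FREE else "vba"
                findings.append((rel, tag))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample evidence: tiny stand-in archives, not real documents."""
    def make(name, members):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            for member in members:
                zf.writestr(member, b"constructed placeholder")
    make("report.docx", ["word/document.xml"])
    make("invoice.docm", ["word/document.xml", "word/vbaProject.bin"])
    make("renamed.docx", ["word/document.xml", "word/vbaProject.bin"])
    with open(os.path.join(root, "broken.docx"), "wb") as fh:
        fh.write(b"constructed non-zip bytes")

def run_sample():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_vba(tmp)

if __name__ == "__main__":
    for rel, tag in run_sample():
        print(f"{tag:24} {rel}")
```

A hit only means the document contains a VBA project; whether the macro is malicious still has to be established from the antivirus logs or by analysing the macro code.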

Result

As a result, FS Group

  • Located the source of infected files in the system.
  • Identified the vulnerability: the way malware infected the employee’s PC.
  • Prepared a detailed 20-page report with screenshots, references, and links.
  • Optimized investigation time and took less than 1 week to conduct a detailed incident investigation and prepare the report.
  • Supported the agency’s cybersecurity team and took timely and appropriate steps to ensure the safety of the critical organization.

 

6.06 billion malware attacks happened in 2023.

$2.60 million: the average cost of a data breach in the public sector in 2023.

40% of IT security decision-makers feel they need to respond to incidents more quickly.

Key takeaways

The successful result of this case was possible thanks to the FS Group’s Incident Response Team services.

FS IRT is one of the solutions FS Group provides to the government agency. An annual subscription includes the following services:

  • Consultations and training on how to improve the client’s cybersecurity posture;
  • A monthly newsletter that highlights emerging vulnerabilities and threats, along with recommendations to address them;
  • Information security incident investigation;
  • Annual penetration testing.

What clients say

“Having worked with FS Group previously, I trusted them to handle crises effectively. They acted quickly and collaborated seamlessly with my team. Their communication was clear and transparent throughout the investigation, which gave me confidence that the situation was under control.”

Deputy CISO, client’s cybersecurity department
