Weekly Threat Report 23rd February 2018

Created:  23 Feb 2018
Updated:  23 Feb 2018
NCSC Threat Report
This report is drawn from recent open source reporting.

Cloud security - FedEx data leak from AW

Adoption of cloud computing (the process of providing applications, processing power and storage through remote servers over the internet) is increasing amongst medium and large organisations. However, as cloud is adopted, the securing of services in the cloud as well as the security claims of the cloud provider become mission critical priorities for both private and public-sector enterprises.

Media reports that scanned documents containing the identity details of up to 120,000 people have been freely available on a misconfigured Amazon Web Services, Simple Storage Service (AWS S3) server used by the shipping company FedEx. Cloud storage providers have previously been associated with a large scale data breach at Verizon.

Where cloud storage services are breached the ultimate reason almost always appears to be poor security configuration. Ensuring that good security practices are followed by all users and providers of cloud services would, therefore, prevent most breaches. The NCSC has published guidance available here.

Former employee jailed for intentionally damaging computer network

A disgruntled former Canadian Pacific Railway (CPR) employee was sentenced last week to a year in prison for intentionally causing damage to CPR’s computer network. It is unclear whether train services were affected, but the incident is reported to have cost the organisation approximately $30,000.

In December 2015, the employee resigned from CPR after being informed that he would be fired for insubordinate behaviour. However, before returning his laptop and remote access authentication token to the organisation, the disgruntled individual accessed CPR’s core computer network switches, through which critical data flows. He strategically deleted files, removed admin accounts or changed their passwords, returning the laptop after wiping its hard drive of any evidence of his actions. This meant IT staff were unable to access the switches, forcing them to reboot the network, causing a system outage. Forensic investigations of systems allowed the damage to be traced back to the individual concerned.

This case is a good example of how disgruntled, former employees can pose a cyber threat to organisations. Such insider threats are not unique to the rail sector. Public and private organisations in every sector need to be vigilant to such threats. It highlights the importance of ensuring IT privileges and account access is suspended when a staff member’s employment is due to be terminated, preventing malicious cyber activity from being conducted.

India City Union Bank SWIFT Related Attack

In the last week, the Russian Central Bank reported that an undisclosed Russian bank was targeted in late 2017 in a SWIFT related cyber attack. Since then, India City Union Bank reported that they had suffered a SWIFT fraud style incident over the weekend. Some local reporting suggested that insider activity led to the heist, however this has been denied by India City Union Bank. They stated that they had been attacked by “international cyber-criminals and there is no evidence of internal staff involvement”.

In these types of attacks the local infrastructure is targeted and compromised, with local valid operator credentials being used to access the SWIFT system. The attackers then submit fraudulent payment messages. The SWIFT system itself is not breached. SWIFT increased its security measures in 2017, but this particular attack methodology remains lucrative.

In the case of India City Union Bank, $2 million dollars were fraudulently taken, and funds transferred to Dubai, Turkey and China. India City Union Bank were able to block some payments but are said to be working to recoup a missing $1 million. It is notable that some recent victims may have a better security posture than previous victims of SWIFT fraud. It is possible that increasing sophistication by threat actors is enabling them to target a broader range of organisations, and or, they are exploiting the possibility of the insider threat.


The Cyber Security Information Sharing Partnership (CiSP) is a great way of learning more about threat information as well as engaging with industry and government counterparts. Follow the link below for more information.

Join CiSP

Was this report helpful?

We need your feedback to improve this content.

Yes No