Detection and cleanup of a 14-month APT intrusion at a metropolitan municipality
An APT group that had stayed active for 14 months in the systems of a metropolitan municipality was detected by the DSET threat hunting team. Finance · archive · waste management data had been exfiltrated. A comprehensive cleanup in coordination with USOM.
01 The Challenge
The municipality's SIEM system was issuing anomalous C2 traffic alerts but they had been dismissed as "probably internal IT." When DSET threat hunting stepped in, it became clear the APT group had been inside for 14 months. The start: the waste collection management system (a user with a weak password). Then: finance · personnel records · the archive. A total of ~340 GB of data had been exfiltrated.
02 DSET's Approach
MITRE ATT&CK mapping
The C2 traffic patterns aligned with APT28 (Fancy Bear) TTPs. The custom backdoor used was identified as an 'X-Agent' derivative.
Threat hunting
Through memory forensics + endpoint trace analysis, a persistent presence was detected on 47 different hosts. Processes disguised as system services.
Choke point
To avoid losing the connection to the C2 server, the attacker was exfiltrating data slowly. A DNS tunnel + an exfiltration channel hidden inside images were detected.
USOM coordination
IoC sharing with USOM · blocking of the C2 IPs across Turkey · a proactive warning to the relevant public institutions.