DNS tunneling exfiltration at an upscale law firm · 8 GB of client files leaked in 3 months
An anomalous DNS query pattern was detected at the firewall of an upscale law firm: a single endpoint making 12,000 TXT record queries per day, a subdomain pattern of 60-char base64-like text (a DNS tunnel signature). 8 GB of client files had leaked in 3 months. With a DNS firewall + a forensic investigation + KVKK compliance, DSET achieved a 50% insurance reimbursement and 18 months of clean operation.
01 The Challenge
Firewall DNS query log: a single endpoint juristic-asst.lawfirm.local making 12K TXT record queries per day. The subdomain pattern 60-char base64-like (an iodine/dnscat2 signature). Endpoint hijack: a phishing "CV.zip" 3 months earlier → an Excel macro → a reverse shell. The C2 server a Chinese VPN, an APT41 (Wicked Panda) TTP match. 680 clients affected; 3 case files leaked before being submitted to court.
02 DSET's Approach
T+0 · Cut the tunnel
The endpoint was isolated + a DNS firewall (RPZ) set up; the DSET forensic investigation + the KVKK notification counter started. The tunnel was cut within 22 minutes.
T+72h · Forensic investigation
DNS log carving: 8 GB of data base64-decoded, 14 large client files. The C2 server a Chinese VPN, an APT41 TTP match.
T+1 week · KVKK + client communication
The KVKK 72-hour breach notification was filed, no penalty. An official notification to 680 clients, a warning to opposing parties for 3 major cases.