COLUMBIA, S.C. (AP) — A report from computer security firm Mandiant provides a timeline of the cyber-attack on South Carolina's Revenue agency:
—Aug. 13: A phishing email went to multiple Revenue employees, and at least one clicked on the embedded link, executing malware that likely stole the user's username and password.
—Aug. 27: The attacker logged into Revenue's remote access service using legitimate credentials. The attacker logged into the employee's workstation and leveraged his or her credentials to access other Revenue systems and databases.
—Aug. 29: The attacker executed utilities designed to obtain user account passwords on six servers.
—Sept. 1: The attacker executed a utility to obtain user account passwords for all Windows user accounts, plus installed malicious software on one server.
—Sept. 2: The attacker interacted with 21 servers using a compromised account and performed reconnaissance activities.
—Sept. 3: The attacker interacted with eight servers using a compromised account.
—Sept. 4: The attacker interacted with six systems.
—Sept. 11: The attacker interacted with three systems.
—Sept. 12: The attacker copied database backup files to a staging directory.
—Sept. 13-14: The attacker compressed the database backup files into 14 encrypted archives, then moved those from the database server to another server and sent the data to an Internet system. The backup files and archives were then deleted.
—Sept. 15: The attacker interacted with 10 systems using a compromised account.
—Oct. 10: The U.S. Secret Service notifies state officials of the breach.
—Oct. 12: The state contracts with Mandiant.
—Oct. 17: The attacker checked connectivity to a server using the backdoor previously installed on Sept. 1, but there's no evidence of additional activity.
—Oct. 19-20: Revenue puts in place Mandiant's short-term recommendations to remove the attacker's access. No evidence of malicious activity has been discovered since.
A summary of the attack's scope:
—The attacker compromised 44 systems: One had malicious software or backdoor installed, three had database backups or files stolen, one was used to send data out to the attacker, 39 were accessed.
—The attacker used at least 33 unique pieces of malicious software and utilities: A backdoor, as well as multiple password dumping tools, administrative utilities, Windows batch scripts, and generic utilities to execute commands against databases
—The attacker remotely accessed Revenue's systems using at least four IP addresses.
—At least four valid Revenue user accounts were used during the attack.
Sources: Mandiant and the office of Gov. Nikki Haley