Incident Score: Analysis & Impact (HIGLEG1780417591)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with moderate confidence (60%), supported by evidence indicating deliberate focus on US telecom infrastructure rather than opportunistic attacks and Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating attackers maintaining access for weeks before public disclosure. Under the Persistence tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (80%), supported by evidence indicating attackers maintaining access for weeks before public disclosure and External Remote Services (T1133) with moderate confidence (50%), supported by evidence indicating telecom infrastructure likely exposed to remote access vectors. Under the Credential Access tactic, the analysis identified Unsecured Credentials (T1552) with moderate confidence (60%), supported by evidence indicating highly sensitive data including subscriber identity records compromised and OS Credential Dumping (T1003) with moderate confidence (50%), supported by evidence indicating attackers maintained access for weeks, implying credential harvesting. Under the Discovery tactic, the analysis identified Account Discovery (T1087) with moderate to high confidence (70%), supported by evidence indicating subscriber identity records, CDRs, and billing records targeted and Network Service Discovery (T1046) with moderate confidence (60%), supported by evidence indicating network routing configurations and E911 data compromised. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating subscriber identity records, CDRs, SMS metadata, billing records compromised and Data from Information Repositories (T1213) with moderate to high confidence (80%), supported by evidence indicating network routing configurations and law enforcement intercept data accessed. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating data exfiltration confirmed; Play ransomware added victim to dark web leak site and Exfiltration Over Web Service (T1567) with moderate confidence (60%), supported by evidence indicating telecom sector targeting suggests use of web-based exfiltration. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with moderate to high confidence (80%), supported by evidence indicating play ransomware strain involved; ransomware typically encrypts data and Defacement (T1491) with moderate to high confidence (70%), supported by evidence indicating victim added to dark web leak site as part of ransomware extortion. Under the Command and Control tactic, the analysis identified Application Layer Protocol (T1071) with moderate to high confidence (70%), supported by evidence indicating attackers maintained access for weeks, implying C2 communication and Ingress Tool Transfer (T1105) with moderate confidence (60%), supported by evidence indicating ransomware deployment suggests tool transfer for execution. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.