Incident Score: Analysis & Impact (HIGLEG1780417591)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with moderate confidence (60%), supported by evidence indicating deliberate focus on US telecom infrastructure rather than opportunistic attacks and Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating attackers maintaining access for weeks before public disclosure. Under the Persistence tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (80%), supported by evidence indicating attackers maintaining access for weeks before public disclosure and External Remote Services (T1133) with moderate confidence (50%), supported by evidence indicating telecom sector targeting suggests remote access to internal systems. Under the Privilege Escalation tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating access to E911 emergency services data and law enforcement intercept infrastructure. Under the Defense Evasion tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating attackers maintaining access for weeks before detection and Hide Artifacts (T1564) with moderate confidence (60%), supported by evidence indicating play ransomwares track record of following through on leak site threats. Under the Credential Access tactic, the analysis identified OS Credential Dumping (T1003) with moderate to high confidence (70%), supported by evidence indicating access to subscriber identity records, billing records, and network routing configurations and Unsecured Credentials (T1552) with moderate confidence (60%), supported by evidence indicating telecom infrastructure likely contains unsecured credentials for critical systems. Under the Discovery tactic, the analysis identified Account Discovery (T1087) with moderate to high confidence (70%), supported by evidence indicating exposure of subscriber identity records and call detail records (CDRs) and Network Service Discovery (T1046) with moderate confidence (60%), supported by evidence indicating access to network routing configurations and E911 emergency services data. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating subscriber identity records, CDRs, SMS metadata, billing records compromised and Data from Information Repositories (T1213) with moderate to high confidence (80%), supported by evidence indicating access to network routing configurations and law enforcement intercept infrastructure. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating data exfiltration confirmed; Play ransomware added Hightower to dark web leak site and Transfer Data to Cloud Account (T1537) with moderate confidence (50%), supported by evidence indicating ransomware groups often exfiltrate data to cloud storage before leaking. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with moderate to high confidence (80%), supported by evidence indicating play ransomware is known for encrypting victim data and Defacement (T1491) with moderate to high confidence (70%), supported by evidence indicating added to dark web leak site as a form of public defacement. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.