Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
Analyze » SELEC (Southeast European Law Enforcement Center) » SOUSOU1778164084

Incident Score: Analysis & Impact (SOUSOU1778164084)

The details regarding individual company incidents & reports gives you full view from every side.

Rankiteo Score Impact Analysis

Rankiteo Incident Impact-27
Company Score Before Incident757 / 1000
Company Score After Incident730 / 1000
INCIDENT NUMBERSOUSOU1778164084
Type of Cyber IncidentCyber Attack
ATTACK VECTORPhishing, DLL side-loading, Proxy tunneling, Legitimate cloud services abuse
DATA EXPOSEDGovernment intelligence, sensitive communications
INCIDENT DATE31/12/2024
STATUSOngoing

Key Highlights From The Incident Analysis

  • Timeline of SELEC (Southeast European Law Enforcement Center)'s Cyber Attack and lateral movement inside company's environment.
  • Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
  • How Rankiteo’s incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts SELEC (Southeast European Law Enforcement Center) Rankiteo cyber scoring and cyber rating.
  • Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the SELEC (Southeast European Law Enforcement Center) breach identified under incident ID SOUSOU1778164084.

The analysis begins with a detailed overview of SELEC (Southeast European Law Enforcement Center)'s information like the linkedin page: https://www.linkedin.com/company/southeast-european-law-enforcement-center-selec, the number of followers: 1673, the industry type: Law Enforcement and the number of employees: 7 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 757 and after the incident was 730 with a difference of -27 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on SELEC (Southeast European Law Enforcement Center) and their customers.

A newly reported cybersecurity incident, "China-Linked UAT-8302 Hackers Target Government Agencies in South America and Southeastern Europe", has drawn attention.

A sophisticated China-linked advanced persistent threat (APT) group, tracked as UAT-8302, has been conducting covert cyberespionage campaigns against government agencies in South America and southeastern Europe since at least late 2024, with operations intensifying through 2025.

The disruption is felt across the environment, affecting Government agency endpoints, cloud services (OneDrive, GitHub), and exposing Government intelligence, sensitive communications.

Formal response steps have not been shared publicly yet.

The case underscores how Ongoing, teams are taking away lessons such as State-backed APT groups are increasingly leveraging legitimate cloud services and open-source tools to evade detection, necessitating enhanced monitoring of unusual activity in trusted platforms, and recommending next steps like Implement multi-factor authentication (MFA) for all government systems, Monitor and restrict access to legitimate cloud services (e.g., OneDrive, GitHub) for unusual activity and Deploy advanced threat detection for DLL side-loading and proxy tunneling techniques, with advisories going out to stakeholders covering Government agencies in South America and Southeastern Europe should review their cybersecurity posture and monitor for indicators of compromise (IoCs) associated with UAT-8302.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

MITRE ATT&CK® Correlation Analysis

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing (T1566) with moderate to high confidence (80%), supported by evidence indicating attack vector such as Phishing and Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.002) with moderate confidence (50%), supported by evidence indicating dLL side-loading to deploy malware. Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with moderate to high confidence (70%), supported by evidence indicating custom malware (NetDraft, CloudSorcerer v3) deployed and Command and Scripting Interpreter: PowerShell (T1059.001) with moderate confidence (60%), supported by evidence indicating open-source tools (gogo, naabu, httpx) used. Under the Persistence tactic, the analysis identified Create or Modify System Process: Windows Service (T1543.003) with moderate to high confidence (70%), supported by evidence indicating malware alters behavior based on host process (spoolsv.exe), Hijack Execution Flow: DLL Side-Loading (T1574.002) with high confidence (90%), supported by evidence indicating dLL side-loading to deploy malware while avoiding detection, and External Remote Services (T1133) with moderate to high confidence (80%), supported by evidence indicating proxy tunneling (Stowaway, SoftEther VPN) for persistent access. Under the Privilege Escalation tactic, the analysis identified Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) with moderate confidence (60%), supported by evidence indicating credential harvesting via adconnectdump.py, SharpGetUserLoginRDP and Hijack Execution Flow: DLL Side-Loading (T1574.002) with moderate to high confidence (80%), supported by evidence indicating dLL side-loading to deploy malware. Under the Defense Evasion tactic, the analysis identified Masquerading: Match Legitimate Name or Location (T1036.005) with high confidence (90%), supported by evidence indicating malware alters behavior based on host process (dnapimg.exe, spoolsv.exe), Hijack Execution Flow: DLL Side-Loading (T1574.002) with high confidence (90%), supported by evidence indicating dLL side-loading to avoid detection, Valid Accounts (T1078) with moderate to high confidence (80%), supported by evidence indicating credential harvesting via adconnectdump.py, SharpGetUserLoginRDP, and Hide Artifacts: Email Hiding Rules (T1564.008) with moderate confidence (50%), supported by evidence indicating legitimate cloud services (OneDrive, GitHub) abused. Under the Credential Access tactic, the analysis identified OS Credential Dumping: LSASS Memory (T1003.001) with moderate to high confidence (80%), supported by evidence indicating credential harvesting via adconnectdump.py, Credentials from Password Stores (T1555) with moderate to high confidence (70%), supported by evidence indicating sharpGetUserLoginRDP tool used for credential harvesting, and Brute Force: Password Guessing (T1110.001) with moderate confidence (60%), supported by evidence indicating deep reconnaissance before lateral movement. Under the Discovery tactic, the analysis identified Account Discovery: Domain Account (T1087.002) with moderate to high confidence (80%), supported by evidence indicating deep reconnaissance of compromised endpoints, Network Service Discovery (T1046) with high confidence (90%), supported by evidence indicating open-source tools (naabu, httpx, PortQry) used for reconnaissance, and File and Directory Discovery (T1083) with moderate to high confidence (70%), supported by evidence indicating system profiling via dnapimg.exe. Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with moderate to high confidence (70%), supported by evidence indicating sharpGetUserLoginRDP tool used for credential harvesting and Lateral Tool Transfer (T1570) with moderate to high confidence (80%), supported by evidence indicating deep reconnaissance before lateral movement. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating government intelligence, sensitive communications compromised and Automated Collection (T1119) with moderate to high confidence (80%), supported by evidence indicating custom malware (NetDraft, CloudSorcerer v3) for data exfiltration. Under the Command and Control tactic, the analysis identified Web Service: Bidirectional Communication (T1102.002) with high confidence (90%), supported by evidence indicating oneDrive, GitHub used for C2 communication, Proxy: Multi-hop Proxy (T1090.003) with moderate to high confidence (80%), supported by evidence indicating proxy tunneling (Stowaway, SoftEther VPN) for persistent access, and Encrypted Channel: Symmetric Cryptography (T1573.001) with moderate to high confidence (70%), supported by evidence indicating malware uses legitimate cloud services to blend traffic. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating data exfiltration via OneDrive, GitHub and Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) with high confidence (90%), supported by evidence indicating oneDrive used for C2 and exfiltration. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.

Initial Access
Phishing (80%)
Supply Chain Compromise: Compromise Software Dependencies and Development Tools (50%)
Execution
User Execution: Malicious File (70%)
Command and Scripting Interpreter: PowerShell (60%)
Persistence
Create or Modify System Process: Windows Service (70%)
Hijack Execution Flow: DLL Side-Loading (90%)
External Remote Services (80%)
Privilege Escalation
Abuse Elevation Control Mechanism: Bypass User Account Control (60%)
Hijack Execution Flow: DLL Side-Loading (80%)
Defense Evasion
Masquerading: Match Legitimate Name or Location (90%)
Hijack Execution Flow: DLL Side-Loading (90%)
Valid Accounts (80%)
Hide Artifacts: Email Hiding Rules (50%)
Credential Access
OS Credential Dumping: LSASS Memory (80%)
Credentials from Password Stores (70%)
Brute Force: Password Guessing (60%)
Discovery
Account Discovery: Domain Account (80%)
Network Service Discovery (90%)
File and Directory Discovery (70%)
Lateral Movement
Remote Services: Remote Desktop Protocol (70%)
Lateral Tool Transfer (80%)
Collection
Data from Local System (90%)
Automated Collection (80%)
Command and Control
Web Service: Bidirectional Communication (90%)
Proxy: Multi-hop Proxy (80%)
Encrypted Channel: Symmetric Cryptography (70%)
Exfiltration
Exfiltration Over C2 Channel (90%)
Exfiltration Over Web Service: Exfiltration to Cloud Storage (90%)

Sources & References