UK Ministry of Defence Breach Incident Score: Analysis & Impact (UK-4762947111425)
This Rankiteo video explains how UK Ministry of Defence was impacted by a breach on June 16, 2021.
Incident Summary
Key Highlights From This Incident Analysis
- Timeline of UK Ministry of Defence's breach and lateral movement inside the company's environment.
- Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
- How Rankiteo's incident engine converts technical details into a normalized incident score.
- How this cyber incident impacts UK Ministry of Defence Rankiteo cyber scoring and cyber rating.
- Rankiteo's MITRE ATT&CK correlation analysis for this incident, with associated confidence level.
Full Incident Analysis Transcript
In this Rankiteo incident briefing, we review the UK Ministry of Defence breach identified under incident ID UK-4762947111425.
The analysis begins with a detailed overview of UK Ministry of Defence's profile: the LinkedIn page (https://www.linkedin.com/company/uk-ministry-of-defence), the number of followers (676008), the industry type (Defense and Space Manufacturing) and the number of employees (29703).
After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 790 and after the incident was 513, a difference of -277, which can serve as an indicator of the severity and impact of the incident.
In the next step of the video, we analyze the incident in more detail, along with the impact it had on UK Ministry of Defence and their customers.
UK Ministry of Defence (MoD) recently reported "UK Ministry of Defence (MoD) Afghan Relocation Data Breach (2022-2023)", a noteworthy cybersecurity incident.
The UK Ministry of Defence (MoD) suffered a major data breach in 2022 where personal details of nearly 19,000 Afghans applying for the Afghan Relocations and Assistance Policy (ARAP) scheme were leaked.
The disruption is felt across the environment, affecting Excel spreadsheets and MoD internal data handling systems and exposing the personal details of ~19,000 ARAP applicants (names, contact information and other sensitive data), with about 19,000 records at risk, plus an estimated financial loss of £850 million (estimated cost of the ARR scheme, excluding legal/compensation costs).
In response, teams activated the incident response plan and moved swiftly to contain the threat.
- Containment measures: super injunction imposed (Sept 2023, lifted July 2024); removal of leaked data from Facebook.
- Remediation: introduction of a dedicated, secure casework system for Afghan resettlement; improvements in data handling processes across MoD.
- Recovery efforts, still continuing: establishment of the Afghanistan Response Route (ARR) for resettlement; public apology by Defence Secretary John Healey.
- Stakeholder communications: public disclosure after the lifting of the super injunction (July 2024), parliamentary scrutiny and the PAC report, and media statements.
The case remains ongoing (PAC oversight, MoD internal improvements).
- Lessons learned: inadequate data handling processes and culture within MoD; failure to act on prior warnings and breaches (e.g., 2021 incidents reported to the ICO); risks of using inappropriate systems (e.g., Excel) for sensitive data.
- Recommended next steps: implement and enforce secure data handling systems (e.g., dedicated casework platforms); conduct regular audits and risk assessments for sensitive data; enhance employee training on data protection and cybersecurity.
- Advisories to stakeholders cover parliamentary scrutiny, Public Accounts Committee recommendations and Information Commissioner's Office (ICO) involvement.
Finally, we map the incident against the MITRE ATT&CK framework to see which tactics and techniques correlate with what was observed.
The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.
Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence.
Initial Access:
- Phishing: Spearphishing Link (T1566.002), lower confidence (20%). Evidence: social media leak (Facebook) listed under attack_vector (possible unintentional exposure via phishing/social engineering).
- Valid Accounts: Cloud Accounts (T1078.004), lower confidence (30%). Evidence: Facebook group leak implies potential abuse of legitimate platform accounts for data exposure.
Collection:
- Data from Local System (T1005), high confidence (95%). Evidence: use of inappropriate systems (Excel) for sensitive data; Excel spreadsheets listed as affected systems.
- Data from Information Repositories (T1039), high confidence (90%). Evidence: personal details of ~19,000 ARAP applicants collected from MoD internal repositories.
Exfiltration:
- Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol: Exfiltration Over Alternative Protocol (T1048.003), high confidence (90%). Evidence: excerpts from spreadsheets posted on Facebook (unencrypted public platform).
- Exfiltration to Cloud Storage: Exfiltration to Web Services (T1567.002), high confidence (95%). Evidence: social media leak (Facebook); excerpts from spreadsheets posted on Facebook.
Impact:
- Data Destruction (T1485), lower confidence (10%). Evidence: removal of leaked data from Facebook (post-exfiltration mitigation, not primary technique).
- Data Encrypted for Impact (T1486), lower confidence (5%). Evidence: data was not encrypted (stored in unsecured Excel spreadsheets); the lack of encryption contributed to impact, but there was no active encryption by an attacker.
- Defacement: External Defacement (T1491.002), moderate to high confidence (70%). Evidence: excerpts from spreadsheets posted on Facebook (public defacement of sensitive data).
- Lower confidence (0%): Inter-Process Communication: Component Object Model Hijacking (T1659), Network Denial of Service: Reflection Amplification (T1498.002), Defacement: Internal Defacement (T1491.001), Inhibit System Recovery (T1490), Firmware Corruption (T1495), Service Stop (T1489), Endpoint Denial of Service: Application Exhaustion Flood (T1499.004), Resource Hijacking (T1496), Network Denial of Service: Direct Network Flood (T1498.001).
Defense Evasion:
- Indicator Removal: File Deletion (T1070.004), lower confidence (30%). Evidence: removal of leaked data from Facebook (post-incident, not attacker-driven evasion).
- Indicator Removal (T1070), lower confidence (10%). Evidence: super injunction imposed (Sept 2023) (legal suppression, not technical evasion).
- Impair Defenses: Disable or Modify Tools (T1562.001), lower confidence (0%).
Credential Access:
- Unsecured Credentials: Credentials In Files (T1552.001), moderate to high confidence (80%). Evidence: use of inappropriate systems (Excel) for sensitive data; lack of data encryption.
Lateral Movement:
- Account Discovery: Domain Account (T1087.002), lower confidence (10%). Evidence: personal details of ~19,000 ARAP applicants (possible account enumeration, but no direct evidence).
Persistence:
- Account Manipulation: Additional Cloud Credentials (T1098.003), lower confidence (5%). Evidence: Facebook group leak (hypothetical persistence via cloud account abuse, no direct evidence).
Privilege Escalation:
- Valid Accounts: Default Accounts (T1078.001), lower confidence (0%).
- Valid Accounts: Local Accounts (T1078.003), lower confidence (0%).
Discovery:
- File and Directory Discovery (T1083), moderate to high confidence (70%). Evidence: Excel spreadsheets accessed and exfiltrated (implies file discovery).
- System Information Discovery (T1082), lower confidence (0%).
Command and Control:
- Application Layer Protocol: Web Protocols (T1071.001), moderate to high confidence (80%). Evidence: excerpts from spreadsheets posted on Facebook (abuse of web protocols for C2-like exfiltration).
- Ingress Tool Transfer (T1105), lower confidence (0%).
These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.
Sources
- UK Ministry of Defence Rankiteo Cyber Incident Details: http://www.rankiteo.com/company/uk-ministry-of-defence/incident/UK-4762947111425
- UK Ministry of Defence CyberSecurity Rating page: https://www.rankiteo.com/company/uk-ministry-of-defence
- UK Ministry of Defence Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/uk-4762947111425-ministry-of-defence-mod-uk-breach-june-2021/
- UK Ministry of Defence CyberSecurity Score History: https://www.rankiteo.com/company/uk-ministry-of-defence/history
- UK Ministry of Defence CyberSecurity Incident Source: https://news.sky.com/story/mod-hasnt-done-enough-to-prevent-further-data-breaches-following-afghan-leak-mps-say-13470023
- Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/static/rankiteo_algo.pdf
- Rankiteo TPRM Scoring methodology: https://www.rankiteo.com/static/Rankiteo%20Cybersecurity%20Rating%20Model.pdf