
An active intrusion left an attacker roaming a network, collecting data, and establishing a command-and-control node. Security teams faced a choice between monitoring the attacker for intelligence, waiting for forensic support, or taking systems offline to stop the activity. The Co-op restricted VPN and remote access and paused communications within one specific zone to block the malicious connections while relying on existing network segregation. The organisation described the action as targeted containment rather than a full shutdown; the attackers claimed the organisation pulled its own plug rather than suffering ransomware. Focused isolation helped prevent further data being accessed and allowed online services to continue operating.
"There's a cyber attack under way. An intruder is inside your network: moving freely, collecting data, and setting up a command-and-control (C&C) node for future communication. Except this time, you're watching them - you can see what they're doing. The dilemma remains: what do you do? Allow them to continue traversing the network while you operate, wait for forensic specialists to arrive or find a way to stop them?"
"Earlier this year, a BBC news report on the Co-op incident claimed that the IT team at the UK retailer "made the decision to take computer services offline, preventing the criminals from continuing their hack". The criminals sent a message to the BBC, stating: "Co-op's network never ever suffered ransomware. They yanked their own plug - tanking sales, burning logistics and torching shareholder value.""
"In its statement, Co-op said it "took early and decisive action to protect our Co-op, including restricting access to some systems", which helped to contain the issue, prevent further data being accessed and protect the wider organisation. When questioned at the Business and Trade Sub-Committee in July, Co-op representatives did not use the phrase "pulling the plug" directly. But Rob Elsey, group chief digital information officer at Co-op, said VPN and remote access were restricted "as a way of ensuring that we were able to keep the criminals out of our systems"."
"Elsey explained that software within its network was "effectively trying to communicate with a threat actor's website", and after identifying the source, the team took the proactive measure of pausing all communication within that zone. This, he stressed, was not "pulling the plug". Co-op's systems "are heavily segregated, which means this was very much focused on one specific zone". He told the committee: "Throughout this, all our online business continued to operate normally,"
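The approach Elsey describes, identifying which segregated zone is talking to the threat actor's site and pausing that zone's communication rather than the whole network, is a decision a responder can script against egress logs. The following is an added example, not Co-op's tooling or code; the zone map, the proxy log lines and the placeholder suspect host `c2.attacker.invalid` are all constructed for illustration, and the emitted rules use nftables syntax as one possible enforcement point.

```python
"""Targeted containment: find the segregated zone that is beaconing to a
known-bad host and emit block rules for that zone only, leaving the rest
of the network (including online services) untouched.

Added example, not Co-op's own code. The zone map, log lines and the
suspect host below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone map: which subnets make up each segregated zone.
ZONES = {
    "corp-workstations": [ip_network("10.10.0.0/16")],
    "warehouse-ops": [ip_network("10.20.0.0/16")],
    "online-retail": [ip_network("10.30.0.0/16")],
}

# Constructed egress-proxy log lines: "<timestamp> <src_ip> <dst_host> <action>".
EGRESS_LOG = """\
2025-04-28T09:00:01Z 10.10.4.17 updates.example.com ALLOW
2025-04-28T09:00:04Z 10.20.1.5 c2.attacker.invalid ALLOW
2025-04-28T09:00:09Z 10.30.2.8 cdn.example.com ALLOW
2025-04-28T09:01:04Z 10.20.1.5 c2.attacker.invalid ALLOW
2025-04-28T09:01:11Z 10.20.7.33 c2.attacker.invalid ALLOW
this line is malformed and must be skipped
2025-04-28T09:02:04Z 10.20.1.5 c2.attacker.invalid ALLOW
"""

# Constructed placeholder for the threat actor's site identified during triage.
SUSPECT_HOSTS = {"c2.attacker.invalid"}


def zone_of(ip):
    """Map a source IP to the zone whose subnets contain it (None if unknown)."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None


def affected_zones(log_text, suspect_hosts=SUSPECT_HOSTS):
    """Return {zone: sorted source IPs} for hosts that contacted a suspect site."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing fields
        _ts, src, dst, _action = parts
        if dst.lower() in suspect_hosts:
            zone = zone_of(src)
            if zone is not None:
                hits[zone].add(src)
    return {zone: sorted(ips) for zone, ips in hits.items()}


def containment_rules(affected):
    """Build nftables-style rules that pause egress from the affected zones only.

    Each rule drops forwarded traffic sourced from the zone's subnets; zones
    that are not in `affected` get no rule at all, so their services keep running.
    """
    rules = []
    for zone in sorted(affected):
        for net in ZONES[zone]:
            rules.append(f"nft add rule inet filter forward ip saddr {net} drop")
    return rules


def untouched_zones(affected):
    """Zones that stay fully online under this containment plan."""
    return sorted(zone for zone in ZONES if zone not in affected)


if __name__ == "__main__":
    hit = affected_zones(EGRESS_LOG)
    print("affected:", hit)
    print("rules:", *containment_rules(hit), sep="\n  ")
    print("still online:", untouched_zones(hit))
```

Running it over the constructed log marks only `warehouse-ops` as affected, produces a single drop rule for `10.20.0.0/16`, and leaves `corp-workstations` and `online-retail` untouched, which is the "focused on one specific zone" outcome rather than a network-wide shutdown. Restricting VPN and remote access, the other step Co-op described, would be a separate rule set on the access gateway and is not modelled here.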
Read at ComputerWeekly.com