This document from the NASA Office of Inspector General details two cases where NASA computers got infected with CryptoLocker, a virus that encrypts a victim's files and holds the data for ransom.
Original title
NASA Office of Inspector General Document on CryptoLocker
National Aeronautics and
Space Administration
Office of Inspector General
Office of Investigations
C-AR-14-0052-P January 24, 2014
Cryptolocker
Ames Research Center
Moffett Field, CA
CASE CLOSING: On October 24, 2013, the RA was notified by
[illegible], IT Security Group (ITSG), Ames Research Center (ARC), that a [illegible]
computer system at ARC was infected by malware known as "Cryptolocker," resulting in the
loss of access to NASA data. This incident was documented in NASA Security Operations
Center (SOC) Incident Management System (IMS) Ticket# SOC-20131024-312665.
Investigation by incident responders determined the system assigned [illegible] was
infected at 1013, October 23, 2013. Further, [illegible],
ITSG-ARC, located the following file (and spawned process) running on the [illegible] system and
identified it as the cause of the beaconing detected by the intrusion detection system (IDS):
C:\Users\sjovic\AppData\Local [remainder illegible]
On December [illegible], the [illegible] coordinated with
[illegible]
[illegible] Cryptolocker incidents at NASA ([illegible]
at ARC currently under investigation).
[illegible] stated that there was one additional Cryptolocker incident at NASA, which occurred
at Kennedy Space Center (KSC), FL, and was documented in SOC Incident Management System
(IMS) Ticket# SOC-20131028-312298.
CLASSIFICATION: FOR OFFICIAL USE ONLY
WARNING: This document is the property of the NASA Office of Inspector General and is on
loan to your agency. Contents may not be disclosed to any party [remainder illegible]

The review of SOC-20131028-313299 revealed it was a closed Category 3 (Malware) incident
with the following description:
[illegible] beaconing [illegible]
malware [illegible] dotcom). The beaconing began 10-25-2013 21:09:20.
SOC-20131028-313299 reported that the computer assigned [illegible]
hundreds of thousands of Intrusion Detection System (IDS) alerts [illegible],
and that many of the alerts were "ET TROJAN [illegible]".
However, no in-depth investigation was conducted and the victim system was simply pulled off
the network and re-imaged to eliminate any possible infection.
The reporting person on the incident was [illegible], KSC IT Security
(ITSG-KSC).
On December 3, 2013, the RA interviewed [illegible] regarding SOC IMS Ticket# SOC-
20131028-313299.
[illegible] KSC [illegible],
[illegible] center managed and owned by Delaware North Companies Parks and Resorts
(DNCPR) [illegible]
led to DNCPR being given a single NASA IP address behind which they have set up a NAT
proxy. As such, when an incident occurs with one of the DNCPR computers behind the NASA
IP address, ITSG-KSC cannot investigate; instead, DNCPR personnel simply take the affected
system offline and remediate it. [illegible] provided the following contact information for
DNCPR personnel that may be able to assist:
On December 3, 2013, the RA interviewed [illegible],
Delaware North Companies Parks and Resorts (DNCPR), Cocoa Beach, FL, regarding any
further information in his possession pertinent to this investigation.
[illegible] stated that he [illegible] the incident, but that standard DNCPR action in cases like this is
to remove the affected system from the network, wipe it, re-image it and return it to service. No
images of the affected system or other information were available for review.