Date of Incident:
2023
Overview:
In 2023, Spain’s Ministry of Science suffered a significant cyberattack, leading to the partial shutdown of its IT systems and suspension of key administrative services impacting researchers, universities, and students. The breach involved the use of custom PowerShell scripts for lateral movement and ransomware deployment, exploiting valid accounts for initial access. Data leaked included personal records and official documents. Key indicators of compromise included specific IP addresses, malware hashes, and domain activity related to command and control operations. The attack was characterized by failed login attempts followed by successful privilege escalation, aligning with several MITRE ATT&CK tactics.
Impact:
Partial shutdown of IT systems, suspension of citizen- and company-facing administrative services including systems used by researchers, universities, and students. Leaked data includes personal records, email addresses, enrollment applications, and official documents.
Details:
The cyberattack on Spain’s Ministry of Science involved multiple MITRE ATT&CK tactics, including Initial Access (T1078, Valid Accounts), Execution (T1059, Command and Scripting Interpreter), and Exfiltration (T1041, Exfiltration Over C2 Channel). Analysis of the recovered PoC code indicates the use of custom PowerShell scripts to move laterally and deploy ransomware payloads. Key IOCs included the IP addresses 192.168.1.101 and 172.16.254.3 used as C2 servers (both fall within RFC 1918 private ranges, so they identify hosts inside the network rather than internet-facing infrastructure), hashes of malware binaries listed as SHA256, 5d41402abc4b2a76b9719d911017c592 and 6d7fce9fee471194aa8b5b6e47267f03 (both are 32-character values, which is MD5 length rather than the 64 characters of a SHA256 digest), the domain malicious-example.com, and registry edits altering Run keys for persistence. Logs showed repeated failed login attempts followed by a successful privilege escalation event near the time of the system shutdown, indicating the credential access and privilege escalation stages of the attack.
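The two detection-relevant points in the Details above are the indicator list and the "repeated failed logins followed by privilege escalation" pattern. The script below is an added example, not material from the incident report or from the Ministry: it sanity-checks the listed indicators (private-range IPs, hash length) and runs a simple brute-force-then-escalation correlation over a constructed Windows-style log. The log lines, usernames, source addresses and the fixed-width line format are assumptions; the event IDs 4625 (failed logon), 4624 (successful logon) and 4672 (special privileges assigned to new logon) are standard Windows Security log IDs.

```python
"""Added example: triage the page's IOCs and detect the failed-logins-then-escalation
pattern over a constructed log. Not the Ministry's data or tooling."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators exactly as listed on the page.
PAGE_IOCS = {
    "ips": ["192.168.1.101", "172.16.254.3"],
    "hashes": ["5d41402abc4b2a76b9719d911017c592",
               "6d7fce9fee471194aa8b5b6e47267f03"],
    "domains": ["malicious-example.com"],
}

HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def triage_iocs(iocs):
    """Return notes on indicators that cannot be used as stated."""
    notes = []
    for ip in iocs["ips"]:
        if ipaddress.ip_address(ip).is_private:
            notes.append(f"{ip}: RFC 1918 private address, internal host not external C2")
    for h in iocs["hashes"]:
        algo = HASH_LENGTHS.get(len(h), "unknown")
        if algo != "SHA-256":
            notes.append(f"{h}: {len(h)} hex chars is {algo} length, not SHA-256")
    return notes


# Constructed log: "<date> <time> <event id> <user> <source ip>" per line (assumed format).
SAMPLE_LOG = """\
2023-07-09 01:00:01 4625 admin_j 10.0.0.5
2023-07-09 01:00:03 4625 admin_j 10.0.0.5
2023-07-09 01:00:05 4625 admin_j 10.0.0.5
2023-07-09 01:00:06 4625 admin_j 10.0.0.5
2023-07-09 01:00:07 4625 admin_j 10.0.0.5
2023-07-09 01:00:20 4624 admin_j 10.0.0.5
2023-07-09 01:00:21 4672 admin_j 10.0.0.5
2023-07-09 01:05:00 4625 researcher_m 10.0.0.9
2023-07-09 01:06:00 4624 researcher_m 10.0.0.9
2023-07-09 03:00:00 4672 backup_svc 10.0.0.2
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\d{4}) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, event_id, user, source) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)


def find_bruteforce_then_privesc(events, min_failures=5, window=timedelta(minutes=10)):
    """Flag accounts with >= min_failures 4625 events inside `window` before a 4672 event.

    A lone 4672 (backup_svc) or a single failure (researcher_m) is not flagged; the
    correlation is what distinguishes a compromised credential from normal admin work.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[2]].append(ev)
    hits = []
    for user, evs in by_user.items():
        failures = []
        for ts, eid, _, src in evs:
            if eid == "4625":
                failures.append(ts)
                failures = [t for t in failures if ts - t <= window]
            elif eid == "4672":
                recent = [t for t in failures if ts - t <= window]
                if len(recent) >= min_failures:
                    hits.append({"user": user, "source": src,
                                 "failures": len(recent), "escalated_at": ts})
                failures = []  # escalation consumed the failure run
    return hits


if __name__ == "__main__":
    for note in triage_iocs(PAGE_IOCS):
        print("IOC note:", note)
    for hit in find_bruteforce_then_privesc(parse_log(SAMPLE_LOG)):
        print("ALERT:", hit)
```

The IOC triage is the step a SOC should run before loading indicators into a blocklist: private addresses and wrong-length hashes would either never match external traffic or match nothing at all. The correlation rule is deliberately per-account and time-windowed so that the 4672 event for backup_svc, which has no preceding failures, stays quiet.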
Remediation:
Vendor issued a security patch on July 10, 2023, addressing privilege escalation vulnerabilities; temporary mitigations include disabling non-essential remote desktop services and enforcing multi-factor authentication (MFA) across all administrative accounts; recommended network segmentation and continuous endpoint monitoring until full patch deployment.
Takeaway for CISO:
This breach highlights the critical importance of hardening identity and access management, especially in government systems with wide-reaching administrative functions. CISOs should prioritize MFA, timely patching, and enhanced monitoring to prevent credential-based attacks that can severely disrupt public services.
