Case study: When a hacker destroys your business

It’s been almost four years since business owners Carl Woerndle and his brother Alex were caught up in a cyber attack so damaging it destroyed their once prospering technology business, Distribute.IT.

Carl Woerndle has given a warts and all account of how he and other staff at his former company dealt with the crisis and the fallout of the malicious hack in a new cyber security guide, in conjunction with the CIO Executive Council.

“It was a perfect storm of events,” says Woerndle.

Background

Distribute.IT was founded in 2002 by brothers Carl and Alex Woerndle as a web-based start-up.

The business adopted a channel sales strategy, appointing resellers to on-sell its services. Over the next nine years, the firm branched into cloud-based web server hosting, distributing SSL certificates and SMS services.

By 2011, Distribute.IT had secured 10 per cent of the market for Australian domain names, held multiple international domain accreditations and had 30,000 hosting clients through 3,000 active resellers

However, later that year the business suffered a severe cyber attack, just as it was growing at 4 per cent a month and had recently expanded into Asia.

The initial breach – week 1

At 5pm on Friday June 3, 2011, Woerndle received a call from his CIO alerting him to a breach in the company’s network.

“We had about 30,000 clients and a minimum of two per day were targeted on our network, so we were used to managing security,” says Carl Woerndle.

DOS attacks and single targeted sites on servers are fairly common for hosting providers, but this attack was different. The hacker had managed to bypass the company’s entire security protocol, get behind its firewall and gain access to its master user access information.

This event was the catalyst for a three-week nightmare ride for all involved with the business and its clients. While Distribute.IT was proactive in its response and compliance obligations, re-building most of its network over the next week, these measures would not be enough to save the business.

“We put in two back-to-back, 72-hour shifts during the week so it was a massive effort by all,” says Woerndle.

The destructive attack – week 2

Although the company felt it had mitigated its issues, in the end the work completed the week before was for nothing. At 4:30pm on Saturday 11 June, Distribute.IT’s network monitoring system went crazy.

The IT team watched servers go offline every few seconds, as the hacker had regained access to the company’s network, before escalating into an extremely malicious attack.

The hackers targeted and destroyed servers inside Distribute.IT’s network, including back-ups, then locked the IT team out, meaning the only way to get control was to ‘pull the plug’ at the data centre.

This attack targeted Distribute.IT’s primary trading and hosting systems, shared web servers and backup systems, removing its ability to trade. The company had to rebuild its entire infrastructure from the ground up …again.

“We were into our third 72-hour block [working on the problem] and by this time, we were completely and utterly exhausted,” says Carl Woerndle.

The network was switched on again on the evening of Monday 13 June, but with its primary websites and VoIP systems down and client databases compromised. By Tuesday 14 June, Distribute.IT started to lose clients. The trust and brand equity that had been built up over nine years had eroded.

Knowledge of the hack became so widespread that the company had an email from hacking group Anonymous saying ‘it wasn’t us’.

By Monday June 20, time had run out. With resellers possibly losing their livelihoods and many websites unrecoverable, the company had no choice but to seek a quick alternative solution.

“My brother and I knew at this point that our business was gone,” Woerndle says.

The aftermath

The hacker’s main entry point was carefully targeted towards an individual company employee who was deemed vulnerable. The hacker was able to save key logging malware onto the staff member’s laptop. The malware built up a password database and used the laptop’s secure VPN connection to access the network.

“We focused our efforts on the network itself, rebuilding the network, putting the security around it. What we missed during this period was what came from outside.”

Woerndle says the way in which you manage the early stages of a hacking incident will have a big bearing on the outcome. Distribute.IT’s decision to take down its network after the first breach alerted the hacker.

“In retrospect, what I should have done was the complete opposite… That’s the point in time where you get forensics involved, have a look around the network, see where those entry points were and build up a real case against the perpetrator,” said Woerndle.

It took the brothers six to 12 months to get over the incident. Carl has recovered and still has an entrepreneurial spirit. He has a few “software plays in the background” that he is trying to develop. “It’s a long journey back,” he says.

Read about the full details of the attack, including wrong turns, the full effect on staff and the key takeaways and valuable advice that comes out of an experience like this by accessing a copy of Cyber security: Empowering the CIO.