In many cases of sabotage, Attingo can temporarily repair data carriers in order to restore lost data. Often data can be recovered from supposedly fatally damaged data carriers and storage media with professional data recovery, so that affected companies can quickly become operational again or important evidence can be provided for pending proceedings.
For example, from internal attacks (e.g. frustrated employees or IT administrators) or from outside (e.g. from black hat hackers, ransomware blackmailers, script kiddies or the competition)?
Sabotage cases occur when, among other things, employment relationships or external IT supervisor contracts are not renewed, layoffs take effect or employees are recruited away by competitors. Anyone can be a culprit: employees, board members or managing directors. As revenge or out of sheer aversion, important data is deleted, and sometimes stolen at the same time and taken along to the new employer or into self-employment.
It also happens that external service providers willfully damage systems and storage media or delete sensitive data, either in order to bill additional services under the support contract or as revenge for the termination of the cooperation and the switch to a competitor.
Because they already have access to the IT infrastructure, perpetrators can wreak havoc. Such acts of sabotage usually result in damaged or destroyed hardware (hard drives, servers) and deleted or destroyed files.
In the following section you will find some case studies of acts of sabotage in recent years with successful data recovery from the Attingo laboratories:
Manipulated surveillance systems
In the production facility of a food technology company in Brazil, a dismissed employee used the remaining time of his employment to destroy video surveillance systems. The aim was to conceal his misdeeds. The digital video recorders were thrown to the ground. The surveillance hard drives were then removed from the DVR systems and all of their contacts were damaged with a 220-volt cable.
All of the hard drives had physical, mechanical and electronic defects. Nevertheless, a large number of the video files needed to prove the employee's guilt could be restored.
RAID server deleted via VPN
An IT supervisor felt wrongly dismissed and used his still active VPN access to penetrate the company's network and find the perfect way to take revenge. His first step was to delete all server RAID configurations. In order to cause maximum damage, the hard disks were then reinitialized as a RAID array.
By calculating the original RAID parameters, the servers could be restored based on the remaining raw data and almost all data could be recovered.
Evidence saved from the floods
A criminal offender tried to destroy incriminating evidence in the course of his escape and subsequent arrest by throwing his PC into the torrential floods of a river. The criminal investigation department was only able to locate and recover the computer three months later.
After cleaning the installed hard drives in the laboratory, the raw data could be cloned and a 1:1 dump for further prosecution was handed over to the police and prosecutors.
Bomb fragments destroy camera recordings
During the shooting of a film for a report from a crisis area, a fragmentation bomb that terrorists had fired towards the camera team detonated nearby. The detonation and the shrapnel not only injured members of the camera team; the cameras and Blu-ray discs were also massively damaged.
Many of the data carriers were too severely damaged for all of the material to be saved. Despite the considerable damage, a lot of usable video data could still be restored from some of the storage media.
Data theft and industrial espionage
When a senior employee quit, he spent the last moments of his job secretly downloading construction plans, extensive contact lists and other internal information via co-workers' user accounts from the encrypted servers to his company laptop, and then copying everything to an external data medium.
By recovering the data from the wiped laptop, the employer was able to prove that the dismissed person had gained unauthorized access to the access codes of other employees and had thereby stolen sensitive data.
A fateful affair
By deleting the last destinations on a navigation device, a husband wanted to cover up the trips to his supposedly secret affair. His ex-partner found out about her husband's goings-on.
The deleted data from the navigation system could be reconstructed and made available to his soon-to-be ex-wife and her lawyer in order to accelerate the divorce process.
Attingo is receiving more and more requests from customers regarding servers and computers infected with ransomware Trojans. If our technicians are unable to decrypt the data, the only chance is to search for deleted or moved files or to perform raw data scans. Since handling ransomware cases is much more complex and case-specific, please contact us for an individual assessment of the damage and the resulting effort.