1. Forensics concluded (March 21st)

2. General statement; forensic findings (March 6th)

3. Post mortem (February 21st)

Forensics concluded (March 21st)

With the forensic analysis completed, the preliminary findings have been confirmed. Remote control software and network scanning software were installed, but no other type of malware was found. The analysis confirms that Axis contact information was exposed, but finds no traces that any other data was affected. Without drawing any conclusion about the real intention of the attack, it is observed that most ransomware attacks begin with remote control and scanning software. Thereafter, information is exfiltrated, sometimes followed by computers being encrypted. A feasible theory based on this scenario is that the attack was stopped in the setup phase, before it could complete.

General Statement; forensic findings (March 6th)

Forensic Findings

The forensic report about the cyber-attack against Axis’ internal systems on Feb 19 2022 is now mostly completed. We know the attack has caused concern among customers and partners and value the possibility to share our conclusions. This is a follow-up, providing more details regarding the forensic findings. A background and a more detailed description of the initial events can be found in our original Post Mortem.

The really short version

Our forensic analysis confirms that Axis staff contact information was exposed in the attack. This includes names and phone numbers. Authorities have been notified according to GDPR. The forensic investigation finds no indications that any customer, partner, supplier or product data or source code was affected. It is also worth noting that the attack targeted internal systems and not product and customer installations.

The slightly longer version

Brief background

On the night between Saturday February 19 and Sunday February 20 (CET), Axis was the subject of a cyber-attack targeting internal systems. In order to protect customer, partner, supplier and Axis-internal data, a decision was made to completely disconnect all Internet-facing services. This was done with priority on Sunday February 20. As a result, intruders were blocked from access.

Starting in the morning of Sunday February 20, forensic work began in parallel with clearing activities to clean, restore and relaunch services. The current status is a stable baseline for all key business processes and most important systems. Remaining systems will be made available step by step as soon as systems are cleared. Until then, Axis operates in a restricted mode to ensure security while completing the final stages of the clean-up.

The incident management process and forensic analysis

External security and forensic experts were contacted as soon as the intrusion was detected. Acting in close collaboration, a joint team of external forensic experts and Axis senior staff has led the work, ensuring that decisions and steps taken meet highly set goals for security, forensic conclusions and business continuity. The forensic analysis is now mostly finished. The extensive analysis has gone through very large amounts of data from our technical environment. Some comes from machines that proved to be affected by the intrusion, but the majority of our infrastructure was cleared without any traces of illegitimate activity. The initial findings from the Post Mortem still hold true. No third-party data (such as customer, partner and supplier information) has been found to be affected. No product-related software has been found to be affected. The forensic analysis concluded that the only information verified to have been exposed is Axis contact information, including employee names and phone numbers. Additionally, cross-referencing log files of different systems for the time period of the intrusion further supports that conclusion. Authorities have been notified about the known loss of personal data according to the European legislation GDPR.
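The cross-referencing of log files across systems mentioned above can be illustrated with a small correlation script. The following is an added example, not part of the Axis report and not Axis tooling: it joins a constructed identity-provider sign-in log with a constructed file-server audit log, restricted to a time window, so that each file access in the window is tied to the successful sign-in (and source address) that preceded it for the same account. The log format, hostnames, account names, paths and addresses are all assumptions made for illustration.

```python
"""
Cross-referencing logs from two systems over the intrusion window.

Added example, not part of the Axis report and not Axis tooling. Log format,
hostnames, accounts, paths and addresses are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real data). Format: "<ts> <host> <event> k=v ...".
IDP_LOG = """\
2022-02-19T23:41:02Z idp sign-in user=jdoe result=success mfa=approved src=203.0.113.7
2022-02-19T23:52:17Z idp sign-in user=jdoe result=success mfa=approved src=198.51.100.4
2022-02-20T01:10:44Z idp sign-in user=asmith result=failure mfa=denied src=203.0.113.7
"""

FS_LOG = """\
2022-02-19T23:55:03Z fs01 access user=jdoe action=read path=/shares/hr/contacts.xlsx
2022-02-20T00:02:18Z fs01 access user=jdoe action=read path=/shares/eng/README.txt
2022-02-20T08:30:00Z fs01 access user=asmith action=read path=/shares/eng/README.txt
"""


def parse_line(line):
    """Parse one "<ts> <host> <event> k=v ..." line into a dict with a UTC datetime."""
    ts, host, event, *pairs = line.split()
    record = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host": host,
        "event": event,
    }
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def in_window(records, start, end):
    """Keep only records whose timestamp lies inside [start, end]."""
    return [r for r in records if start <= r["ts"] <= end]


def correlate(idp_records, fs_records, start, end, max_gap=timedelta(minutes=30)):
    """Tie each file access in the window to the latest successful sign-in by the
    same account that happened at most max_gap earlier. Returns a list of findings."""
    signins = defaultdict(list)
    for r in in_window(idp_records, start, end):
        if r["event"] == "sign-in" and r.get("result") == "success":
            signins[r["user"]].append(r)

    findings = []
    for access in in_window(fs_records, start, end):
        earlier = [
            s for s in signins.get(access["user"], [])
            if timedelta(0) <= access["ts"] - s["ts"] <= max_gap
        ]
        if not earlier:
            continue  # access with no matching sign-in: deserves a separate look
        signin = max(earlier, key=lambda s: s["ts"])
        findings.append({
            "user": access["user"],
            "path": access["path"],
            "access_ts": access["ts"].isoformat(),
            "signin_ts": signin["ts"].isoformat(),
            "src": signin["src"],
        })
    return findings


def sources_per_user(idp_records, start, end):
    """Distinct source addresses behind successful sign-ins, per account, in the window."""
    seen = defaultdict(set)
    for r in in_window(idp_records, start, end):
        if r["event"] == "sign-in" and r.get("result") == "success":
            seen[r["user"]].add(r["src"])
    return {user: sorted(srcs) for user, srcs in seen.items()}


# Assumed intrusion window for the constructed data.
WINDOW_START = datetime(2022, 2, 19, 23, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 2, 20, 2, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    idp, fs = parse_log(IDP_LOG), parse_log(FS_LOG)
    for finding in correlate(idp, fs, WINDOW_START, WINDOW_END):
        print(finding)
    print(sources_per_user(idp, WINDOW_START, WINDOW_END))
```

On the constructed data, both accesses by the same account inside the window trace back to the sign-in from the second source address, and that account shows two distinct source addresses in the window. The value of this kind of join is that a single system's log rarely answers "which session touched which data"; the answer comes from lining up timestamps across sources, which is why clock synchronisation and a clearly bounded window matter.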

What is known about the purpose of the attack?

There has been speculation about the purpose of the attack. The investigation provides no conclusive evidence, since the decision to block internet connectivity appears to have effectively stopped the intrusion mid-attack, before completion. No encrypted servers or clients pointing to a ransomware attack have been found. The detected malware, which provided the intruders with remote control capabilities, has been reverse engineered, analyzed and eradicated. No traces of ransomware or other special-purpose malware have been found. As a result, our conclusion is that the attack was stopped before its goal was reached.

Steps taken before relaunching services

Before being made available again, servers have undergone forensic analysis, cleared new, heightened security requirements, been extensively scanned for malware and undergone threat detection monitoring for a prolonged period. Our software development deserves special mention. No trace of illegitimate activity has been found in any software development-related system. Despite that, before being made available again, all software provided by Axis has been thoroughly verified and cleared. In addition to forensic analysis, malware scanning and threat detection monitoring, we have reviewed source code commits from the relevant time frame, ensuring the integrity of our software. All checksums for distributed software have also been verified. No trace of illegitimate activity has been found.
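Two of the checks described above, verifying checksums of distributed software and selecting the commits from the relevant time frame for review, can be expressed as a short script. The following is an added example, not Axis tooling: the artifacts, the manifest and the commit log are constructed in memory, and SHA-256 together with a sha256sum-style manifest layout ("<hex digest>  <filename>") are assumptions.

```python
"""
Release-integrity checks before relaunching software distribution.

Added example, not Axis tooling. Artifacts, manifest and commit log are
constructed in memory; SHA-256 and the sha256sum-style manifest layout are
assumptions.
"""
import hashlib
import hmac
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts as they sit on the download server now.
ARTIFACTS = {
    "firmware-1.0.bin": b"constructed firmware image",
    "tool-2.3.zip": b"constructed tool archive, modified",
    "sdk-4.1.tar.gz": b"constructed sdk tarball",
}

# Constructed manifest built from the known-good content recorded before the
# incident; tool-2.3.zip differs on purpose so that a mismatch shows up.
_KNOWN_GOOD = {**ARTIFACTS, "tool-2.3.zip": b"constructed tool archive"}
MANIFEST = "".join(f"{sha256_hex(data)}  {name}\n" for name, data in _KNOWN_GOOD.items())


def parse_manifest(text):
    """Map filename -> expected hex digest from sha256sum-style lines."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition("  ")
        expected[name.strip()] = digest.strip().lower()
    return expected


def verify_artifacts(manifest_text, artifacts):
    """Compare every artifact against the manifest. Anything outside 'ok'
    blocks the relaunch until it has been explained."""
    expected = parse_manifest(manifest_text)
    result = {"ok": [], "mismatched": [], "missing": [], "unexpected": []}
    for name, digest in expected.items():
        if name not in artifacts:
            result["missing"].append(name)
            continue
        actual = sha256_hex(artifacts[name])
        bucket = "ok" if hmac.compare_digest(actual, digest) else "mismatched"
        result[bucket].append(name)
    result["unexpected"] = [name for name in artifacts if name not in expected]
    return {key: sorted(value) for key, value in result.items()}


# Constructed commit log: "<id> <timestamp> <author> <subject>". Ids are placeholders.
COMMIT_LOG = """\
0000001 2022-02-18T15:04:00Z alice Fix typo in release notes
0000002 2022-02-19T23:58:00Z jdoe Update build script
0000003 2022-02-20T00:40:00Z jdoe Add packaging helper
0000004 2022-02-22T09:00:00Z bob Bump version
"""


def commits_in_window(log_text, start, end):
    """Return commits whose timestamp lies inside [start, end]; these are the
    ones a reviewer goes through by hand before the code base is trusted again."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit_id, ts, author, subject = line.split(maxsplit=3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if start <= when <= end:
            flagged.append({"id": commit_id, "author": author, "subject": subject})
    return flagged


# Assumed review window around the intrusion, for the constructed data.
WINDOW_START = datetime(2022, 2, 19, 20, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 2, 20, 18, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(verify_artifacts(MANIFEST, ARTIFACTS))
    for commit in commits_in_window(COMMIT_LOG, WINDOW_START, WINDOW_END):
        print(commit)
```

The manifest only proves anything if it was captured before the incident and stored somewhere the intruders could not reach (or is signed); a manifest regenerated from the current files would pass trivially. Likewise the commit window should be generous on both sides, since timestamps in a version control system can be set by the committer.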

Lessons learned and changes

A situation like this is humbling and a reason to change wherever needed. In the current climate of cyber threats, increased defenses are natural and necessary parts of business continuity. At Axis, we continuously reexamine the balance between efficient business processes and security. As a result of this incident, access methods have been redesigned to minimize human error and also to provide a lower risk of technical exploitation in case of human error. The technical security mechanisms across the board have been raised in general to limit the risk of any similar future event. The effect is increased security at the cost of slightly less smooth workflows. Other additional measures have been taken but will not be outlined here, purely for security reasons. We think this is as far as our forensic investigation will go. However, should any new information arise, we will provide additional updates.

Final words

For Axis, trust is what fuels our business and success. We believe that transparency is necessary to keep trust from our end customers, partners, suppliers and eventually societies. Even if this is a difficult situation for us, we sincerely hope all of you share our beliefs. Our intention with these reports is to help everyone make informed decisions about their current situations and business going forward.

Post Mortem (February 21st)

On the night between Saturday February 19 and Sunday February 20, Axis was the subject of a cyberattack. Using several combinations of social engineering, attackers were able to sign in as a user despite protective mechanisms such as multifactor authentication. Inside, the attackers used advanced methods to elevate their access and eventually gain access to directory services.

Axis threat detection systems alerted incident staff of unusual, suspicious behavior, and investigations began early Sunday morning. At approximately 9 am CET Sunday morning, IT management decided to bring in external security experts and at approximately 12:00 (noon), it was confirmed that hackers were active inside Axis networks. The decision was taken to disconnect all external connectivity immediately as a way of cutting the intruders off.

At 6 pm all network access had been shut off globally. The measure had the intended effect of shutting the intruders off from their access.

It also resulted in a loss of external services for Axis staff, such as inbound and outbound email. Partner services were also affected, with axis.com and extranets being unavailable.

Investigations rapidly showed that parts of the server infrastructure had been compromised while other parts remained intact.

Forensic work and projects to clean and restore the affected components began immediately with the intention of rapidly and gradually coming back to normal operational status.

Global production and supply chain remained largely unaffected through the entire period.

Our first customer facing services were made available Sunday evening, February 20.

Gradually in the days that followed, more and more external services were cleared and made available online again, including commercial services, main parts of axis.com and email services.

Status Sunday February 27 is that most external facing services have been restored with some still awaiting security clearance. Regarding internet facing services, Axis currently operates in a restricted mode. This will continue as long as the forensic investigation is ongoing and until the cleaning and restoration is completed. This mainly affects our internal work streams and has very limited effect on customers and partners. We expect the final parts of our customer facing services to be completely available within a few days.

Findings so far

No servers have been found to be encrypted, but we found malware and indications that internal directory services were compromised. No customer information has been found to be affected in any way. In total, we find limited signs of damaging consequences aside from the general embarrassment and productivity loss as we clear services for production step by step.

The attackers used multiple methods of social engineering to gain access despite our security mechanisms. Improvements already undertaken are changes that reduce the risk of human error. The technical security mechanisms have been raised in general across the board to limit the risk of any similar future event. The effect is increased security at the cost of slightly less smooth workflows.

It is a regrettable fact that no company is entirely safe from the risk of cyber intrusions. Our strategy remains the same. We aim to provide real security through several different types of protection:

  • We prevent threats and attacks with automated and systematic monitoring
  • Intrusions are made difficult while keeping operational efficiency high
  • Potential intrusions must be detected early to stop further damage
  • And in case of severe problems, we provide rapid and reliable restoration of services.

Needless to say, we are humbled by the gravity of the situation. We are also grateful that we were able to catch and stop an ongoing attack before it had much more lasting effects.

We will come back with more information if our ongoing investigation uncovers events of further relevance.