Blog
/
OT
/
December 16, 2024

Breaking Down Nation State Attacks on Supply Chains

Explore how nation-state supply chain attacks like 3CX, NotPetya, and SolarWinds exploited trusted providers to cause global disruption, highlighting the urgent need for robust security measures.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Benjamin Druttman
Cyber Security AI Technical Instructor
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
16
Dec 2024

Introduction: Nation state attacks on supply chains

In recent years, supply chain attacks have surged in both frequency and sophistication, evolving into one of the most severe threats to organizations across almost every industry. By exploiting third-party vendors and service providers, these attacks can inflict widespread disruption with a single breach. They have become a go-to choice for nation state actors and show no signs of slowing down. According to Gartner, the costs from these attacks will skyrocket “from $46 billion in 2023 to $138 billion by 2031” [1].  

But why are supply chains specifically such an irresistible target for threat actors? Dwight D. Eisenhower, the General of the US Army in World War II and former US President, once said, “you won’t find it difficult to prove that battles, campaigns, and even wars have been won or lost primarily because of logistics.”

The same is true in cyberspace and cyberwarfare. We live in an increasingly interconnected world. The provision of almost every service integral to our daily lives relies on a complex web of interdependent third parties.  

Naturally, threat actors gravitate towards these service providers. By compromising just one of them, they can spread through supply chains downstream to other organizations and raise the odds of winning their battle, campaign, or war.  

software supply chain sequence
Figure 1: Software supply chain attack cycle

A house built on open-source sand

Software developers face immense pressure to produce functional code quickly, often under tight deadlines. Adding to this challenge is the need to comply with stringent security requirements set by their DevSecOps counterparts, who aim to ensure that code is safe from vulnerabilities.  

Open-source repositories alleviate some of this pressure by providing pre-built packages of code and fully functioning tools that developers can freely access and integrate. These highly accessible resources enhance productivity and boost innovation. As a result, they have a huge, diverse user base spanning industries and geographies. However, given their extensive adoption, any security lapse can result in widespread compromise across businesses.

Cautionary tales for open-source dependencies

This is exactly what happened in December 2021 when a remote code execution vulnerability was discovered in Log4J’s software. In simple terms, it exposed an alarmingly straightforward way for attackers to take control of any system using Log4J.  

The scope for potential attack was unprecedented. Some estimates say up to 3 billion devices were affected worldwide, in what was quickly labelled the “single biggest, most critical vulnerability of the last decade” [2].

What ensued was a race between opportunistic nefarious actors and panicked security professionals. The astronomical number of vulnerable devices laid expansive groundwork for attackers, who quickly began probing potentially exploitable systems. 48% of corporate networks globally were scanned for the vulnerability, while security teams scrambled to apply the remediating patch [3].

The vulnerability attracted nation states like a moth to a flame, who, unsurprisingly, beat many security teams to it. According to the FBI and the US Cybersecurity and Infrastructure Agency (CISA), Iranian government-sponsored threat groups were found using the Log4J vulnerability to install cryptomining software, credential stealers and Ngrok reverse proxies onto no less than US Federal networks [4].  

Research from Microsoft and Mandiant revealed nation state groups from China, North Korea and Turkey also taking advantage of the Log4J vulnerability to deploy malware on target systems [5].  

If Log4j taught us anything, it’s that vulnerabilities in open-source technologies can be highly attractive target for nation states. When these technologies are universally adopted, geopolitical adversaries have a much wider net of opportunity to successfully weaponize them.  

It therefore comes as no surprise that nation states have ramped up their operations targeting the open-source link of the supply chain in recent years.  

Since 2020, there has been a 1300% increase in malicious threats circulating on open-source repositories. PyPI is the official open-source code repository for programming done in the Python language and used by over 800,000 developers worldwide. In the first 9 months of 2023 alone, 7,000 malicious packages were found on PyPI, some of which were linked to the North Korea state-sponsored threat group, Lazarus [6].  

Most of them were found using a technique called typosquatting, in which the malicious payloads are disguised with names that very closely resemble those of legitimate packages, ready for download by an unwitting software developer. This trickery of the eye is an example of social engineering in the supply chain.  

A hop, skip, and a jump into the most sensitive networks on earth

One of the most high-profile supply chain attacks in recent history occurred in 2023, targeting 3CX’s Desktop App – a widely used video communications by over 600,000 customers in various sectors such as aerospace, healthcare and hospitality.

The incident gained notoriety as a double supply chain attack. The initial breach originated from financial trading software called X_Trader, which had been infected with a backdoor.  A 3CX employee unknowingly downloaded the compromised X_Trader software onto a corporate device. This allowed attackers to steal the employee’s credentials and use them to gain access to 3CX’s network, spread laterally and compromising Windows and Mac systems.  

The attack moved along another link of the supply chain to several of 3CX’s customers, impacting critical national infrastructure like energy sector in US and Europe.  

For the average software provider, this attack shed more light on how a compromise of their technology could cause chaos for their customers.  

But nation states already knew this. The 3CX attack was attributed, yet again, to Lazarus, the same North Korean nation state blamed for implanting malicious packages in the Python repository.  

It’s also worth mentioning the astounding piece of evidence in a separate social engineering campaign which linked the 3CX hack to North Korea. It was an attack worthy of a Hollywood cyber block buster. The threat group, Lazarus, lured hopeful job candidates on LinkedIn into clicking on malicious ZIP file disguised as an attractive PDF offer for a position as a Developer at HSBC. The malware’s command and control infrastructure, journalide[.]org, was the same one discovered in the 3CX campaign.  

Though not strictly a supply chain attack, the LinkedIn campaign illustrates how nation states employ a diverse array of methods that span beyond the supply chain to achieve their goals. These sophisticated and well-resourced adversaries are adaptable and capable of repurposing their command-and-control infrastructure to orchestrate a range of attacks. This attack, along with the typosquatting attacks found in PyPI, serve as a critical reminder for security teams: supply chain attacks are often coupled with another powerful tactic – social engineering of human teams.

When the cure is worse than the disease

Updates to the software are a core pillar of cybersecurity, designed to patch vulnerabilities like Log4J and ensure it is safe. However, they have also proven to serve as alarmingly efficient delivery vessels for nation states to propagate their cyberattacks.  

Two of the most prolific supply chain breaches in recent history have been deployed through malicious updates, illustrating how they can be a double-edged sword when it comes to cyber defense.  

NotPetya (2017) and Solarwinds (2020)

The 2017 NotPetya ransomware attack exemplified the mass spread of ransomware via a single software update. A Russian military group injected malware on accounting software used by Ukrainian businesses for tax reporting. Via an automatic update, the ransomware was pushed out to thousands of customers within hours, crippled Ukrainian infrastructure including airports, financial institutions and government agencies.  

Some of the hardest hit victims were suppliers themselves. Maersk, the global shipping giant responsible for shipping one fifth of the world’s goods, had their entire global operations brought to a halt and their 76 ports temporarily shut down. The interruptions to global trade were then compounded when a FedEx subsidiary was hit by the same ransomware. Meanwhile, Merck, a pharmaceutical company, was unable to supply vaccines to the Center for Disease Control and Prevention due to the attack.  

In 2020, another devastating supply chain attack unfolded in a similar way. Threat actors tied to Russian intelligence embedded malicious code into Solarwinds’ Orion IT software, which was then distributed as an update to 18,000 organizations. Victims included at least eight U.S. government agencies, as well as several major tech companies.  

These two attacks highlighted two key lessons. First, in a hyperconnected digital world, nation states will exploit the trust organizations place in software updates to cause a ripple effect of devastation downstream. Secondly, the economies of scale for the threat actor themselves are staggering: a single malicious update provided the heavy lifting work of dissemination to the attacker. A colossal number of originations were infected, and they obtained the keys to the world’s most sensitive networks.

The conclusion is obvious, albeit challenging to implement; organizations must rigorously scrutinize the authenticity and security of updates to prevent far-reaching consequences.  

Some of the biggest supply chain attacks in recent history and the nation state actor they are attributed to
Figure 2: Some of the biggest supply chain attacks in recent history and the nation state actor they are attributed to

Geopolitics and nation States in 2024: Beyond the software supply chain

The threat to our increasingly complex web of global supply is real. But organizations must look beyond their software to successfully mitigate supply chain disruption. Securing hardware and logistics is crucial, as these supply chain links are also in the crosshairs of nation states.  

In July 2024, suspicious packages caused a warehouse fire at a depot belonging to courier giant DHL in Birmingham, UK. British counter-terrorism authorities investigated Russian involvement in this fire, which was linked to a very similar incident that same month at a DHL facility in Germany.  

In September 2024, camouflaged explosives were hidden in walkie talkies and pagers in Lebanon and Syria – a supply chain attack widely believed to be carried out by Israel.

While these attacks targeted hardware and logistics rather than software, the underlying rule of thumb remained the same: the compromise of a single distributor can provide the attackers with considerable economies of scale.

These attacks sparked growing concerns of coordinated efforts to sabotage the supply chain. This sentiment was reflected in a global survey carried out by HP in August 2024, in which many organisations reported “nation-state threat actors targeting physical supply chains and tampering with device hardware and firmware integrity” [7].

More recently, in November 2024, the Russian military unit 29155 vowed to “turn the lights out for millions” by threatening to launch cyberattacks on the blood supply of NATO countries, critical national infrastructure (CNI). Today, CNI encompasses more than the electric grid and water supply; it includes ICT services and IT infrastructure – the digital systems that underpin the foundations of modern society.    

This is nothing new. The supply and logistics-focused tactic has been central to warfare throughout history. What’s changed is that cyberspace has merely expanded the scale and efficiency of these tactics, turning single software compromises into attack multipliers. The supply chain threat is now more multi-faceted than ever before.  

Learnings from the supply chain threat landscape

Consider some of the most disastrous nation-state supply chain attacks in recent history – 3CX, NotPetya and Solarwinds. They share a remarkable commonality: the attackers only needed to compromise a single piece of software to cause rampant disruption. By targeting a technology provider whose products were deeply embedded across industries, threat actors leveraged the trust inherent in the supply chain to infiltrate networks at scale.

From a nation-state’s perspective, targeting a specific technology, device or service used by vast swathes of society amplifies operational efficiency. For software, hardware and critical service suppliers, these examples serve as an urgent wake-up call. Without rigorous security measures, they risk becoming conduits for global disruption. Sanity-checking code, implementing robust validation processes, and fostering a culture of security throughout the supply chain are no longer optional—they are essential.  

The stakes are clear: in the interconnected digital age, the safety of countless systems, industries and society at large depends on their vigilance.  

Screenshot of supply chain security whitepaper

Gain a deeper understanding of the evolving risks in supply chain security and explore actionable strategies to protect your organization against emerging threats. Download the white paper to empower your decision-making with expert insights tailored for CISOs

Download: Securing the Supply Chain White Paper

References

  1. https://www.gartner.com/en/documents/5524495
  1. CISA Insights “Remediate Vulnerabilities for Internet-Accessible Systems.”
  1. https://blog.checkpoint.com/security/the-numbers-behind-a-cyber-pandemic-detailed-dive/
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a  
  1. https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/  
  1. https://content.reversinglabs.com/state-of-sscs-report/the-state-of-sscs-report-24  
  1. https://www.hp.com/us-en/newsroom/press-releases/2024/hp-wolf-security-study-supply-chains.html
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Benjamin Druttman
Cyber Security AI Technical Instructor

More in this series

No items found.

Blog

/

Network

/

August 8, 2025

Ivanti Under Siege: Investigating the Ivanti Endpoint Manager Mobile Vulnerabilities (CVE-2025-4427 & CVE-2025-4428)

Default blog imageDefault blog image

Ivanti & Edge infrastructure exploitation

Edge infrastructure exploitations continue to prevail in today’s cyber threat landscape; therefore, it was no surprise that recent Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities CVE-2025-4427 and CVE-2025-4428 were exploited targeting organizations in critical sectors such as healthcare, telecommunications, and finance across the globe, including across the Darktrace customer base in May 2025.

Exploiting these types of vulnerabilities remains a popular choice for threat actors seeking to enter an organization’s network to perform malicious activity such as cyber espionage, data exfiltration and ransomware detonation.

Vulnerabilities in Ivanti EPMM

Ivanti EPMM allows organizations to manage and configure enterprise mobile devices. On May 13, 2025, Ivanti published a security advisory [1] for their Ivanti Endpoint Manager Mobile (EPMM) devices addressing a medium and high severity vulnerability:

  • CVE-2025-4427, CVSS: 5.6: An authentication bypass vulnerability
  • CVE-2025-4428, CVSS: 7.2: Remote code execution vulnerability

Successfully exploiting both vulnerabilities at the same time could lead to unauthenticated remote code execution from an unauthenticated threat actor, which could allow them to control, manipulate, and compromise managed devices on a network [2].

Shortly after the disclosure of these vulnerabilities, external researchers uncovered evidence that they were being actively exploited in the wild and identified multiple indicators of compromise (IoCs) related to post-exploitation activities for these vulnerabilities [2] [3]. Research drew particular attention to the infrastructure utilized in ongoing exploitation activity, such as leveraging the two vulnerabilities to eventually deliver malware contained within ELF files from Amazon Web Services (AWS) S3 bucket endpoints and to deliver KrustyLoader malware for persistence. KrustyLoader is a Rust based malware that was discovered being downloaded in compromised Ivanti Connect Secure systems back in January 2024 when the zero-day critical vulnerabilities; CVE-2024-21887 and CVE-2023-46805 [10].

This suggests the involvement of the threat actor UNC5221, a suspected China-nexus espionage actor [3].

In addition to exploring the post-exploit tactics, techniques, and procedures (TTPs) observed for these vulnerabilities across Darktrace’s customer base, this blog will also examine the subtle changes and similarities in the exploitation of earlier Ivanti vulnerabilities—specifically Ivanti Connect Secure (CS) and Policy Secure (PS) vulnerabilities CVE-2023-46805 and CVE-2024-21887 in early 2024, as well as CVE-2025-0282 and CVE-2025-0283, which affected CS, PS, and Zero Trust Access (ZTA) in January 2025.

Darktrace Coverage

In May 2025, shortly after Ivanti disclosed vulnerabilities in their EPMM product, Darktrace’s Threat Research team identified attack patterns potentially linked to the exploitation of these vulnerabilities across multiple customer environments. The most noteworthy attack chain activity observed included exploit validation, payload delivery via AWS S3 bucket endpoints, subsequent delivery of script-based payloads, and connections to dpaste[.]com, possibly for dynamic payload retrieval. In a limited number of cases, connections were also made to an IP address associated with infrastructure linked to SAP NetWeaver vulnerability CVE-2025-31324, which has been investigated by Darktrace in an earlier case.

Exploit Validation

Darktrace observed devices within multiple customer environments making connections related to Out-of-Band Application Security Testing (OAST). These included a range of DNS requests and connections, most of which featured a user agent associated with the command-line tool cURL, directed toward associated endpoints. The hostnames of these endpoints consisted of a string of randomly generated characters followed by an OAST domain, such as 'oast[.]live', 'oast[.]pro', 'oast[.]fun', 'oast[.]site', 'oast[.]online', or 'oast[.]me'. OAST endpoints can be leveraged by malicious actors to trigger callbacks from targeted systems, such as for exploit validation. This activity, likely representing the initial phase of the attack chain observed across multiple environments, was also seen in the early stages of previous investigations into the exploitation of Ivanti vulnerabilities [4]. Darktrace also observed similar exploit validation activity during investigations conducted in January 2024 into the Ivanti CS vulnerabilities CVE-2023-46805 and CVE-2024-21887.

Payload Delivery via AWS

Devices across multiple customer environments were subsequently observed downloading malicious ELF files—often with randomly generated filenames such as 'NVGAoZDmEe'—from AWS S3 bucket endpoints like 's3[.]amazonaws[.]com'. These downloads occurred over HTTP connections, typically using wget or cURL user agents. Some of the ELF files were later identified to be KrustyLoader payloads using open-source intelligence (OSINT). External researchers have reported that the KrustyLoader malware is executed in cases of Ivanti EPMM exploitation to gain and maintain a foothold in target networks [2].

In one customer environment, after connections were made to the endpoint fconnect[.]s3[.]amazonaws[.]com, Darktrace observed the target system downloading the ELF file mnQDqysNrlg via the user agent Wget/1.14 (linux-gnu). Further investigation of the file’s SHA1 hash (1dec9191606f8fc86e4ae4fdf07f09822f8a94f2) linked it to the KrustyLoader malware [5]. In another customer environment, connections were instead made to tnegadge[.]s3[.]amazonaws[.]com using the same user agent, from which the ELF file “/dfuJ8t1uhG” was downloaded. This file was also linked to KrustyLoader through its SHA1 hash (c47abdb1651f9f6d96d34313872e68fb132f39f5) [6].

The pattern of activity observed so far closely mirrors previous exploits associated with the Ivanti vulnerabilities CVE-2023-46805 and CVE-2024-21887 [4]. As in those cases, Darktrace observed exploit validation using OAST domains and services, along with the use of AWS endpoints to deliver ELF file payloads. However, in this instance, the delivered payload was identified as KrustyLoader malware.

Later-stage script file payload delivery

In addition to the ELF file downloads, Darktrace also detected other file downloads across several customer environments, potentially representing the delivery of later-stage payloads.

The downloaded files included script files with the .sh extension, featuring randomly generated alphanumeric filenames. One such example is “4l4md4r.sh”, which was retrieved during a connection to the IP address 15.188.246[.]198 using a cURL-associated user agent. This IP address was also linked to infrastructure associated with the SAP NetWeaver remote code execution vulnerability CVE-2025-31324, which enables remote code execution on NetWeaver Visual Composer. External reporting has attributed this infrastructure to a China-nexus state actor [7][8][9].

In addition to the script file downloads, devices on some customer networks were also observed making connections to pastebin[.]com and dpaste[.]com, two sites commonly used to host or share malicious payloads or exploitation instructions [2]. Exploits, including those targeting Ivanti EPMM vulnerabilities, can dynamically fetch malicious commands from sites like dpaste[.]com, enabling threat actors to update payloads. Unlike the previously detailed activity, this behavior was not identified in any prior Darktrace investigations into Ivanti-related vulnerabilities, suggesting a potential shift in the tactics used in post-exploitation stages of Ivanti attacks.

Conclusion

Edge infrastructure vulnerabilities, such as those found in Ivanti EPMM and investigated across customer environments with Darktrace / NETWORK, have become a key tool in the arsenal of attackers in today’s threat landscape. As highlighted in this investigation, while many of the tactics employed by threat actors following successful exploitation of vulnerabilities remain the same, subtle shifts in their methods can also be seen.

These subtle and often overlooked changes enable threat actors to remain undetected within networks, highlighting the critical need for organizations to maintain continuous extended visibility, leverage anomaly based behavioral analysis, and deploy machine speed intervention across their environments.

Credit to Nahisha Nobregas (Senior Cyber Analyst) and Anna Gilbertson (Senior Cyber Analyst)

Appendices

Mid-High Confidence IoCs

(IoC – Type - Description)

-       trkbucket.s3.amazonaws[.]com – Hostname – C2 endpoint

-       trkbucket.s3.amazonaws[.]com/NVGAoZDmEe – URL – Payload

-       tnegadge.s3.amazonaws[.]com – Hostname – C2 endpoint

-       tnegadge.s3.amazonaws[.]com/dfuJ8t1uhG – URL – Payload

-       c47abdb1651f9f6d96d34313872e68fb132f39f5 - SHA1 File Hash – Payload

-       4abfaeadcd5ab5f2c3acfac6454d1176 - MD5 File Hash - Payload

-       fconnect.s3.amazonaws[.]com – Hostname – C2 endpoint

-       fconnect.s3.amazonaws[.]com/mnQDqysNrlg – URL - Payload

-       15.188.246[.]198 – IP address – C2 endpoint

-       15.188.246[.]198/4l4md4r.sh?grep – URL – Payload

-       185.193.125[.]65 – IP address – C2 endpoint

-       185.193.125[.]65/c4qDsztEW6/TIGHT_UNIVERSITY – URL – C2 endpoint

-       d8d6fe1a268374088fb6a5dc7e5cbb54 – MD5 File Hash – Payload

-       64.52.80[.]21 – IP address – C2 endpoint

-       0d8da2d1.digimg[.]store – Hostname – C2 endpoint

-       134.209.107[.]209 – IP address – C2 endpoint

Darktrace Model Detections

-       Compromise / High Priority Tunnelling to Bin Services (Enhanced Monitoring Model)

-       Compromise / Possible Tunnelling to Bin Services

-       Anomalous Server Activity / New User Agent from Internet Facing System

-       Compliance / Pastebin

-       Device / Internet Facing Device with High Priority Alert

-       Anomalous Connection / Callback on Web Facing Device

-       Anomalous File / Script from Rare External Location

-       Anomalous File / Incoming ELF File

-       Device / Suspicious Domain

-       Device / New User Agent

-       Anomalous Connection / Multiple Connections to New External TCP Port

-       Anomalous Connection / New User Agent to IP Without Hostname

-       Anomalous File / EXE from Rare External Location

-       Anomalous File / Internet Facing System File Download

-       Anomalous File / Multiple EXE from Rare External Locations

-       Compromise / Suspicious HTTP and Anomalous Activity

-       Device / Attack and Recon Tools

-       Device / Initial Attack Chain Activity

-       Device / Large Number of Model Alerts

-       Device / Large Number of Model Alerts from Critical Network Device

References

1.     https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US

2.     https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability

3.     https://www.wiz.io/blog/ivanti-epmm-rce-vulnerability-chain-cve-2025-4427-cve-2025-4428

4.     https://www.darktrace.com/blog/the-unknown-unknowns-post-exploitation-activities-of-ivanti-cs-ps-appliances

5.     https://www.virustotal.com/gui/file/ac91c2c777c9e8638ec1628a199e396907fbb7dcf9c430ca712ec64a6f1fcbc9/community

6.     https://www.virustotal.com/gui/file/f3e0147d359f217e2aa0a3060d166f12e68314da84a4ecb5cb205bd711c71998/community

7.     https://www.virustotal.com/gui/ip-address/15.188.246.198

8.     https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures

9.     https://www.darktrace.com/blog/tracking-cve-2025-31324-darktraces-detection-of-sap-netweaver-exploitation-before-and-after-disclosure

10.  https://www.synacktiv.com/en/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein.

Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content without notice.

Continue reading
About the author
Nahisha Nobregas
SOC Analyst

Blog

/

/

August 7, 2025

How CDR & Automated Forensics Transform Cloud Incident Response

Default blog imageDefault blog image

Introduction: Cloud investigations

In cloud security, speed, automation and clarity are everything. However, for many SOC teams, responding to incidents in the cloud is often very difficult especially when attackers move fast, infrastructure is ephemeral, and forensic skills are scarce.

In this blog we will walk through an example that shows exactly how Darktrace Cloud Detection and Response (CDR) and automated cloud forensics together, solve these challenges, automating cloud detection, and deep forensic investigation in a way that’s fast, scalable, and deeply insightful.

The Problem: Cloud incidents are hard to investigate

Security teams often face three major hurdles when investigating cloud detections:

Lack of forensic expertise: Most SOCs and security teams aren’t natively staffed with forensics specialists.

Ephemeral infrastructure: Cloud assets spin up and down quickly, leaving little time to capture evidence.

Lack of existing automation: Gathering forensic-level data often requires manual effort and leaves teams scrambling around during incidents — accessing logs, snapshots, and system states before they disappear. This process is slow and often blocked by permissions, tooling gaps, or lack of visibility.

How Darktrace augments cloud investigations

1. Darktrace’s CDR finds anomalous activity in the cloud

An alert is generated for a large outbound data transfer from an externally facing EC2 instance to a rare external endpoint. It’s anomalous, unexpected, and potentially serious.

2. AI-led investigation stitches together the incident for a SOC analyst to look into

When a security incident unfolds, Darktrace’s Cyber AI Analyst TM is the first to surface it, automatically correlating behaviors, surfacing anomalies, and presenting a cohesive incident summary. It’s fast, detailed, and invaluable.

Once the incident is created, more questions are raised.

  • How were the impacted resources compromised?
  • How did the attack unfold over time – what tools and malware were used?
  • What data was accessed and exfiltrated?

What you’ll see as a SOC analyst: The incident begins in Darktrace’s Threat Visualizer, where a Cyber AI Analyst incident has been generated automatically highlighting large anomalous data transfer to a suspicious external IP. This isn’t just another alert, it’s a high-fidelity signal backed by Darktrace’s Self-Learning AI.

Cyber AI Analyst incident created for anomalous outbound data transfer
Figure 1: Cyber AI Analyst incident created for anomalous outbound data transfer

The analyst can then immediately pivot to Darktrace / CLOUD’s architecture view (see below), gaining context on the asset’s environment, ingress/egress points, connected systems, potential attack paths and whether there are any current misconfigurations detected on the asset.

Darktrace / CLOUD architecture view providing critical cloud context
Figure 2: Darktrace / CLOUD architecture view providing critical cloud context

3. Automated forensic capture — No expertise required

Then comes the game-changer, Darktrace’s recent acquisition of Cado enhances its cloud forensics capabilities. From the first alert triggered, Darktrace has already kicked in and automatically processed and analyzed a full volume capture of the EC2. Everything, past and present, is preserved. No need for manual snapshots, CLI commands, or specialist intervention.

Darktrace then provides a clear timeline highlighting the evidence and preserving it. In our example we identify:

  • A brute-force attempt on a file management app, followed by a successful login
  • A reverse shell used to gain unauthorized remote access to the EC2
  • A reverse TCP connection to the same suspicious IP flagged by Darktrace
  • Attacker commands showing how the data was split and prepared for exfiltration
  • A file (a.tar) created from two sensitive archives: product_plans.zip and research_data.zip

All of this is surfaced through the timeline view, ranked by significance using machine learning. The analyst can pivot through time, correlate events, and build a complete picture of the attack — without needing cloud forensics expertise.

Darktrace even gives the ability to:

  • Download and inspect gathered files in full detail, enabling teams to verify exactly what data was accessed or exfiltrated.
  • Interact with the file system as if it were live, allowing investigators to explore directories, uncover hidden artifacts, and understand attacker movement with precision.
Figure 3 Cado critical forensic investigation automated insights
Figure 3: Cado critical forensic investigation automated insights
Figure 4: Cado forensic file analysis of reverse shell and download option
Figure 5: a.tar created from two sensitive archives: product_plans.zip and research_data.zip
Figure 6: Traverse the full file system of the asset

Why this matters?

This workflow solves the hardest parts of cloud investigation:

  1. Capturing evidence before it disappears
  2. Understanding attacker behavior in detail - automatically
  3. Linking detections to impact with full incident visibility

This kind of insight is invaluable for organizations especially regulated industries, where knowing exactly what data was affected is critical for compliance and reporting. It’s also a powerful tool for detecting insider threats, not just external attackers.

Darktrace / CLOUD and Cado together acts as a force multiplier helping with:

  • Reducing investigation time from hours to minutes
  • Preserving ephemeral evidence automatically
  • Empowering analysts with forensic-level visibility

Cloud threats aren’t slowing down. Your response shouldn’t either. Darktrace / CLOUD + Cado gives your SOC the tools to detect, contain, and investigate cloud incidents — automatically, accurately, and at scale.

[related-resource]

Continue reading
About the author
Adam Stevens
Director of Product, Cloud Security
Your data. Our AI.
Elevate your network security with Darktrace AI