Difference between revisions of "Scenario 08: Certificate authority hack"

streamlining the Facts part
(implemented most comments and left some comments in the text and in the discussion page for further debate)
(streamlining the Facts part)
'''[F1]''' A company based in State A provides certificate authority services, including for government departments and agencies of State A. It has now been hacked by intruders, who assume control of the company’s certificate-issuing servers and, for several weeks, proceed to issue fraudulent certificates for private sector services, such as email or VoIP-based telephony, but also for services related to the company register in State A (<b>incident 1</b>). Indicators of compromise (IoCs) point to the use of proxies (an unaffiliated group) in incident 1.
 
'''[F2]''' The fraudulent certificates are later used in a massive man-in-the-middle attack to intercept free email communication of several hundred thousand individuals in State A (<b>incident 2</b>). Available evidence shows that this mass surveillance operation was fully orchestrated by State B’s intelligence service, which had ordered and paid the above-mentioned group to issue some of the fraudulent certificates used in incident 2, including for the company register in State A. State B's intelligence service then used the certificates in conducting its mass surveillance operation.
 
'''[F3]''' Eventually, all of the certificates issued by the company are blacklisted by the major internet browsers, the attack is contained, and the company files for bankruptcy.