On the night between Saturday February 19 and Sunday February 20 (CET), Axis was the subject of a cyber-attack targeting internal systems. In order to protect customer, partner, supplier and Axis-internal data, a decision was made to completely disconnect all Internet-facing services. This was done as a priority on Sunday February 20. As a result, the intruders were blocked from access.
Starting on the morning of Sunday February 20, forensic work began in parallel with clearing activities to clean, restore and relaunch services. The current status is a stable baseline for all key business processes and the most important systems. The remaining systems will be made available step by step as soon as they are cleared. Until then, Axis operates in a restricted mode to ensure security while completing the final stages of the clean-up.
The incident management process and forensic analysis
External security and forensic experts were contacted as soon as the intrusion was detected. Acting in close collaboration, a joint team of external forensic experts and Axis senior staff has led the work, ensuring that the decisions and steps taken meet high standards for security, forensic conclusions and business continuity. The forensic analysis is now mostly finished. The extensive analysis has gone through very large amounts of data from our technical environment. Some of it comes from machines that proved to be affected by the intrusion, but the majority of our infrastructure was cleared without any traces of illegitimate activity. The initial findings from the Post Mortem still hold true. No third-party data (such as customer, partner and supplier information) has been found to be affected. No product-related software has been found to be affected. The forensic analysis concluded that the only information verified to have been exposed is Axis contact information, including employee names and phone numbers. Additionally, cross-referencing the log files of different systems for the time period of the intrusion further supports that conclusion. Authorities have been notified about the known loss of personal data in accordance with the European GDPR legislation.
What is known about the purpose of the attack?
There has been speculation about the purpose of the attack. The investigation provides no conclusive evidence, since the decision to block Internet connectivity appears to have effectively stopped the intrusion mid-attack, before completion. No encrypted servers or clients pointing to a ransomware attack have been found. The detected malware, which provided the intruders with remote control capabilities, has been reverse engineered, analyzed and eradicated. No traces of ransomware or other special-purpose malware have been found. As a result, our conclusion is that the attack was stopped before its goal was reached.
Steps taken before relaunching services
Before being made available again, servers have undergone forensic analysis, cleared new heightened security requirements, been extensively scanned for malware and undergone threat detection monitoring for a prolonged period. Our software development deserves special mention. No trace of illegitimate activity has been found in any software development-related system. Despite that, before being made available again, all software provided by Axis has been thoroughly verified and cleared. In addition to forensic analysis, malware scanning and threat detection monitoring, we have reviewed source code commits from the relevant time frame, ensuring the integrity of our software. All checksums for distributed software have also been verified. No trace of illegitimate activity has been found.
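The checksum verification step described above can be reproduced against any release directory with a recorded manifest. The script below is an added illustration of that technique and is not Axis code; it assumes a sha256sum-style manifest ("digest  filename" lines) captured before the incident window, and it constructs its own sample files and manifest so it runs offline. It reports not only digest mismatches but also files missing from disk and files present on disk that the manifest never listed, since both are integrity findings an incident responder would want surfaced.

```python
"""
Verify release artifacts against a previously recorded checksum manifest.

Added example, not Axis code. The manifest format (sha256sum output) and the
file names below are assumptions; sample files are constructed inline.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class VerificationReport:
    ok: list = field(default_factory=list)          # digest matched the manifest
    mismatched: list = field(default_factory=list)  # digest differs: tampering or corruption
    missing: list = field(default_factory=list)     # listed in manifest but absent on disk
    unlisted: list = field(default_factory=list)    # on disk but never recorded in manifest

    @property
    def clean(self) -> bool:
        return not (self.mismatched or self.missing or self.unlisted)


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines; tolerates the '*' binary-mode marker."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def sha256_file(path: str) -> str:
    """Stream the file so large firmware images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory: str, manifest_text: str) -> VerificationReport:
    """Compare every manifest entry with the directory contents, both ways."""
    expected = parse_manifest(manifest_text)
    report = VerificationReport()
    on_disk = {n for n in os.listdir(directory)
               if os.path.isfile(os.path.join(directory, n))}
    for name, digest in sorted(expected.items()):
        if name not in on_disk:
            report.missing.append(name)
            continue
        actual = sha256_file(os.path.join(directory, name))
        (report.ok if actual == digest else report.mismatched).append(name)
    report.unlisted.extend(sorted(on_disk - expected.keys()))
    return report


def demo() -> VerificationReport:
    """Constructed scenario: one intact file, one altered after the manifest was
    written, one removed, and one extra file that was never in the manifest."""
    d = tempfile.mkdtemp()
    files = {"firmware-1.0.bin": b"A" * 1024, "tool.exe": b"hello", "sdk.zip": b"zipdata"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    manifest = "\n".join(f"{hashlib.sha256(data).hexdigest()}  {name}"
                         for name, data in files.items())
    with open(os.path.join(d, "tool.exe"), "ab") as f:   # simulate post-manifest change
        f.write(b"\x90")
    os.remove(os.path.join(d, "sdk.zip"))                 # simulate a removed artifact
    with open(os.path.join(d, "unexpected.dll"), "wb") as f:  # simulate an unlisted extra
        f.write(b"x")
    return verify_directory(d, manifest)


if __name__ == "__main__":
    r = demo()
    print("clean" if r.clean else
          f"mismatched={r.mismatched} missing={r.missing} unlisted={r.unlisted}")
```

For a real release tree the manifest should come from a copy stored outside the affected environment (or from a signed manifest whose signature is checked first); a manifest that lived on the same compromised host proves nothing.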
Lessons learned and changes
A situation like this is humbling and a reason to change wherever needed. In the current climate of cyber threats, increased defenses are a natural and necessary part of business continuity. At Axis, we continuously reexamine the balance between efficient business processes and security. As a result of this incident, access methods have been redesigned to minimize human error and to lower the risk of technical exploitation should human error occur. Technical security mechanisms across the board have been raised in general to limit the risk of any similar future event. The effect is increased security at the cost of slightly less smooth workflows. Other additional measures have been taken but will not be outlined here, purely for security reasons. We think this is as far as our forensic investigation will come. However, should any new information arise, we will provide additional updates.
For Axis, trust is what fuels our business and success. We believe that transparency is necessary to keep the trust of our end customers, partners, suppliers and, ultimately, society. Even if this is a difficult situation for us, we sincerely hope all of you share our beliefs. Our intention with these reports is to help everyone make informed decisions about their current situation and business going forward.