9. Destructive Attacks Are Easier Than Stealthy Espionage
Mandia: Disruption would have been easier than what they did. They had focused, disciplined data theft. It’s easier to just delete everything and [use] blunt-force trauma and see what happens, which is what other actors have done.
But what I’ve observed this group do—and I think this is an important detail—a lot of times when you break into a network, you get what’s called the ‘domain admin account,’ and you just use that to grab everything. It’s the keys to everything; it’s the master key in the hotel. But what this group actually did, if they wanted to break into Room 404, they got a room key that only worked for Room 404. Then they got the room key for 407.
They actually did more work than what it would have taken to go destructive. But obviously, they had the access required and the capability required—should they have wanted to be disruptive—to have done so.