I have an interesting story that I can only recently share due to the statute of limitations passing. I'll stay anonymous for this story.

A number of years ago, I worked on a security team "somewhere". When I joined the place, I was given some context by the other employees about advanced intrusions in the past. For years I spent late nights poring over my laptop trying to find every imaginable way of breaching the network, and searching for indicators of compromise. Until it happened!

When it happened, it happened so quickly I was blindsided. The attack took place during a time when we would least expect it (not holidays or a certain hour, something else). I was the first to notice the indicators of compromise. They were so quick to work through our network; they identified paths that took me years of research to locate in mere weeks. We were able to stop them, thanks to our network monitoring. Many of the techniques they used were cutting-edge research, released within the past month. Very impressive and informative. However... they made a mistake.

In one of their reverse shells, they were using scp to copy our files to their backup servers. See the mistake? By dumping the packet data from the reverse shell connection, a plaintext password to their server was available. And this is where the statute of limitations comes in.

I connected back to their server with Tor. "Hacking back" is illegal, but I (personally) had to know who bested my efforts to secure the network -- and what they had. What I found was fascinating. They rented out a Linux VPS on a well known provider, but they rebooted the system into a live OS to run in memory. For persistent storage, they connected an SSHFS mountpoint. I thought about it and realized how clever it was to run the OS in memory. If the server is shut down for forensics, nothing would be found.

I explored their files. They were curiously organized. Every one of their targets was stored in a separate folder under a single parent data exfiltration folder. They also had an exploits folder, which had only public exploits. I thought about it and this also made sense: you can avoid profiling by using public exploits. They changed the shellcode in the exploits, however. Their targets surprised me (almost as much as the access they achieved in them). Hetzner, Huawei, and many others. One target was a national security/defense entity of another country, and they set up an SSL/TLS MITM on their ENTIRE network and extracted all of their repositories and credentials. Unbelievable skill. I wouldn't believe it if it was in a movie.

They used their own proxy network, and to the best of my knowledge they only made one mistake. Because of that mistake, I believe I know who was responsible. I feel like I've already said too much though; this is the first time I've made a comment about my experiences in security. On the fence about sharing, but I thought you all might enjoy the story!