Case study: When a hacker destroys your business

Former Distribute.IT co-founder Carl Woerndle shares his experience of the cyber attack that destroyed the business.

It’s been almost four years since business owners Carl Woerndle and his brother Alex were caught up in a cyber attack so damaging it destroyed their once prospering technology business, Distribute.IT.

Carl Woerndle has given a warts-and-all account of how he and other staff at his former company dealt with the crisis and the fallout of the malicious hack, in a new cyber security guide produced in conjunction with the CIO Executive Council.

“It was a perfect storm of events,” says Woerndle.

Background

Distribute.IT was founded in 2002 by brothers Carl and Alex Woerndle as a web-based start-up.

The business adopted a channel sales strategy, appointing resellers to on-sell its services. Over the next nine years, the firm branched into cloud-based web server hosting, distributing SSL certificates and SMS services.

By 2011, Distribute.IT had secured 10 per cent of the market for Australian domain names, held multiple international domain accreditations and had 30,000 hosting clients through 3,000 active resellers.

However, later that year the business suffered a severe cyber attack, just as it was growing at 4 per cent a month and had recently expanded into Asia.

The initial breach – week 1

At 5pm on Friday June 3, 2011, Woerndle received a call from his CIO alerting him to a breach in the company’s network.

“We had about 30,000 clients and a minimum of two per day were targeted on our network, so we were used to managing security,” says Carl Woerndle.

DoS attacks and attacks on individual hosted sites are fairly common for hosting providers, but this attack was different. The hacker had bypassed the company's entire security protocol, got behind its firewall and gained access to its master user access information.

This event was the catalyst for a three-week nightmare ride for everyone involved with the business and its clients. Distribute.IT was proactive in its response and its compliance obligations, rebuilding most of its network over the following week, but these measures would not be enough to save the business.

“We put in two back-to-back, 72-hour shifts during the week so it was a massive effort by all,” says Woerndle.

The destructive attack – week 2

Although the company felt it had mitigated its issues, in the end the work completed the week before was for nothing. At 4:30pm on Saturday 11 June, Distribute.IT’s network monitoring system went crazy.

The IT team watched servers go offline every few seconds: the hacker had regained access to the company's network and had escalated to outright destruction.


The hackers targeted and destroyed servers inside Distribute.IT's network, including the backups, which were reachable from the same network, then locked the IT team out. The only way to regain control was to 'pull the plug' at the data centre.

This attack hit Distribute.IT's primary trading and hosting systems, shared web servers and backup systems, removing its ability to trade. The company had to rebuild its entire infrastructure from the ground up, again.

“We were into our third 72-hour block [working on the problem] and by this time, we were completely and utterly exhausted,” says Carl Woerndle.

The network was switched on again on the evening of Monday 13 June, but with its primary websites and VoIP systems down and client databases compromised. By Tuesday 14 June, Distribute.IT started to lose clients. The trust and brand equity that had been built up over nine years had eroded.

Knowledge of the hack became so widespread that the company had an email from hacking group Anonymous saying ‘it wasn’t us’.

By Monday June 20, time had run out. With resellers possibly losing their livelihoods and many websites unrecoverable, the company had no choice but to seek a quick alternative solution.

“My brother and I knew at this point that our business was gone,” Woerndle says.

The aftermath

The hacker's main entry point was an individual company employee, deliberately chosen because that person was judged vulnerable. The hacker was able to plant keylogging malware on the staff member's laptop. The malware built up a database of captured passwords and used the laptop's own VPN connection to reach the internal network, so the access arrived over an authenticated, encrypted channel the firewall was designed to allow.
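The entry vector described above, a keylogged password set used through the victim laptop's VPN, is one a hosting provider can watch for by tying administrative logins back to the VPN session that owned the source address. The example below is added here and is not code from the article, Distribute.IT or the CIO Executive Council guide; the log format, host names, user names, time window and thresholds are all constructed for illustration. It flags a VPN session that fans out to many internal hosts, uses accounts other than the VPN user's own, or starts outside working hours.

```python
from datetime import datetime

# Constructed sample log lines (not real Distribute.IT data). Two record types:
#   vpn   : a VPN session opens and the user is assigned an internal address
#   login : a successful administrative login on an internal host, with its source address
# The second session is the one an attacker riding the laptop's VPN would produce:
# late at night, root on several hosts (including the backup server) within minutes.
SAMPLE_LOG = """\
2011-06-03T09:02:11 vpn user=jsmith assigned=10.8.0.12
2011-06-03T09:10:40 login host=web01 user=jsmith src=10.8.0.12 result=ok
2011-06-03T09:11:02 login host=web01 user=jsmith src=10.8.0.12 result=ok
2011-06-03T23:41:05 vpn user=jsmith assigned=10.8.0.12
2011-06-03T23:42:10 login host=dns01 user=root src=10.8.0.12 result=ok
2011-06-03T23:42:31 login host=db01 user=root src=10.8.0.12 result=ok
2011-06-03T23:43:05 login host=bak01 user=root src=10.8.0.12 result=ok
2011-06-03T23:43:50 login host=web03 user=root src=10.8.0.12 result=ok
"""


def parse_line(line):
    """Parse one 'TIMESTAMP TYPE k=v k=v ...' line (assumed format) into a dict."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def correlate(log_text, fanout_threshold=3, work_hours=(7, 19)):
    """Attribute each successful login to the VPN session that currently owns its
    source address, then score every session. Returns a list of alert dicts;
    an empty list means nothing looked unusual. Thresholds are assumptions."""
    records = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda r: r["ts"],
    )
    owner = {}      # assigned VPN address -> the session that currently holds it
    sessions = []
    for rec in records:
        if rec["kind"] == "vpn":
            session = {
                "vpn_user": rec["user"],
                "assigned": rec["assigned"],
                "start": rec["ts"],
                "hosts": set(),
                "accounts": set(),
            }
            owner[rec["assigned"]] = session   # a new session takes over the address
            sessions.append(session)
        elif rec["kind"] == "login" and rec.get("result") == "ok":
            session = owner.get(rec["src"])
            if session is None:
                continue   # not from a VPN address: out of scope for this check
            session["hosts"].add(rec["host"])
            session["accounts"].add(rec["user"])

    alerts = []
    for s in sessions:
        reasons = []
        if len(s["hosts"]) >= fanout_threshold:
            reasons.append("fan-out")              # one session touching many hosts
        if s["accounts"] - {s["vpn_user"]}:
            reasons.append("account-mismatch")     # logins under someone else's account
        if not (work_hours[0] <= s["start"].hour < work_hours[1]):
            reasons.append("off-hours")            # session opened outside working hours
        if reasons:
            alerts.append({
                "vpn_user": s["vpn_user"],
                "assigned": s["assigned"],
                "start": s["start"].isoformat(),
                "hosts": sorted(s["hosts"]),
                "accounts": sorted(s["accounts"]),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The point of keying on the VPN-assigned address rather than on the user name is that a keylogger gives the attacker the user's own credentials, so the user field alone looks legitimate; what does not look legitimate is one VPN session reaching a backup host and a database host as root at midnight.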

“We focused our efforts on the network itself, rebuilding the network, putting the security around it. What we missed during this period was what came from outside.”

Woerndle says the way in which you manage the early stages of a hacking incident has a big bearing on the outcome. Distribute.IT's decision to take down its network after the first breach tipped off the hacker that the intrusion had been noticed.

“In retrospect, what I should have done was the complete opposite… That’s the point in time where you get forensics involved, have a look around the network, see where those entry points were and build up a real case against the perpetrator,” said Woerndle.

It took the brothers six to 12 months to get over the incident. Carl has recovered and still has an entrepreneurial spirit. He has a few “software plays in the background” that he is trying to develop. “It’s a long journey back,” he says.

Read about the full details of the attack, including wrong turns, the full effect on staff and the key takeaways and valuable advice that comes out of an experience like this by accessing a copy of Cyber security: Empowering the CIO.

Stories by Byron Connolly and Bonnie Gardiner