In this instance, the big password reset day was scheduled to coincide with the company's annual baseball game, which had been instituted to increase employee morale. Because of this, the project was dubbed "company baseball game," with the name of the company changed here to protect its identity. From that point forward, no one mentioned APT or password reset. Everything was about the baseball game.
The company's systems were completely compromised, so new laptops and wireless routers were purchased. All project-related work was to be performed on these laptops over a secured wireless network to prevent any accidental leakage of information about the project, regardless of code-word use.
One facet of the project was to tackle the overabundance of domain administrators at the company. There were far too many -- all told, more than 1,000. We set up camp in one of the many executive conference rooms we used over the course of the project and began discussing what to do.
We couldn't decide which domain administrators were truly needed and which we could disable, so we decided to disable them all on "company baseball game" day, and force those who really needed domain admin access to reaffirm their need. We drafted a domain admin access request form on one of the project laptops and called it a day. We would send out the forms just before "company baseball game" day so that each person who needed a domain admin account could get one in time to be prepared.
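The reset-day step described above, disabling every domain admin and re-granting access only to people who reaffirm their need, can be staged ahead of time as an audit. The following PowerShell is an added example, not something from the original story or the company involved; it assumes the ActiveDirectory module is available, that the approved names in `$approvedRequests` come from the returned access request forms (the values here are constructed), and it runs in report-only mode unless `-Enforce` is supplied.

```powershell
# Added example: audit Domain Admins membership against approved request forms.
# Assumes the ActiveDirectory RSAT module; run from a clean, dedicated project host.
param(
    [switch]$Enforce   # without this switch the script only reports what it would do
)

Import-Module ActiveDirectory

# Constructed placeholder list: SamAccountNames taken from approved request forms.
$approvedRequests = @('alice.admin', 'bob.admin')

# Resolve the group recursively so nested-group members are counted as well;
# an overabundance of admins usually hides in nested groups.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

Write-Host ("Domain Admins (recursive): {0} user accounts" -f $members.Count)

$report = foreach ($m in $members) {
    $user = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, Enabled
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        Enabled        = $user.Enabled
        LastLogonDate  = $user.LastLogonDate
        Approved       = $approvedRequests -contains $user.SamAccountName
    }
}

# Review output first: stale, disabled, or unapproved admins stand out here.
$report | Sort-Object Approved, LastLogonDate | Format-Table -AutoSize

# Export the snapshot so the pre-change membership is preserved as evidence.
$report | Export-Csv -Path '.\domain-admins-before.csv' -NoTypeInformation

# Enforcement: remove direct membership for anyone not on the approved list.
# -WhatIf keeps this a dry run unless -Enforce was passed.
$direct = Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object { $_.objectClass -eq 'user' -and ($approvedRequests -notcontains $_.SamAccountName) }

foreach ($d in $direct) {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $d -Confirm:$false -WhatIf:(-not $Enforce)
}
```

Run it once without `-Enforce` and keep the CSV; the report is what you hand to executives when asking who among the thousand still needs the access, and the nested-group pass is what prevents someone from quietly retaining rights through a group you never looked at.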
The next morning around 7:30 a.m., I entered that same executive conference room. The project manager was already there. He looked up at me, his eyes a bit wider than usual for the early hour, and said, "Here's our first two domain admin requests," as he flipped them to me.
What did he mean, domain admin requests? The form wasn't out of the draft stage and wasn't scheduled to go out for months. But there they were, two filled-out "domain admin access request" forms. They had some small but very noticeable mistakes, so it was obvious they were not from our original draft. Each was filled in by team members belonging to a foreign subsidiary who currently had domain admin access. The reason they were requesting reinstated domain admin access? Because their current access was to be cut on baseball game day.
To this day, I still can't believe it. I was holding two forms that shouldn't have existed. The only draft was on a laptop on an air-gapped network. Our precious secret project code was blown. Astonishment passed from team member to team member along with the forms as we gave them the news.
After much investigation, we figured out that the APT, led by insiders, had infiltrated all the conference rooms using the data display projectors and executive videoconference systems. They were watching and digesting all our supposedly secret meetings. Their only mistake was in not understanding that the form didn't really exist yet and was not due to be sent out for months. Thank goodness for language barriers.
Lesson: If your conference equipment is networked and can record voice or video, disable that capability (or unplug the equipment) before conducting sensitive meetings.
APT war story No. 2: Not all APTs are as advanced as experts think
This is the story of an APT team that had taken total control of a company's network. They were actively creating connections all around the network, day or night, by the time I got called in. They were beyond caring whether they had been discovered.