A long time ago, in a galaxy far, far away.. The War of the Clones have raged across the known galaxy for years. Now, there are fears that Separatists are building a super weapon. A battle station is under construction by team of scientists and engineers. This battle station is the Death Star. The only way to stop the Death Star is to get its blue prints. For that, we will need a data breach.
Planet Scarif Data Breach Post Mortem
The Death Star is now nearing completion. A security breach on the planet Scarif leaked the plans. A threat actor known as ROGUE ONE online, carried out the breach with support from the Rebel Alliance fleet. Consequently, Darth Vader and The Imperial Office of CyberSecurity have commissioned this postmortem. It is designed to document, and explain what happened.
The data breach will not delay construction of the Death Star. Lord Vader expects the battle station to be operational before its previously announced date.
Death Star Plans
Background
The Death Star is a mobile orbital battle station and weapons platform created by the Geonosians. Specifically, the scientist Galen Erso. With funding halted by Geonosis, the Galactic Empire took the project over. Then, Empire recruited Erso to complete the project under their supervision. The Death Star is a major strategic and tactical enhancement to the Tarkin Doctrine. The Doctrine brought order to the galaxy.
Under Grand Moff Tarkin, the twenty Moffs and Imperial Ruling Council have maintained order. However, pockets of resistance known as the Rebel Alliance remain. This resistance has resulted in long wars for the citizenry of the Empire. To remove the last pockets of resistance, the Death Star deployed to known systems with Rebel activity. The Death Star will cleanse systems that harbor these Rebel criminals to restore order through two means:
- Fear of System Annihilation
- System Annihilation
Data breaches happened before within the Empire. Specifically, other independent actors attempted to sell them. Lord Vader stopped previous attempts to disclose the Death Star’s plans.
Threat Actor
ROGUE ONE is the threat actor group. They have a link to the Rebel Alliance. Rogue One has since combined Rebel special operations, intelligence, and previously independent actors. No longer independent, these actors converged for on an attack on Jedah. As you may know, the Empire peacefully harvests kyber crystals there.
Rebels abducted an Imperial pilot during the attack. The later infiltration of Scarif is linked with these attacks on Imperial troopers. Due to the unusual makeup of this ‘Rogue One’ their exact affiliation with the Rebel Alliance is unknown. Previous to the unprovoked attack on Jedah and Scarif, ROGUE ONE was an unknown. Since the destruction of Scarif, galactic chatter has not mentioned the actor.
The Infiltration
Recently ROGUE ONE launched a strategic infiltration on the planet Scarif. This attack was to obtain the blueprints for the Death Star. As per usual, security reviewed the transport logs. A stolen Imperial fleet transport ship was found. This transport, was how the bad actors arrived planet side. This transport contained still-active security credentials from the abducted Imperial pilot and his known associates. Once planet side, Rogue One began a lateral spread and launched multiple coordinated attacks to disrupt operations and extract information. The known attacks were:
- Rebel ground troop assaults on the Imperial Base.
- Rebel intelligence operatives gaining access to the base.
- Security detected suspicious log activity.
- Internal defenses initiated by security.
- Rebel fleet attack of Scarif’s Shield Gate. (**Please Note** significant lack of coordination between this campaign and the first two.) We believe it was due to operational error, and the Rebel Alliance falling apart.
- Data Breach of blueprints and plans.
Rebel Fleet over Scarif
While the initial attack on Scarif appears to indicate a highly coordinated and well-planned breach, the Empire intercepted several of the ships from the Rebel Fleet. However, it should be noted that the base, the Rebels left on Scarif were destroyed. A successful low-power test shot from the Death Star took care of both issues.
Known Damage
The assessment of the damage caused by The Rebel Alliance and ROGUE ONE is as follows:
Data containing the plans and blueprints about the construction of the Death Star were copied and transferred. However, the blueprints are considered to be of minimal intelligence value. The Death Star has proven to be highly effective at low power. The defenses are impenetrable.
We are confident that only a single copy of the plans has been leaked. The plans have not been copied and redistributed by those who received the transmission. Lord Vader is tracking down the copy of the plans.
The base on Scarif is lost. A detachment is currently recovering anything useful.
We expect the Rebels to Rally because of the successful attack on the Imperial base on Scarif. But, the construction schedule for the Death Star is on target . New recruits are finishing the project in record time. The firepower of a fully armed and operational battle station would have an appreciable effect on our defenses.
Security Flaws
Current Imperial security framework belief is that the edge is the most vital part of our defenses. Internal defenses are not stringent. Imperial defenses are flawed. Scarif’s Shield Gate was breached using credentials that should have been revoked when an Imperial pilot was abducted. Using those credentials, ROGUE ONE was able to land forces on the planet and infiltrate the base. Security had no way to see the lateral movement once breached other than logs after the fact.
Imperial ground forces are ineffective. Most troopers are deficient in marksmanship. and cannot hit the broadside of an Imperial Cruiser. Current trooper forces are at levels that are unsustainable. The budgetary strain alone prevents many projects and training. In addition, it is becoming harder to recruit troopers.
Imperial credential management is weak. Therefore, the Empire will need credential management. Then, credentials can be revoked if in question. Assets can also authenticate in multiple ways. Without multi-factor authentication any threat actor would be able to navigate our facilities, ships, and systems unchallenged.
Of Course We Work Here
Security Measures
In Conclusion, implement the following measures:
Create greater security visibility.
Create alarms for security is breaches. Currently, there is no way to detect or respond to it. Have a way to Manage, Detect and Respond to events. Get instant visibility on who did what and when on Imperial systems.
Consistent training of Stormtroopers. Adopt and develop marksmanship levels . Remove any Stormtroopers not meeting minimum levels.
Bad At Pew Pew
Improved credentials management. Revoke credentials in a timely manner. The Empire also needs to use an authentication manner that uses at least two sources to confirm the identity of an asset or individual.
Encrypt data at rest. Encrypted data is of no use to the Rebels or anyone else.
Establish an atmosphere of trust. Encourage Imperial assets to report issues. Most of the Empire is aware of stories of people who have lost imperial assets after meeting Lord Vader.
Respectfully submitted,
Imperial Office of Cybersecurity
