Rogue WAN – The Galactic Data Breach

A long time ago, in a galaxy far, far away... The War of the Clones has raged across the known galaxy for years. Now there are fears that the Separatists are building a super weapon. A battle station is under construction by a team of scientists and engineers. This battle station is the Death Star.

Planet Scarif Data Breach Post Mortem

The Death Star is now nearing completion. A security breach on the planet Scarif leaked the plans. A threat actor known online as ROGUE ONE carried out the breach with support from the Rebel Alliance fleet. Darth Vader and the Imperial Office of Cybersecurity have commissioned this postmortem to document and explain what happened.

The data breach will not delay construction of the Death Star. Lord Vader expects the battle station to be operational before its previously announced date.

Death Star Plans

Background

The Death Star is a mobile orbital battle station and weapons platform created by the Geonosians and the scientist Galen Erso. When Geonosis halted funding, the Galactic Empire took the project over. The Empire recruited Erso to complete the project under its supervision. The Death Star is a major strategic and tactical enhancement to the Tarkin Doctrine, which has unified and brought order to the galaxy.

Under Grand Moff Tarkin, the twenty Moffs and the Imperial Ruling Council have maintained order, but pockets of resistance known as the Rebel Alliance remain. This resistance has meant long wars for the citizenry of the Empire. To remove the last pockets of resistance, the Death Star will be deployed to known systems with Rebel activity. The Death Star will cleanse systems that harbor these Rebel criminals and restore order through two means:

  • Fear of System Annihilation
  • System Annihilation

Data breaches have happened before within the Empire, and independent actors have attempted to sell the stolen data. Lord Vader stopped previous attempts to disclose the Death Star's plans.

Threat Actor

ROGUE ONE is the threat actor group. They have a link to the Rebel Alliance. Rogue One combined Rebel special operations, intelligence, and previously independent actors. These previously independent actors were sighted in an attack on Jedah, where the Empire was peacefully harvesting kyber crystals. During this attack, an Imperial pilot was abducted by the Rebels. The later infiltration of Scarif is linked with these attacks on Imperial troopers. Due to the unusual makeup of this 'Rogue One', their exact affiliation with the Rebel Alliance is unknown. Prior to the unprovoked attacks on Jedah and Scarif, ROGUE ONE was unknown. Since the destruction of Scarif, galactic chatter has not mentioned the actor.

The Infiltration

Recently ROGUE ONE launched a strategic infiltration of the planet Scarif to obtain the blueprints for the Death Star. On review of the planetary transport logs, a stolen Imperial fleet transport ship was used to get the bad actors planetside. This transport carried still-active security credentials belonging to the abducted Imperial pilot and his known associates. Once planetside, Rogue One began lateral movement and launched multiple coordinated attacks to disrupt operations and extract information. The known attacks were:

  • Rebel ground troop assaults on the Imperial Base.
  • Rebel intelligence operatives gaining access to the base. Internal defenses were activated as soon as suspicious logs were detected.
  • Rebel fleet attack on Scarif's Shield Gate. It should be noted that there appears to have been a significant lack of coordination between this campaign and the first two. We believe this was due to operational error and the Rebel Alliance falling apart.

Rebel Fleet over Scarif

While the initial attack on Scarif appears to indicate a highly coordinated and well-planned breach, the Empire intercepted several of the ships from the Rebel fleet. It should also be noted that the base, and the Rebels left on Scarif, were destroyed by a successful low-power test shot from the Death Star.

Known Damage

The assessment of the damage caused by The Rebel Alliance and ROGUE ONE is as follows:

Data containing the plans and blueprints for the construction of the Death Star was copied and transferred. That data is considered to be of minimal intelligence value. The Death Star has proven to be highly effective at low power. Its defenses are impenetrable.

We are confident that only a single copy of the plans has been leaked and that they have not been copied and redistributed by those who received the transmission. Lord Vader is tracking down the copy of the plans.

The base on Scarif is lost. A detachment is currently recovering anything useful.

We expect the successful attack on the Imperial base on Scarif to rally the Rebels. The construction schedule for the Death Star is on target. New recruits are finishing the project in record time. The firepower of a fully armed and operational battle station would have an appreciable effect on our defenses.


Security Flaws

The current Imperial security framework holds that the edge is the most vital part of our defenses. Internal defenses are not as stringent and have proven to be flawed. Scarif's Shield Gate was breached using credentials that should have been revoked when the Imperial pilot was abducted. Using those credentials, ROGUE ONE was able to land forces on the planet and infiltrate the base. Security had no way to see the lateral movement once the perimeter was breached, other than logs reviewed after the fact.

Imperial ground forces are ineffective. Most troopers are deficient in marksmanship and cannot hit the broadside of an Imperial Cruiser. Current trooper force levels are unsustainable. The budgetary strain alone prevents many projects and training. In addition, it is becoming harder to recruit troopers.

Imperial credential management is weak. The Empire needs credential management that can easily revoke any credential in question or force the asset to authenticate in multiple ways. Without multi-factor authentication, any threat actor holding a valid credential would be able to navigate our facilities, ships, and systems unchallenged.

Of Course We Work Here

Security Measures

The following measures are recommended to prevent a repeat of this incident:

Greater security visibility. When Imperial security is breached, there is currently no way to detect or respond to it. Having a way to manage, detect and respond to events will give us immediate visibility into who did what, and when, on Imperial systems.
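The two detections this report calls for (the Shield Gate breach with a credential that should have been dead, and the lateral movement that was only visible in logs after the fact) can be expressed as simple rules over access logs. The following is an added example, not Imperial tooling or code from the original report; the log format, the credential names and the sample lines are all constructed for the example, and the "compromised" list stands in for credentials that should have been revoked after the pilot's abduction.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's format):
# "<ISO timestamp> cred=<credential id> src=<origin> host=<system> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) cred=(?P<cred>\S+) src=(?P<src>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)

# Constructed sample access log: one credential hops across four systems in eight minutes,
# while a second credential shows ordinary activity.
SAMPLE_LOG = """\
2024-05-01T09:00:00 cred=pilot-7 src=transport-dock-3 host=shield-gate result=success
2024-05-01T09:04:00 cred=pilot-7 src=10.4.0.12 host=landing-pad-9 result=success
2024-05-01T09:06:30 cred=pilot-7 src=10.4.0.12 host=archive-tower result=success
2024-05-01T09:07:10 cred=pilot-7 src=10.4.0.12 host=comms-dish result=failure
2024-05-01T09:08:00 cred=pilot-7 src=10.4.0.12 host=comms-dish result=success
2024-05-01T09:30:00 cred=trooper-4401 src=10.4.1.2 host=archive-tower result=success
2024-05-01T10:15:00 cred=trooper-4401 src=10.4.1.2 host=mess-hall result=success
"""


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, compromised, window=timedelta(minutes=10), host_threshold=3):
    """Return alerts for (a) any successful use of a credential on the compromised list and
    (b) one credential succeeding on >= host_threshold distinct hosts within `window`."""
    alerts = []
    by_cred = defaultdict(list)  # credential id -> successful events
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["result"] != "success":
            continue
        if ev["cred"] in compromised:
            alerts.append({"type": "compromised-credential-used", "cred": ev["cred"],
                           "host": ev["host"], "ts": ev["ts"]})
        by_cred[ev["cred"]].append(ev)
    for cred, evs in by_cred.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Distinct hosts reached within `window` of this event: a sliding-window count.
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= host_threshold:
                alerts.append({"type": "lateral-movement", "cred": cred,
                               "hosts": sorted(hosts), "ts": first["ts"]})
                break  # one alert per credential is enough to page the duty officer
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines(), compromised={"pilot-7"}):
        print(alert)
```

Run as is, the example raises four "compromised-credential-used" alerts for pilot-7 (one per system it logged into) and one "lateral-movement" alert listing the four hosts it reached inside the ten-minute window; trooper-4401, who touched two systems forty-five minutes apart, raises nothing. The thresholds are starting points: the window and host count should be tuned against normal activity on each base so that the rule pages on an intrusion rather than on shift changes.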

Consistent training of Stormtroopers. Set and enforce marksmanship standards. Remove any Stormtroopers not meeting minimum levels.

Bad At Pew Pew

Improved credential management. Revoke credentials in a timely manner. The Empire also needs an authentication method that uses at least two independent factors to confirm the identity of an asset or individual.
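As an added illustration of the credential-management points raised under Security Flaws and again here, the following is a small credential store in which the revocation list is consulted before any other check and a second factor (an RFC 6238 time-based one-time code) is required alongside the password. This is example code written for this post, not an Imperial system; the credential id, passphrase and TOTP seed are constructed, and the two eight-digit codes checked at the end come from the published RFC 6238 test vectors.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a copied credential table does not yield the passwords themselves."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class CredentialStore:
    """Credential records plus a revocation list that is checked before anything else."""
    records: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)

    def enroll(self, cred_id: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.records[cred_id] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret,
        }

    def revoke(self, cred_id: str) -> None:
        # Called the moment an asset is reported missing; the record is kept for forensics.
        self.revoked.add(cred_id)

    def authenticate(self, cred_id: str, password: str, code: str, now: int) -> tuple:
        """Return (accepted, reason). Revocation wins even over a correct password and code."""
        if cred_id in self.revoked:
            return False, "revoked"
        rec = self.records.get(cred_id)
        if rec is None:
            return False, "unknown-credential"
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
            return False, "bad-password"
        # Accept the current 30-second window and one on either side to tolerate clock skew.
        for skew in (-1, 0, 1):
            if hmac.compare_digest(totp(rec["totp_secret"], now + 30 * skew), code):
                return True, "ok"
        return False, "bad-second-factor"


if __name__ == "__main__":
    store = CredentialStore()
    seed = b"constructed-totp-seed-pilot-7"  # constructed sample seed
    store.enroll("pilot-7", "constructed-passphrase", seed)
    now = 1_700_000_000
    print(store.authenticate("pilot-7", "constructed-passphrase", totp(seed, now), now))
    store.revoke("pilot-7")  # the pilot is reported abducted
    print(store.authenticate("pilot-7", "constructed-passphrase", totp(seed, now), now))
```

The ordering in `authenticate` is the point: a stolen password and even a stolen token generator are useless once the credential id is on the revocation list, which is exactly the check that was missing when the transport reached the Shield Gate. In practice the revocation list would be replicated to every gate and system that authenticates, so that revoking once takes effect everywhere.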

Encrypt data at rest. Data that is encrypted is of no use to the Rebels or anyone else who obtains it without also obtaining the key.

Establish an atmosphere of trust. Encourage Imperial assets to report issues. Most of the Empire is aware of stories of people who have lost Imperial assets after meeting Lord Vader.

Respectfully submitted,

Imperial Office of Cybersecurity