Anatomy of the NSP Hack

NSP has been quiet about what happened, but enough details came out in the OPC’s letter that we can piece together a likely scenario.

Editor Note: Though I’m probably mostly known as the shipping and built environment guy, my day job for the past 26+ years has been in IT, where for the last while I have been primarily dealing with endpoint management and security, so I’m uniquely qualified to speculate about what NSP was doing (or not doing) based on the public details. I have no insider details; the only things I know for sure are what NSP, the UARB and the OPC have publicly released. The rest is plausible speculation on my part based on what I have seen over the years at other organizations, as well as how attacks like this typically operate. This article began life as a Reddit post, and this updated article considers some of the feedback that post received.

On March 19, 2025, an NSP employee visited a compromised website that contained the SocGholish (FakeUpdates) malware. The malware is frequently inserted into compromised WordPress sites and pretends to be a message from the browser, informing users that their browser is out of date and offering them an update to download. That “update” contains further malware that performs reconnaissance on the machine, reports back to a command and control server, and typically downloads and installs other malware, such as ransomware or remote access Trojans, which allow attackers to access the machine. They now have a beachhead from which to launch the full attack.

Example of a SocGholish fake Chrome browser update used to serve malicious downloads. (Via sucuri.net)

SocGholish has been around since 2017. That also suggests this was an attack of opportunity rather than a targeted attack on NSP. The criminal hacker group that began using SocGholish typically uses it to cast a wide net, investigating targets to find those that can potentially lead to a large payday. Historically, threat actors have targeted large, publicly prominent organizations to try to use that prominence to increase the likelihood of a ransom payout. It’s not personal, it’s just business.

SocGholish will commonly download Cobalt Strike (which is also not new, and should be detectable by AV, at least until the malware kills the AV), and it seems plausible that this was the next step in the attack. Cobalt Strike has a number of features, including remote access, data collection, and privilege escalation attacks. Privilege escalation is the process by which a normal user gets granted admin rights on the device.

Cobalt Strike is able to perform privilege escalation by exploiting poorly managed Windows services to run other code in their place. This requires the service to be restarted, which requires admin rights (which, if the attacker already had them, would mean there was no need to perform privilege escalation). The other way to restart a service is by rebooting the device. This may explain the gap between the initial infection on the 19th and the traversal of the network on or around April 8th: the attackers needed to wait for the device to reboot. Microsoft’s normal patch cycle releases monthly updates on Patch Tuesday, the second Tuesday of the month. In April 2025, Patch Tuesday fell on the 8th, and the updates would have triggered a reboot.

Based on feedback I received, it looks like most end users at NSP operate day to day without administrator rights. Users who do have admin rights have the ability to install software and access privileged settings on the system. Having users operate day to day with admin rights on their user account is a bad practice, but it frequently happens due to perceived requirements of legacy software. In many cases legacy software can be made to work by changing permissions on the file system or performing other tweaks so that it will run without the user having admin rights.

If the attackers were able to compromise someone with local admin rights, or perform a privilege escalation attack to obtain them, that grants them access to the internals of the operating system. With admin access, a user can dump the local account database and any cached credentials, and then run them through password cracking software.

Every device has a local administrator account, and in many organizations this account uses a common password, which then gives access to additional machines and possibly servers. Microsoft has a tool called LAPS that will set and rotate local admin passwords, ensuring they are unique on each device. Better practice is to not have any user’s normal account operate with admin rights, and to use a separate account for admin access. Admin rights should also be granted explicitly on devices rather than using domain admin rights to do so. A commonly used admin password would enable traversal across the network.

From the OPC report: “On or around April 8, 2025, the threat actor began to move laterally across systems in the Nova Scotia Power network environment, using accounts with domain administrator privileges. Between April 8 and April 22, 2025, the threat actor deployed and leveraged additional malware to perform internal reconnaissance and credential harvesting activities”

Domain admin credentials are the highest level of access that exists on a Windows domain; accounts with domain admin rights basically have access to everything. Since a domain admin account was accessed, it’s likely IT staff operate with this right and use it more widely than they should. This would result in domain admin credentials being cached locally on a device, and with the compromised user having admin rights, dumping the cache and cracking passwords offline would have been possible.

With domain admin rights, the attackers had access to every Windows-based device in the domain. This would have allowed them to exfiltrate data, likely by accessing file shares and dumping entire databases. It also allowed them to destroy backups. Many organizations keep online backups, which are sufficient to protect against server failure or data issues, but can’t protect against malicious destruction or physical loss of the equipment containing them. Periodic backups should be stored on disconnected media, and off site.

Domain admin access would also have been sufficient to deploy ransomware widely; ransomware works by encrypting systems so they cease to function. This also explains how so much of NSP’s operations were rendered inoperable.

We know the threat actors had access to NSP for a month. They were able to blend in and avoid detection until they chose to start breaking things. There were several controls that, had they been in place, would have made this attack much less impactful, and certainly there were multiple events where the attack could have been detected, by anti-virus or by network monitoring.

Endpoint anti-virus is important, but one of the first tasks of any basically competent malware is to disable anti-virus. Since almost all cyber crime is financially motivated, and the malware has to keep talking back to its operators to be worth anything, monitoring networks for endpoints accessing command and control servers is an important step in detection.
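One simple form of the network monitoring described above is looking for beaconing: an endpoint contacting the same host at near-constant intervals, which is how implants such as the ones named in this post check in with their command and control server. The script below is an added example, not code from the original post or from any of the tools it mentions; it runs over constructed proxy log lines in a simplified made-up format, and the thresholds (five hits, 20% jitter) are assumptions to tune, since real implants often add random delay to blur the pattern.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real NSP data): timestamp, source IP,
# method, destination host. One host is contacted roughly every 60 seconds.
SAMPLE_LOG = """\
2025-03-20T09:00:00 10.1.4.23 GET updates.example-cdn.test
2025-03-20T09:00:03 10.1.4.23 GET intranet.corp.test
2025-03-20T09:01:02 10.1.4.23 GET updates.example-cdn.test
2025-03-20T09:02:01 10.1.4.23 GET updates.example-cdn.test
2025-03-20T09:02:41 10.1.4.23 GET mail.corp.test
2025-03-20T09:02:58 10.1.4.23 GET updates.example-cdn.test
2025-03-20T09:04:00 10.1.4.23 GET updates.example-cdn.test
2025-03-20T09:05:00 10.1.4.23 GET updates.example-cdn.test
2025-03-20T09:07:15 10.1.4.23 GET intranet.corp.test
2025-03-20T09:09:30 10.1.4.23 GET intranet.corp.test
2025-03-20T09:15:02 10.1.4.23 GET intranet.corp.test
2025-03-20T09:16:10 10.1.4.23 GET intranet.corp.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) \S+ (\S+)$")


def parse_log(text):
    """Yield (timestamp, src_ip, dst_host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_beacons(text, min_hits=5, max_jitter=0.2):
    """Return {(src, dst): mean_interval_seconds} for source/destination pairs
    contacted at least min_hits times whose gaps between contacts vary by no
    more than max_jitter (coefficient of variation), i.e. beacon-like traffic."""
    seen = defaultdict(list)
    for ts, src, dst in parse_log(text):
        seen[(src, dst)].append(ts)
    beacons = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue  # too few contacts to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Regular check-ins have a small spread relative to their mean interval;
        # ordinary browsing (the intranet host) is bursty and fails this test.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Flagged pairs are a lead for investigation, not proof of compromise; legitimate software updaters and monitoring agents also poll on a schedule, so the next step is checking the destination against a known-good list.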

Based on the damage caused and the widespread access the attackers had, the recovery likely included rebuilding large portions of systems from scratch.
