After identifying the data they were after, the attackers leveraged a file-compression utility, WinRAR, to compress and password-protect the IP; from there, they funneled the information back out through the third-party firewall to exfiltrate it.

Beware the ‘Inside Accomplice’

Another attack vector I’ve observed does involve some physical presence, but the majority of the attack is conducted remotely. These attacks, which can take place at data centers and small site locations, involve employees of IT and telecommunication companies assisting adversaries in gaining access to their targets. In one actual case, the adversaries, once in, installed a well-known remote access Trojan, 9002 RAT, which has an extensive list of exfiltration capabilities tying back to the attackers’ command-and-control infrastructure. Because of a lack of visibility on the organization’s servers, the data was successfully exfiltrated after the adversaries dropped a file containing China Chopper code, a webshell capable of exfiltrating information back to a remote command-and-control server.
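Both incidents above turn on the same visibility gap: an archiver quietly packaging data into a password-protected archive, in one case from a webshell's context on a server nobody was watching. The following is an added detection example, not code from the article or its author. It scans process-creation log lines for WinRAR/Rar invocations that create a password-protected archive (the real `-hp` and `-p` switches, which encrypt headers-plus-data and data only, respectively), stage it in a temp directory, split it into volumes, run from a non-standard path, or execute under a web application pool identity. The log format, the sample events, the scoring weights and the staging-directory list are all constructed assumptions for this example; in practice the same fields come from Sysmon event ID 1 or Windows 4688 with command-line auditing enabled.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (assumed format, not from the article):
# "<timestamp> host=<host> user=<user> image=<exe path> cmd=<command line>"
SAMPLE_EVENTS = [
    "2024-01-10T02:13:44Z host=WS-117 user=jdoe image=C:\\Program Files\\WinRAR\\Rar.exe "
    "cmd=Rar.exe a -hpS3cret! -m5 -v500m C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.rar \\\\fs01\\designs\\*.dwg",
    "2024-01-10T09:02:10Z host=WS-042 user=asmith image=C:\\Program Files\\WinRAR\\WinRAR.exe "
    "cmd=WinRAR.exe x C:\\Users\\asmith\\Downloads\\report.rar C:\\Users\\asmith\\Documents\\",
    "2024-01-10T22:47:03Z host=SRV-DB2 user=svc_backup image=C:\\Program Files\\WinRAR\\Rar.exe "
    "cmd=Rar.exe a -r C:\\Backups\\db-nightly.rar D:\\Dumps\\",
    "2024-01-11T03:05:51Z host=SRV-WEB1 user=IIS APPPOOL\\DefaultAppPool image=C:\\Windows\\Temp\\r.exe "
    "cmd=r.exe a -p\"Tr0ub4dor\" -ep1 C:\\Windows\\Temp\\cache.rar C:\\inetpub\\wwwroot\\App_Data\\",
    "2024-01-11T08:15:00Z host=WS-042 user=asmith image=C:\\Windows\\System32\\notepad.exe "
    "cmd=notepad.exe C:\\Users\\asmith\\notes.txt",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>.+?) image=(?P<image>.+?) cmd=(?P<cmd>.+)$"
)

ARCHIVER_NAMES = {"rar.exe", "winrar.exe"}
CREATE_COMMANDS = {"a", "u", "m", "f"}          # RAR: add, update, move, freshen
RAR_STYLE_SWITCHES = ("-hp", "-ep", "-m", "-v")  # used to spot a renamed Rar.exe
STAGING_DIRS = ("\\temp\\", "\\programdata\\", "\\public\\", "$recycle.bin")
REPORT_THRESHOLD = 3                             # assumed scoring cut-off


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    score: int
    reasons: list
    cmd: str


def parse_event(line):
    """Split one constructed log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse_event(ev):
    """Return a Finding when the event looks like archive staging for exfiltration."""
    tokens = ev["cmd"].split()
    if len(tokens) < 2:
        return None
    image_name = ev["image"].rsplit("\\", 1)[-1].lower()
    command = tokens[1].lower()
    switches = [t for t in tokens[2:] if t.startswith("-")]
    positional = [t for t in tokens[2:] if not t.startswith("-")]
    archive = positional[0].lower() if positional else ""

    # Known archiver binary, or an unknown binary using RAR's command/switch grammar.
    looks_like_rar = image_name in ARCHIVER_NAMES or (
        command in CREATE_COMMANDS
        and any(s.lower().startswith(RAR_STYLE_SWITCHES) for s in switches)
    )
    if not looks_like_rar or command not in CREATE_COMMANDS:
        return None  # extraction, listing, or unrelated process

    score, reasons = 0, []
    for s in switches:
        sl = s.lower()
        if sl.startswith("-hp"):
            score += 3
            reasons.append("password-protected archive with encrypted headers (-hp)")
        elif sl.startswith("-p") and sl != "-p-":
            score += 3
            reasons.append("password-protected archive (-p)")
        elif sl.startswith("-v"):
            score += 1
            reasons.append("archive split into volumes (-v)")
    if any(d in archive for d in STAGING_DIRS):
        score += 2
        reasons.append("archive written to a staging/temp location")
    if "\\winrar\\" not in ev["image"].lower():
        score += 2
        reasons.append("archiver run from a non-standard path (renamed or dropped binary)")
    if ev["user"].lower().startswith("iis apppool"):
        score += 2
        reasons.append("invoked under a web application pool identity (webshell-style execution)")

    if score < REPORT_THRESHOLD:
        return None
    return Finding(ev["ts"], ev["host"], ev["user"], score, reasons, ev["cmd"])


def scan(lines):
    """Run the heuristics over raw log lines and return the findings in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            f = analyse_event(ev)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.user} score={f.score}")
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample the routine ignores the extraction and the nightly backup, and flags the two events that resemble the article's two incidents: a workstation packaging file-share data into a header-encrypted, volume-split archive in a temp directory, and a renamed archiver creating a password-protected archive under the IIS application pool account on a web server. The weights are illustrative; the point is that password switches, staging paths and the invoking identity are all present in ordinary command-line telemetry, which is the visibility the affected organization lacked.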