'Several combinations of social engineering' used during cyberattack on camera maker Axis

Axis said ransomware was not involved but investigators did find malware.
Written by Jonathan Greig, Contributor

Camera maker Axis released more details about a cyberattack that started on the night of Saturday, February 19.

In its initial messages on its website, the Swedish camera giant said it got alerts from its cybersecurity and intrusion detection system on Sunday, February 20, before it shut down all public-facing services globally in the hopes of limiting the impact of the attack. 

But in a lengthy report about the attack, Axis says someone used "several combinations of social engineering" to sign in as a user on Saturday night "despite protective mechanisms such as multifactor authentication."

According to the report, there was no ransomware, but investigators did find malware and discovered that the company's internal directory services were compromised. Axis claimed no customer information was involved. 

"Inside, the attackers used advanced methods to elevate their access and eventually gain access to directory services. Axis threat detection systems alerted incident staff of unusual, suspicious behavior, and investigations began early Sunday morning. At approximately 9 am CET Sunday morning, IT management decided to bring in external security experts, and at approximately 12:00pm (noon), it was confirmed that hackers were active inside Axis networks. The decision was taken to disconnect all external connectivity immediately as a way of cutting the intruders off," Axis explained. 

"At 6pm, all network access had been shut off globally. The measure had the intended effect of shutting the intruders off from their access. It also resulted in a loss of external services for Axis staff, such as in- and outbound email. Partner services were also affected, with axis.com and extranets being unavailable. Investigations rapidly showed that parts of the server infrastructure had been compromised while other parts remained intact."

The company noted that its global production and supply chain remained "largely unaffected" during the attack. Its first customer-facing service returned on Sunday evening.

Most external services were restored by February 27, while others are still waiting on security clearances. Axis said it is still operating in "a restricted mode" with internet-facing services. 

As of Wednesday, March 2, device upgrades for AXIS OS/Apps are still facing a major outage, and the company's licensing system is dealing with a partial outage.

"This will continue as long as the forensic investigation is ongoing and until the cleaning and restoration are completed. This mainly affects our internal work streams and has a very limited effect on customers and partners. We expect the final parts of our customer-facing services to be completely available within a few days," Axis said. 

"Needless to say, we are humble in the face of and due to the gravity of the situation. We are also grateful that we were able to catch and stop an ongoing attack before it had much more lasting effects."

The company initially announced the outages on Twitter but did not respond to requests for comment. On its status site Friday afternoon, Axis said its Case Insight tool in the US and the Camera Station License System were dealing with partial outages. 
