Major US utility contains large-scale cyberattack in 48 hours

Facing an attack with substantial impact to over 15 million customers, the utility company called Unit 42® to evict the threat actor and secure its environment.

Results
48 hours
To contain the threat actor

0 downtime
To critical utility operations

3 days
To evict the threat actor and begin hardening business systems

The Client

A major US utility company that provides services to more than 15 million customers

The Challenge

The client received a third-party notification that an IP address associated with Muddled Libra was accessing its network. Critical operations serving millions of customers were at risk, and the threat actor was actively exfiltrating data. Unit 42 quickly stepped in to:

  • Rapidly contain the threat actor and prevent further theft of sensitive data.
  • Establish a clear picture of the attack by correlating data across disparate log sources.
  • Develop a remediation strategy to evict the threat actor and secure the network.

Unit 42’s Rigorous Incident Response Approach for Superior Outcomes

Assess

Immediately worked with the client to harden its environment and identify compromised accounts.

Investigate

Deploying Cortex XSIAM®, Unit 42 identified lateral movement and identity management risks, and discovered 650 GB of data had been exfiltrated.

Secure

The Unit 42 investigation team engaged the Unit 42 MDR team to focus on eviction and to prevent further system compromise and data exfiltration.

Recover

Remediated the cloud and Active Directory environments, rebuilt key systems with a security-first mindset, and returned to BAU (business as usual) within seven days.

Transform

Expanded Cortex XSIAM system coverage from 50% to 100%, implemented VM-Series NGFWs and SSL inspection, added Next-Gen CASB, and brought third-party logs into XSIAM for threat monitoring and analysis.

“We went from a nightmare situation to being fully supported in all aspects of the investigation, recovery, and hardening in a minimal amount of time thanks to Unit 42.”

CTO


Resolution Timeline


Days 0 - 4
Crisis Intervention

Assessed privileged account usage and cloud logs to identify the threat actor as Muddled Libra.

Identified compromised privileged accounts, lateral movement, and privilege escalation into cloud platforms.

Hardened systems, blocked known indicators of compromise (IoCs), and began 24/7 threat monitoring by Unit 42 MDR to contain the threat actor.

Days 5 - 7
Discovery

Identified 650 GB of data exfiltrated.

Identified rogue systems used as staging points for persistence.

Established steps for client to ensure long-term eviction.

Began adding additional data sources to Cortex XSIAM for monitoring and detection.

Days 8 - 14
Recovery

Ensured system integrity and continued to identify previous threat actor movement.

Upgraded key systems, added SSL inspection to Next-Gen Firewalls, and added NGFWs to the cloud network for further protection.

Expanded Cortex XSIAM to 100% of systems for uniform, enhanced visibility and protection.

Days 15 - 30
Fortification

Continued threat monitoring from Unit 42 MDR. Implemented CASB-X across the cloud environment to protect against known and unknown threats.

Provided an evaluation of the client’s cloud configuration and on-premises integration. Laid out a long-term plan for the continued security of sensitive data.

Aided the client in moving toward a zero trust strategy to enhance security controls and tighten access controls.


Threat-informed Incident Response

With Unit 42 Incident Response, stay ahead of threats and out of the news. Investigate, contain and recover from incidents faster and emerge stronger than ever before, backed by the full power of the world’s leading cybersecurity company. Contact us to gain peace of mind.

Backed by Industry’s Best

  • Threat Intel

    Extensive telemetry and intelligence for accelerated investigation and remediation.

  • Technology

    Palo Alto Networks platform for in-depth visibility to find, contain and eliminate threats faster, with limited disruption.

  • Experience

    Trusted experts who mobilize quickly and act decisively in over 1K incidents per year.