Case Study: Large Financial Services Company halts targeted breach and restores enterprise security with Mandiant Incident Response Services

A Mandiant Case Study

Preview of the Large Financial Services Company Case Study

How One Bank Is Winning The Cyber Security War With Mandiant

Large Financial Services Company, a long-established banking and financial services provider, discovered that a malicious domain administrator account had been created, leaving thousands of Windows systems potentially compromised. To investigate and contain the multi-month targeted intrusion, the bank retained Mandiant Incident Response services to assess attacker activity and determine whether criminals remained active in the environment.

Mandiant performed an enterprise-wide forensic investigation, identifying the initial compromise two months earlier, breach artifacts on 96 systems (26 servers and 70 workstations) with 30 systems running active malware, and C2 infrastructure tied to 20 IPs and 5 FQDNs. Investigators also recovered advanced malware families (WHITEOUT, SLIMDOWN, NESTEGG) and evidence of credential capture (30 hosts with screen-grabber artifacts and over 50 profiles keylogged). Mandiant helped block the attackers’ C2 access, halt subsidiary-to-bank communications, correct ACL misconfigurations that reopened access, and deliver a staged remediation plan. These actions stopped ongoing attacker activity and fed intelligence into Mandiant’s global threat-sharing network.

