#NSBCS.088 - Your Backups Are Under Attack: Why Traditional Backup Isn't Enough Anymore

Source: NSB Cyber


Backups used to be the ultimate safety net. Create copies of your data, store them safely, and sleep soundly knowing you could recover from any disaster. But Threat Actors have evolved their tactics and they're coming for your backups too. Today's Threat Actors don't just encrypt your files and demand ransom. They systematically hunt down and destroy your backups first, leaving you with no recovery options. This isn't opportunistic — it's strategic. Ransomware groups now spend days or weeks infiltrating networks, mapping backup infrastructure, and ensuring complete data destruction before revealing their presence.

Having backups no longer guarantees recovery if they are not both properly performed and properly protected. An effective backup process will not only reduce recovery time in the event of a cyber security incident, but also preserve the critical forensic data needed for effective incident investigation and response.

Foundational Backup Strategy

  • Ensure you maintain an up-to-date asset inventory that identifies and categorises all systems by criticality.

  • Perform full backups weekly for critical systems, with daily incremental backups capturing only changed data. For high-transaction environments (databases or email servers), consider more frequent incrementals such as every 4-6 hours.

  • Use incremental backups for daily operations to minimise backup windows and storage. Reserve differential backups (all changes since the last full backup) for weekly cycles when you can afford longer backup times but want faster restores.

  • Maintain at least 14 days of recent backups on fast, local storage for quick recovery. Use a grandfather-father-son rotation: daily incrementals (son), weekly fulls (father), and monthly archives (grandfather). This provides multiple recovery points while optimising storage costs.

  • Synchronise backups to offsite locations daily for critical data, but stagger the timing. If primary backups run at night, push to offsite storage during off-peak hours to avoid network congestion. For less critical systems, syncing to offsite every 2-3 days may be acceptable.

  • Follow industry standards for retention, e.g. 30 days of daily backups, 12 months of weekly backups, and 7 years of monthly archives for regulatory compliance. Adjust based on your recovery time objectives (RTO) and recovery point objectives (RPO) — e.g. financial services may need hourly transaction logs, while static file servers need less frequent backups.
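To make the rotation and retention rules above concrete, here is an added example (not NSB Cyber's code) that computes which backups a grandfather-father-son rotation keeps and which it prunes, using the 30-day / 12-month / 7-year windows from the retention bullet. The sample backup set it runs on is constructed inline; in practice the dates would come from your backup catalogue.

```python
from datetime import date, timedelta

# Retention windows from the example policy: 30 days of daily backups,
# 12 months of weekly fulls, 7 years of monthly archives.
DAILY_WINDOW = timedelta(days=30)
WEEKLY_WINDOW = timedelta(days=365)
MONTHLY_WINDOW = timedelta(days=7 * 365)


def gfs_keep_set(backup_dates, today):
    """Return the ISO dates (YYYY-MM-DD strings) to retain under GFS rotation.

    son         = every backup inside the daily window
    father      = the newest backup of each ISO week inside the weekly window
    grandfather = the newest backup of each calendar month inside the
                  monthly window
    Anything outside every window is pruned.
    """
    today = date.fromisoformat(today)
    keep = set()
    newest_in_week = {}
    newest_in_month = {}
    for d in sorted(date.fromisoformat(s) for s in set(backup_dates)):
        age = today - d
        if age < timedelta(0):
            continue  # a future-dated backup is ignored, never trusted
        if age <= DAILY_WINDOW:
            keep.add(d)
        if age <= WEEKLY_WINDOW:
            newest_in_week[d.isocalendar()[:2]] = d  # ascending order: last wins
        if age <= MONTHLY_WINDOW:
            newest_in_month[(d.year, d.month)] = d
    keep.update(newest_in_week.values())
    keep.update(newest_in_month.values())
    return {d.isoformat() for d in keep}


def prune_plan(backup_dates, today):
    """Split backups into (keep, delete) lists; delete is what rotation removes."""
    keep = gfs_keep_set(backup_dates, today)
    delete = sorted(set(backup_dates) - keep)
    return sorted(keep), delete


def sample_daily_backups(today, days):
    """Constructed sample: one backup per day for the last `days` days."""
    t = date.fromisoformat(today)
    return [(t - timedelta(days=i)).isoformat() for i in range(days)]


if __name__ == "__main__":
    keep, delete = prune_plan(sample_daily_backups("2025-08-22", 400), "2025-08-22")
    print(f"keep {len(keep)} backups, prune {len(delete)}")
```

Run the plan in dry-run mode and review the delete list before anything is removed; an immutable or WORM tier should reject the deletions regardless of what this plan says.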

Defending Your Last Line of Defence

  • Store backups in locations where they cannot be modified or deleted, even by privileged accounts. Cloud services with write-once-read-many (WORM) capabilities or air-gapped systems that physically disconnect from networks provide this immutability.

  • Isolate backup infrastructure from production networks. If attackers compromise your main systems, they shouldn't automatically gain access to backup storage. Use separate network segments with strict access controls between them.

  • Never use domain administrator credentials for backup operations. Create specialised service accounts with minimal privileges — just enough to perform backup functions, nothing more. This limits the blast radius if credentials are compromised.

  • Schedule quarterly restoration tests using isolated environments. Many businesses discover their "successful" backups are missing, encrypted or incomplete only during an actual incident. Document restoration times and procedures.

  • Deploy dedicated monitoring for backup infrastructure, independent from your primary security stack. Alert on failed backups, unauthorised access attempts, unusual deletion patterns, or changes to backup policies. Integrate these alerts with your Security Operations Center (SOC).

  • Implement validation processes to ensure backups are not only completing successfully, but are also complete and usable. Beyond confirming that every system on the inventory is being backed up and passing file-level checks, validate that restored data is functionally correct. For databases, run consistency checks and sample queries. For applications, verify that restored systems can actually boot and function. Test user accounts, permissions, and critical business processes after restoration.
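As an added example (not NSB Cyber's code) of the dedicated monitoring and validation described above, the following checker runs over constructed backup-job records and backup-console audit events, with invented system and account names. It raises the alerts the newsletter lists: failed backups, systems with no successful backup or a backup older than their RPO, unusual deletion volumes, and changes to backup policy, with severity driven by the asset inventory's criticality rating.

```python
from datetime import datetime, timedelta

# Constructed inventory (names invented): system -> (criticality, RPO in hours).
INVENTORY = {"db-01": ("critical", 6), "mail-01": ("critical", 6), "files-01": ("standard", 24)}

# Constructed backup-job records, as a backup server might emit them.
JOB_LOG = [
    {"ts": "2025-08-21T22:00", "system": "db-01", "status": "ok"},
    {"ts": "2025-08-22T04:00", "system": "db-01", "status": "ok"},
    {"ts": "2025-08-21T23:00", "system": "mail-01", "status": "failed"},
    {"ts": "2025-08-20T23:00", "system": "files-01", "status": "ok"},
]

# Constructed audit events from the backup console.
AUDIT_LOG = [
    {"ts": "2025-08-22T03:10", "actor": "svc-backup", "action": "delete", "count": 1},
    {"ts": "2025-08-22T03:12", "actor": "jdoe", "action": "delete", "count": 37},
    {"ts": "2025-08-22T03:13", "actor": "jdoe", "action": "policy_change", "count": 1},
]


def check_backups(inventory, jobs, audit, now, delete_threshold=10):
    """Return sorted (rule, subject, severity) alerts for the SOC.

    FAILED_JOB    - a job ended with a status other than ok
    NO_BACKUP     - an inventoried system has no successful backup at all
    RPO_BREACHED  - the newest successful backup is older than the system's RPO
    MASS_DELETE   - one actor deleted >= delete_threshold backups in one event
    POLICY_CHANGE - any change to a backup or retention policy
    """
    now = datetime.fromisoformat(now)

    def sev(system):  # critical assets escalate; unknown systems are standard
        return "high" if inventory.get(system, ("standard", 0))[0] == "critical" else "medium"

    alerts, last_ok = [], {}
    for job in jobs:
        ts = datetime.fromisoformat(job["ts"])
        if job["status"] != "ok":
            alerts.append(("FAILED_JOB", job["system"], sev(job["system"])))
        elif ts > last_ok.get(job["system"], datetime.min):
            last_ok[job["system"]] = ts
    for system, (_, rpo_hours) in inventory.items():
        if system not in last_ok:
            alerts.append(("NO_BACKUP", system, sev(system)))
        elif now - last_ok[system] > timedelta(hours=rpo_hours):
            alerts.append(("RPO_BREACHED", system, sev(system)))
    for ev in audit:  # deletions and policy edits come from the console, not the jobs
        if ev["action"] == "delete" and ev["count"] >= delete_threshold:
            alerts.append(("MASS_DELETE", ev["actor"], "high"))
        elif ev["action"] == "policy_change":
            alerts.append(("POLICY_CHANGE", ev["actor"], "high"))
    return sorted(alerts)
```

The job-status and RPO checks prove a backup ran, not that it restores; pair them with the quarterly restore tests so the "ok" status is itself validated.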

Modern cyber threats require modern backup strategies. It's not enough to have copies of your data — you need copies that can survive a determined adversary. Review your backup security today, because when attackers come for your data, they're already planning to come for your backups too.

Ready to be supported by an experienced cybersecurity team? Let’s start the conversation - book a meeting with us today.


What we read this week

  • U.S. Charges Operator of RapperBot Botnet for Global DDoS Attacks - The U.S. Department of Justice has charged a 22-year-old from Oregon with operating the RapperBot botnet, also known as CowBot or Eleven Eleven Botnet, which has targeted IoT devices such as DVRs and Wi-Fi routers to launch DDoS attacks across more than 80 countries since 2021. Authorities seized the botnet's infrastructure on 6 August 2025 following a search of the individual's residence. If convicted, the operator faces up to 10 years in prison. This incident underscores the persistent threat of IoT-based botnets, and organisations are advised to secure devices with strong passwords, disable unused ports, and monitor network traffic to prevent similar disruptions.

  • North Korean Hackers Target South Korean Diplomatic Missions with Spear-Phishing - Researchers have uncovered a campaign by North Korea's Jasper Sleet group targeting South Korean embassies from March to July 2025, utilising 19 spear-phishing emails impersonating trusted contacts to deliver the Xeno RAT via Dropbox and Daum Cloud, with GitHub serving as command-and-control. The RAT gives the attackers control of the system and enables data theft. The campaign was detailed on 20 August 2025; diplomatic organisations should enhance email filtering, verify senders, and monitor cloud services for anomalies to defend against such state-sponsored espionage.

  • New GodRAT Trojan Targets Financial Institutions via Skype - A campaign deploying GodRAT, a Gh0st RAT-based remote access trojan, has been targeting financial firms in Hong Kong, UAE, Lebanon, Malaysia, and Jordan since September 2024. Spread through malicious .SCR files disguised as financial documents on Skype, it employs steganography to hide shellcode, facilitating data theft and secondary payloads like AsyncRAT. The campaign was reported on 20 August 2025; firms should block suspicious file types, enforce endpoint security, and train staff on social engineering risks to prevent infections.

  • Inotiv Suffers Ransomware-Style Cyberattack Disrupting Operations - American contract research organisation Inotiv experienced a cybersecurity incident where a threat actor gained unauthorised access and encrypted certain systems, indicative of a ransomware-style breach. Disclosed on 20 August 2025, the Qilin ransomware gang claimed responsibility, alleging theft of 176 GB of data and posting samples on their leak site. The attack caused disruptions to networks and operations, with the company engaging external experts and activating business continuity plans. Organisations in the pharmaceutical sector should prioritise immutable backups, multi-factor authentication, and continuous threat monitoring to mitigate similar incidents.

  • iiNet Customers' Data Exposed in Cyber Attack on Australian Provider - Hundreds of thousands of customers of Australia's second-largest internet provider, iiNet, had their data compromised in a cyber attack on its order management system. Parent company TPG reported that approximately 280,000 active email addresses, 20,000 landline phone numbers, and smaller amounts of user names, street addresses, and modem passwords were accessed. The breach was discovered on 19 August 2025; containment measures were implemented swiftly, customer notifications are underway, and no misuse has been confirmed yet. Businesses should deploy real-time intrusion detection, segment critical systems, and conduct regular audits to avoid similar breaches.
