The duped hackers showed some skill, but also made some amateur errors.
Industrial attacks are on the rise as threat actors are no longer merely interested in raiding your bank account; some have set their sights far higher.
Cyberattackers targeting industrial control systems (ICS) have demonstrated their potential to disrupt core systems in recent years.
From the takedown of the power grid in Ukraine which left residents of Kiev without electricity for an hour to the successful compromise of a dam in New York three years ago, the targeting of country services can have serious, detrimental effects.
Attacks against industrial systems, including power grids, utilities, and emergency response platforms may lead to energy and fuel shortages, the collapse of basic facilities including water supplies and more.
You would think that these core services would be the first to receive cybersecurity protections and investment. However, ICS architecture has a serious issue across the board: many installations are legacy systems and embedded units which are difficult to upgrade without clearing the slate.
In addition, components may also not be able to accept over-the-air (OTA) security updates or any patches at all due to the use of simple firmware which utilizes low-capacity memory.
These are weaknesses that have paved the way for a new breed of cyberattacker.
Attacks against industrial systems are on the rise and researchers from Cybereason want to know what they are dealing with when it comes to the ICS attacker class.
Gain Access to the Operational Technology
On Tuesday, the cybersecurity firm revealed the results of new research into attacks against industrial systems.
A team from the company established a honeypot masquerading as a power transmission substation of a major electricity provider.
In order to fully compromise an industrial system, it is necessary to gain access to the operational technology (OT) which acts as the facilities’ backbone. The OT environment is responsible for the operation of components and equipment including pumps, breakers, and monitors.
According to Cybereason, threat actors discovered the honeypot only 48 hours after it went live and immediately got to work.
The asset was immediately prepared for sale in the underbelly of the Internet, the Dark Web, where it was purchased and sold on to another unwitting criminal entity.
Cybereason says that based on how quickly the cyberattackers acted against the honeypot, they appear to be: “very familiar with ICS, the security measures that utility providers implement and know how to move from an IT environment to an OT.”
The honeypot went live on July 17 and included both IT and OT environments, a human-machine interface protected by a firewall, three Internet-facing servers, and weak passwords.
The system was not advertised in any way, and yet it took no time at all for threat actors to discover the fake ICS.
One carrot dangled to attract attention was the registration of DNS addresses resembling those of a utility provider which serves both US and UK customers.
“The attackers appear to have been specifically targeting the ICS environment from the moment they got into the environment,” commented Cybereason CISO Israel Barak.
“They demonstrated non-commodity skills, techniques and a pre-built playbook for pivoting from an IT environment towards an OT environment.”
Enough Noise to Alert
The threat actors added tools to the honeypot, including backdoors, and conducted reconnaissance to find an entry point from the IT environment to the OT area. The group ignored everything other than that goal.
However, the hackers also made a number of amateur mistakes which brought them down a peg or two in the threat actor echelons.
According to Ross Rustici, Cybereason’s Senior Director of Intelligence, the cyberattackers disabled security tools on one of the honeypot’s servers, a move that would generate enough noise to alert most enterprise security teams.
Once sold on, the honeypot’s new ‘owners’ then connected to it by way of one of the backdoors on July 27.
Their first move was to disable the Cybereason security software. They succeeded against both a basic installation and a hardened version, but not against the copy that had been remotely deployed at enterprise-recommended settings.
The hackers then moved on to Active Directory to conduct network discovery and to seek out technical data files. These files, planted by the security researchers, were exfiltrated.
Instead of exploring all of the elements of the honeypot, the attackers homed in on the ICS endpoints and attempted to perform remote code execution to compromise the system. The firewall barred them from doing so, but the hackers in question were able to circumvent this line of defence.
The threat actors performed a multipoint scan on the network and leaped from the remote server to the domain controller and other systems to find an entry point.
As the system was nothing more than a ruse, no damage was done. However, the experiment does give us an insight into how determined some hackers can be when it comes to disrupting ICS systems.
Barak suggests that a unified security operations centre (SOC) which can monitor both IT and ICS environments in the industrial sector may help the enterprise reduce the risk of compromise.
“Companies may have a network operations centre (NOC) monitoring the OT environment, but a combined SOC lets you see all operations as they move through the network,” Barak added.
“Having this visibility is important because attackers could start in the IT environment and move to the OT environment.”
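The two defensive points the article makes, that disabling security tools on a server generates noise a security team can act on, and that a combined SOC can see an attacker move from the IT side into the OT side, can be turned into a simple correlation rule. The following is an added example written for this page, not code from Cybereason or from the original article: it runs over a handful of constructed events (the hostnames, IP ranges, ports and event shapes are all assumptions made for the demonstration) and raises an alert when a host stops its endpoint agent and then fans out to many internal systems within a short window, escalating the severity when any of those targets sit in the OT segment.

```python
"""Added example: IT-to-OT pivot correlation of the kind a unified SOC
would run. Not Cybereason's code; all data below is constructed."""

from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

OT_NETWORK = ip_network("10.10.0.0/16")   # assumed OT segment (e.g. HMI, PLCs)
SCAN_WINDOW = timedelta(minutes=30)       # how long after tampering we look
SCAN_THRESHOLD = 5                        # distinct internal targets to count as fan-out

# Constructed sample telemetry: (timestamp, source host, event type, detail).
# "agent_tamper" stands in for the endpoint-security-stopped signal the
# article describes; "net_conn" detail is "dest_ip:dest_port".
SAMPLE_EVENTS = [
    ("2018-07-27T10:00:00", "srv-01", "agent_tamper", "EDR service stopped"),
    ("2018-07-27T10:01:05", "srv-01", "net_conn", "10.0.0.10:389"),   # domain controller
    ("2018-07-27T10:01:07", "srv-01", "net_conn", "10.0.0.11:445"),
    ("2018-07-27T10:01:09", "srv-01", "net_conn", "10.0.0.12:445"),
    ("2018-07-27T10:01:11", "srv-01", "net_conn", "10.0.0.13:3389"),
    ("2018-07-27T10:01:13", "srv-01", "net_conn", "10.10.1.20:502"),  # OT: Modbus
    ("2018-07-27T10:01:15", "srv-01", "net_conn", "10.10.1.21:502"),  # OT: Modbus
    ("2018-07-27T11:30:00", "ws-07", "net_conn", "10.0.0.10:389"),    # benign workstation
    ("2018-07-27T12:00:00", "ws-07", "net_conn", "10.0.0.11:445"),    # benign workstation
]


def parse(event):
    """Turn one raw tuple into typed fields."""
    ts, host, kind, detail = event
    return datetime.fromisoformat(ts), host, kind, detail


def correlate(events, window=SCAN_WINDOW, threshold=SCAN_THRESHOLD):
    """Return one alert per (host, tamper event) where the host contacted at
    least `threshold` distinct internal targets within `window` afterwards.
    Alerts list any targets inside the OT segment and escalate severity."""
    tamper_times = defaultdict(list)   # host -> [tamper timestamps]
    connections = defaultdict(list)    # host -> [(ts, dest_ip, dest_port)]

    for ts, host, kind, detail in map(parse, events):
        if kind == "agent_tamper":
            tamper_times[host].append(ts)
        elif kind == "net_conn":
            ip_str, _, port = detail.rpartition(":")
            connections[host].append((ts, ip_address(ip_str), int(port)))

    alerts = []
    for host, tampers in tamper_times.items():
        for t0 in tampers:
            # Distinct destinations seen from this host after the tamper event.
            targets = {ip for ts, ip, _ in connections[host]
                       if t0 <= ts <= t0 + window}
            if len(targets) < threshold:
                continue
            ot_targets = sorted(str(ip) for ip in targets if ip in OT_NETWORK)
            alerts.append({
                "host": host,
                "tamper_at": t0.isoformat(),
                "internal_targets": len(targets),
                "ot_targets": ot_targets,
                # Tampering plus fan-out is already bad; touching OT is worse.
                "severity": "critical" if ot_targets else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately keys on the tamper event first: a single host scanning the network is a common false positive (vulnerability scanners, monitoring probes), but a host that has just stopped its own security agent and then starts reaching into the OT subnet on port 502 is the sequence the article describes, and the OT targets are what the NOC alone would not connect back to the IT-side tampering.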