6 cyberattacks on ICS networks

Is the OT network backfired or is it an increasingly trendy target for attacks? 

Since the days of the large encyclopedia of computer viruses in cult MS-DOS-era antivirus programs, the evolution of threats has clearly changed direction. In the past several years, various viruses and trojans have given way primarily to phishing and ransomware, and instead of the average Internet user’s computer, network devices and server components in businesses and corporations have become targets. In addition to the financial motive, cyber-attacks – some of them taking the form of APTs (Advanced Persistent Threats) – are sometimes launched by “hacktivists” or groups with likely geopolitical ties, where disrupting a business or critical infrastructure is of strategic importance to the political or economic relationship between two countries. As a result, a new niche is slowly but inexorably growing in this landscape – attacks on industrial networks.

It’s increasingly difficult today to imagine OT infrastructure cut off from the Internet at every possible point – combining IT and OT, for example through remote monitoring and automation of OT maintenance activities, brings tangible benefits, including financial ones. But there’s another side to the coin.

Here’s a look at some of the best-known, and at the same time the only publicly documented, examples of malware targeting OT networks. Knowledge about these attacks can help analyze the risk in one’s own infrastructure. It is also worth remembering that malware targeting critical infrastructure is not the only possible cause of industrial failures or downtime (there are also examples of classic attacks where the victims were or were supposed to be industrial companies or critical infrastructures; see WannaCry/NotPetya, LockerGoga, ransomware at Colonial Pipeline, remote access by a former Post Rock Water District employee).

Year of detection: 2010
Creator: Equation Group (likely: US/NSA/TAO, Israel/IDF/Unit 8200)
Motive: geopolitics
Type of attack: worm, APT
Entry point and direction of attack: Infected media, MS Windows, Siemens WinCC/PCS 7/STEP7 (SCADA), Siemens PLC (e.g. Simatic S7-300) with specific VFDs (Vacon or Fararo Paya) operating in a specific frequency range (807 – 1210 Hz)
Type of activity: industrial espionage, disruption of frequency converters in uranium enrichment centrifuges resulting in destruction of aluminum centrifuge tubes
Features: malicious software specifically targeting the uranium enrichment site at Natanz, Iran; highly complex code and sophisticated PLC attack criteria requiring an enormous amount of specialised knowledge and manpower, which, according to experts, is only possible with government involvement
Known victims: Atomic Energy Organization of Iran
Impact of the attack: up to 1,000 centrifuges (10%) destroyed on Iranian territory, retaliatory cyberattacks on US banks

Year of detection: 2007 
Creator: Sandworm (Russia) 
Motive: unspecified 
Type of attack: Botnet, DDoS 
Entry point and attack direction: Phishing/spear-phishing, malicious Word/PowerPoint attachments 
Action type: DDoS, keylogging, password capture, screenshots, “remote desktop”, network scanning, destruction of infected system, among others 
Features: several versions of BlackEnergy with new features added over several years of development, rich toolkit 
Known victims: energy infrastructure in Ukraine (Prykarpattyaoblenergo, Chernivtsioblenergo, Kyivoblenergo) 
Impact of the attack: the attack included shutting down power substations via SCADA, disabling or destroying IP infrastructure components (e.g. modems and UPS systems), distributing other malware to destroy data on servers and workstations, DDoS on call-centers; the main impact was the shutdown of dozens of substations (110 kV and 35 kV), blocking the supply of 73 MWh of electricity; more than 200,000 residents were cut off from power for several hours 

Year of detection: 2013 
Creator: Energetic Bear (Russia)
Motive: industrial espionage
Type of attack: trojan, APT
Entry point and attack direction: Phishing/spear-phishing, malicious Word/PowerPoint attachments, redirection from frequently visited sites to their malware counterparts or – in case of vulnerable manufacturer sites – replacement of official software with malware-containing ones, weak security at IT/OT interface, OPC protocol
Type of operation: remote control, network scanning for OT devices (e.g. Siemens and Rockwell Automation), logging data capture, screenshots, file transfer 
Features: almost a hundred variants of malware 
Known victims: MESA Imaging, eWON/Talk2M, MB Connect Line as examples of vendors whose websites were used to distribute Havex malware; more than 2,000 sites across the U.S. and Europe became targets of espionage campaigns in multiple sectors (initially in defense and aerospace, then in energy, pharmaceuticals and oil and gas industries, etc.)
Impact of the attack: difficult to determine 

Year of detection: 2016 
Creator: Electrum/Sandworm (Russia) 
Motive: unknown 
Type of attack: backdoor, wiperware 
Entry point and direction of attack: exploitation of vulnerabilities in Siemens SIPROTEC/SIPROTEC 4 equipment, shutting down substations, deleting configuration files on workstations controlling the infrastructure and destroying the operating system 
Type of operation: disruption of ICS systems in substations; mapping of infrastructure based on a number of protocols (OPC, IEC 61850, IEC 101, IEC 104), execution of commands on reachable control devices, deletion of all system registry keys on infected computers and overwriting of files to damage the infected system and make it unbootable, overwriting of ICS configuration files on all local and remote drives (specifically, files related to ABB PCM600) 
Features: versatility and modularity; first known malware specifically targeting energy infrastructure, indicating high specialization of its creator in the area of ICS systems; second known malware (after Stuxnet) directly targeting industrial systems 
Known victims: Kiev, Ukraine 
Effects of the attack: 20% of the Kyiv area was cut off from the power supply for one hour (probably a test attack)

Year of detection: 2017 
Creator: CNIIHM (Russia) or Helix Kitten/APT34 (Iran) 
Motive: unknown 
Type of attack: APT 
Point of entry and direction of attack: insufficient firewall configuration, taking control of controller machine (Windows), zero-day vulnerability, disrupting industrial process safety systems (SIS) 
Type of operation: maintaining the attacker’s continuous access to Tricon 3008 (Schneider Electric) systems with a specific software version, with the possibility of reprogramming the system, e.g. putting to “sleep” safety mechanisms (which allow detection of, e.g., the release of toxic and extremely flammable hydrogen sulfide)
Features: uncompromising attack aimed at causing severe physical consequences, with the risk of loss of human life; first known attack on SIS systems
Known victims: Petro Rabigh refinery (Saudi Arabia) 
Impact of the attack: several controllers entered failure mode while the attackers attempted to reprogram them (which in turn allowed the attack to be detected – it is suspected that the intruders’ operation may have originated in 2014)

Year of detection: 2019/2020 
Creator: unknown 
Motive: financial 
Type of attack: ransomware 
Entry point and attack direction: phishing/spear-phishing to capture login credentials, or vulnerabilities in the RDP protocol (no exploitation of this method has been observed) 
Mode of operation: encryption of files on the infected machine and on attached network resources, disabling selected (kill list) processes of security systems, databases (e.g. MS SQL Server), backup systems (e.g. IBM Tivoli) and ICS systems (e.g. Proficy) 
Features: ransomware attack deliberately targeting ICS processes; “target list” including system processes and database or industrial applications indicates inspiration/evolution from MegaCortex ransomware, formerly LockerGoga; EKANS appears to be a “hardened” MegaCortex variant
Known victims: Fresenius Group, Honda, Enel Group; affected companies in energy, architecture, healthcare, transportation and manufacturing 
Effects of the attack: from negligible (ended with an attempt to introduce malware) to actually taking programmed actions resulting in, among others, suspension of production in the affected area 

In conclusion, it is worth remembering that the easiest way for malware to enter an industrial area is through the IT network or computer stations in the OT network. Risk analysis and the security measures adopted should take into account not only the protection of industrial automation systems but also IT devices, because at the organizational level, a successful attack on the IT area itself may also result in the need to halt industrial processes.
