In recent years attackers have hacked into the control system of a dam in New York, shut down Ukraine’s power grid and installed malware on the operating systems of US companies in the energy, nuclear and water sectors, demonstrating the importance of cybersecurity for critical infrastructures such as utility distribution networks.
As attacks against infrastructure providers have increased, adversaries who specifically target ICS have emerged, based on the findings of Cybereason researchers who analysed the data collected in a honeypot that masqueraded as a power transmission substation of a major electricity provider.
Judging by how quickly the attackers operated, they’re very familiar with ICS and the security measures that utility providers implement, and know how to move from an IT environment to an OT (operational technology) environment. Just two days after the honeypot went live, attackers had discovered it, prepared the asset for sale on the dark web and sold it to another criminal entity who was also interested in ICS environments.
Getting to the OT network was the primary objective
Unlike other attackers who buy and sell access to compromised networks, the adversaries who accessed the honeypot showed no interest in partaking in more generic and less targeted activity like running botnets for crypto mining, spamming and launching DDoS attacks, said Cybereason CISO Israel Barak. In this case, the attackers had one intention: getting to the OT network.
“The attackers appear to have been specifically targeting the ICS environment from the moment they got into the environment. They demonstrated non-commodity skills, techniques and a pre-built playbook for pivoting from an IT environment towards an OT environment,” Barak said.
Accessing the OT environment is the ultimate goal of these specialised attackers since these systems operate the pumps, monitors, breakers and other hardware found in utility providers. Whoever controls the OT environment determines who gets utilities such as electricity, natural gas and water.
“Despite the attackers’ sophisticated techniques, they made some amateur moves that indicate their approach needs some refinement,” said Ross Rustici, Cybereason’s Senior Director of Intelligence. He noted that the attackers disabled the security tools on one of the honeypot’s servers, a move that “made a lot of noise” and, in an enterprise, would draw the security team’s attention.
“The approach of going after ICS systems and ignoring everything else and living off the network to conduct the activity is a level of sophistication you don’t normally see in honeypots. But they made some mistakes, raising red flags that don’t allow us to put them in that upper echelon of attackers,” he said.
Setting the ICS honeypot
The honeypot environment went live on July 17. In addition to the IT and OT environments, there was a human-machine interface (HMI), protected by a firewall, connecting the two, allowing people in the IT environment to control the OT systems.
The honeypot contained bait to entice attackers, including three Internet-facing servers (SharePoint, SQL and domain controller) with remote access services like RDP and SSH and weak passwords. Nothing was done to promote the servers to attackers. There were no posts to Pastebin or black market forums about the servers. However, the servers’ DNS names were registered and the environment’s internal identifiers were names that resembled the name of a major, well-known electricity provider that serves both residential and business customers in the United States and the United Kingdom
Two days after the honeypot was launched, Cybereason researchers determined that a black market seller had discovered it based on a toolset that had been installed in the environment. The tool -- xDedic RDP Patch -- is commonly found in assets that are being sold in the xDedic black market. It allows a victim and an attacker to use the same credentials to simultaneously log-in to a machine using RDP (Remote Desktop Protocol).
Windows doesn’t allow the same user to be logged into a machine twice. If administrators used their credential to log-in to a computer and use RDP as an attacker uses the administrator’s credential to remotely access the same computer, Windows will log off the administrators. The tool gets around the Windows restriction and allows both the administrator and the attacker to be logged into the same machine at the same time without any interruptions.
The seller also installed backdoors in the honeypot servers by creating additional users, another indicator that the asset was being prepared for sale on xDedic. The backdoors would allow the asset’s new owner to access the honeypot even if the administrator passwords were changed, a scenario that would prevent the adversaries from accessing the servers.
Under new ownership
The honeypot was silent until July 27 when what Cybereason’s researchers assume were the asset’s new owners connected to it by using one of the backdoors. Based on the actions they took, they were fully prepared to navigate the ICS environment of an electricity provider. Their first move was to disable the environment’s security features, including the Cybereason platform. Cybereason was intentionally installed in a way that made removing it simple.
This was a test to gauge the attackers’ skills. Cybereason was installed again with some hardening, but still below the level that’s recommended in a deployed environment. The goal was to further assess the attackers’ capabilities. They were able to disable the hardened version of Cybereason. After that incident, the platform was installed a third time based on our recommended guidelines and the attackers haven’t been able to deactivate it.
For sale! Access to a power transmission substation. IT and OT environments included.
After disabling the security software, they used Active Directory to conduct network discovery. They looked at all accounts on active directory and looked for technical data files. These files, which had been planted on the machine, included information like the operational status of devices. These files were exfiltrated from the honeypot. They also discovered ICS assets like the HMI and controller components for the OT environment. The adversaries were only interested in ICS assets. They didn’t access any other systems.
And after discovering the ICS assets, the attackers showed no interest in the other assets. They focused on attempting remote execution on ICS endpoints. The firewall prevented them from taking that step, but the attackers knew how to circumvent these security measures.
No security strong enough
After being stymied by the firewall, the adversaries began using a multipoint network reconnaissance. This approach assumes that different assets in an environment have different firewall policies. For example, the domain name controller may have restrictive policies for interacting with the firewall but the policies for the administration console interacting with the ICS environment aren’t as strict. With multipoint network reconnaissance, the attackers move laterally to multiple assets and run parallel network scans to locate an asset with more relaxed policies around interacting with the HMI and OT computers.
The attackers moved from the remote server, to the SharePoint server, to the domain controller, to the SQL server to run network scans to determine if one of these assets would allow them to access the ICS environment. Instead of scanning the full network, attackers focused on scanning for assets that would give them access to the HMI and OT computers.
“In two days, the attackers got into the environment, conducted reconnaissance aimed at finding an entry point from the IT environment to the OT environment, which is really what they wanted,” Barak said.
What does this mean for securing the smart grid?
Barak suggests that organizations and companies with ICS environments operate a unified SOC that provides visibility into both the IT and OT environments. As the honeypot demonstrated, attackers are looking to use IT environments as gateways into OT environments.
“Companies may have a NOC monitoring the OT environment, but a combined SOC lets you see all operations as they move through the network. Having this visibility is important because attackers could start in the IT environment and move to the OT environment,” Barak said.
Threat hunting is also beneficial, he said. This activity looks for activity that indicates attackers are already in a company’s environment. Instead of waiting to react to an alert issued by a security tool, threat hunting allows defenders to take a proactive approach to security by detecting adversaries before they cause severe damage to a network.
The activity observed in the honeypot also suggests an increased risk for operators. The possibility that this is a trophy taker rather than an APT (advanced persistent threat) actor with training on these types of environments dramatically increases the risk of a mistake having real-world consequences.
Many of these systems are old and fragile and even trained hacking units make mistakes that cause failures in these controls. Hackers seeking to make a name for themselves or simply prove that they can get into a system are far more likely to cause failures out of ignorance rather than malice. This makes incident response and attribution harder, but it also is more likely to result in an unintended real-world effect.