German Steel Mill Attack: Inside Job

Wednesday, September 9, 2015 @ 01:09 PM gHale

By Richard Sale
The attack on a German steel mill last year was most likely the result of an inside job.

While no real definitive answers are available yet, ISSSource learned more details about the attack that first came to light last December and sent alarm bells ringing in the cyber security community across the globe.


In December of 2014, the German Federal Office of Information Security (BSI), a group noted for the accuracy of its reporting, released its annual findings report. In it, BSI related how a malicious actor had infiltrated a German steel facility, using a spear phishing email to invade the corporate network. The virus then moved into the plant network, causing “multiple components” of the system to fail. In other words, the mill suffered severe damage.

According to the BSI report, the exploitation of the mill took place by targeting on-site personnel in the corporate network. The phishing emails contained a document that hosted malicious code that would have taken advantage of vulnerabilities in the target’s system.

In the first stage, the target system would have opened a remote connection point allowing the virus access to the entire network.

The second stage of the attack would have established a foothold on the network through the compromise of small sets of workstations. Earlier reconnaissance of the workstations had identified their weaknesses using keyloggers, network scanning, and the compromise of systems such as Active Directory, the report said. Little is known about the stage in which the virus moved into the plant network.

Trojanized software acted as the infection vector for the Havex virus, according to sources interviewed by ISSSource. The viruses use spam email and exploit kits, while Trojanized installers were able to plant the virus on compromised vendor sites. The use of contaminated spam and exploit kits is very common. Of more interest is the third channel, which could be considered a form of “watering-hole attack” as the attackers chose to compromise an intermediary target — the ICS vendor site — in order to gain access to the actual targets.

“Social engineering is a big factor in breaches like this,” said Doug Wylie of NexDefense. Nowadays, he said, “the sophistication level of malware-makers has evolved to customize it to a particular target and even specially modify, craft and deliver it in a way that is intended to hide in plain sight and fool people who are tasked with supporting critical control systems.”

Steel Mill Similar to Stuxnet
The German steel mill attack echoed the capabilities of the U.S.-Israeli Stuxnet virus that damaged Iran’s nuclear enrichment program. That attack ended up implanted by an Israeli proxy — an Iranian, working for Israel, used a corrupt “memory stick,” according to former CIA officials.

This joint program first surfaced in 2009 and worked in concert with an earlier U.S. effort that consistently sabotaged Iran’s purchasing network abroad.

These sources said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility. “Iranian double agents helped target the most vulnerable spots in the system,” one former U.S. intelligence official said. In October 2010, Iran’s intelligence minister, Heydar Moslehi, said an unspecified number of “nuclear spies” ended up arrested in connection with the Stuxnet virus, according to published reports.

Former and senior U.S. officials believe the nuclear spies belonged to the Mujahedeen-e-Khalq (MEK), which Israel uses to carry out targeted killings of Iranian nationals, they said. “The MEK is being used as the assassination arm of Israel’s Mossad intelligence service,” said Vince Cannistraro, former head of counterterrorism at the CIA.

He said the MEK is in charge of executing “the motor attacks on Iranian targets chosen by Israel. They go to Israel for training, and Israel pays them.” These dissidents have a functioning, effective network inside Iran and they have access to officials in the nuclear program.

Another Insider Attack
In the 2012 Shamoon attack, two former senior CIA officials first alerted ISSSource that the breach was the work of a disgruntled Shiite insider (or insiders) with full access to the system. The malware weapon, the Shamoon virus, took down at least 30,000 to 35,000 of oil giant Saudi Aramco Company’s computers. The officials added that the culprit in the attack was Iran working with personnel inside the computer center, and said the Saudi regime was investigating the attack and arresting suspects including operating staff, janitors, office workers, and cargo handlers.

While Aramco officials said production did not suffer from the attack, Jim Lewis, a computer expert at the Center for Strategic and International Studies (CSIS) in Washington, said, “It is hard to believe they did not have production issues.”

In fact, production did not suffer from the attack, but the aftermath became a problem for the entire country.

“Tanker trucks were lined up for miles waiting to get refined gasoline,” said Christina Kubecka, who Aramco hired after the attack to shore up their security, during a talk at the Blackhat USA security conference in Las Vegas this past August. “Seventeen days after the attack there were gasoline shortages around Saudi Arabia. ICS and IT networks remained isolated. There were no emails, no phones, and no fax machines.”

Richard Stiennon at IT-Harvest, a firm that tracks and reports on evolving cyber threats, told ISSSource Iranian-trained hackers launched the attack “in deep wrath” because of the mistreatment of the Shiites at the facility, and in Syria and Bahrain — two countries where the Saudi government has reportedly aided Sunni factions in their struggle with the Alawite-dominated regime and the Shiite majority, respectively.

– Richard Sale

Murky Politics
The German steel mill breach might have a similar cause as the Shamoon attack. The Shamoon attack occurred in August 2012 and it took down at least 30,000 of Saudi Aramco Company’s computers. Two former CIA officials said the culprit in the attack was Iran working with personnel inside the computer center.

In the German steel mill attack, a U.S. congressional source said there was a suspicion that a “corrupt employee in the pay of a foreign government” could have been the source of the breach, adding, “so far, we have no conclusive proof of that.” The question remains under investigation.

The German government has a long history of being infiltrated by Russian actors, former U.S. intelligence officials said.

But the politics behind the attack remained murky.

The BSI report did not make clear whether the German steel mill used a blast furnace, a basic oxygen furnace or an arc furnace, and it did not describe the damage that would result from the mis-operation of the usual safeguards, although it did say damage occurred when the plant was not able to properly shut down the process.

The BSI report did not say when the attack took place, and no source gave ISSSource a precise date for the attack.

While the BSI report noted the intrusion penetrated the steel mill’s corporate network, it did not outline the methodology used nor did it release technical detail. Nor did the report list the virus used to cause the intrusion. However, the report did name a possible suspect.

Jim Lewis, a cyber expert at CSIS in Washington, D.C. told ISSSource “I have heard indirectly that the attack was attributed to the Russians.”

Havex Malware
BSI noted several German firms have been the targets of a cyber-espionage campaign known as Energetic Bear or Dragonfly, which has launched attacks in 84 countries and is attributed to the Russian Federation. The attacks, which target ICS operators particularly in the energy sector, have relied on malware known as Havex.

In June of 2014, PC World reported hackers had started to use Havex against firms that use or develop industrial applications and machines. Researchers with the cyber security firm F-Secure noted at the time that, of the European organizations that had fallen victim to Havex, two were German industrial application or machine producers, one was a French industrial machine producer and two more were major French educational institutions known for technology-related research. Another victim was a Russian construction company that specializes in structural engineering.

In a report released in January of this year, security intelligence firm CrowdStrike said the Havex RAT had launched targeted attacks against energy sector organizations as far back as August 2012.

Said a former CIA intelligence cyber expert, “In all likelihood, it was the Havex RAT that was the culprit, but we lack proof of this.”

This same source said Havex hacks ICS companies, by “poisoning their legitimate software downloads.”

Some of its earlier victims were in Belgium, Germany, and Switzerland. This source also said earlier hacks hit two companies that develop ICS “remote management software,” while a third company supplies high-precision industrial cameras.

The hackers modified legitimate software installers to drop an additional, malicious file onto the victims’ computers. This method is used in conjunction with spam and web-based exploits, he said. The virus targets ICS or SCADA controls.

OPC Attack Vector
OPC is a widely adopted open communications standard that allows data exchange and interaction between primarily Windows-based industrial control products, applications and process control hardware. During a Havex attack, the malware is known to scan the local network to which it is connected, looking for devices that speak popular industrial protocols, including OPC. For devices that respond to OPC requests, the Havex RAT is able to gather information about these and other industrial control devices within a system and then send that information back to its command-and-control (C&C) server. Such intelligence helps to paint a strong picture of how a control system is built, including product details and precisely what processes are used during its operations.
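The OPC sweep described above is visible from a network chokepoint as one internal host contacting many distinct devices on the OPC transport in a short window. The following detector is an added example written for this article, not code from BSI, F-Secure or any Havex analysis; it assumes OPC Classic rides on DCOM and therefore first touches the RPC endpoint mapper on TCP/135, and runs over constructed flow records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: OPC Classic runs over DCOM, whose first hop is the RPC
# endpoint mapper on TCP/135, so a device sweep shows up there first.
OPC_PORTS = {135}

# Constructed flow records for the example: (timestamp, src, dst, dst_port).
# 10.20.5.17 sweeps six hosts within seconds (Havex-style reconnaissance);
# 10.20.5.50 is an HMI polling its two usual OPC servers at a slow cadence.
SAMPLE_FLOWS = [
    ("2015-09-01 10:00:01", "10.20.5.17", "10.20.5.101", 135),
    ("2015-09-01 10:00:01", "10.20.5.17", "10.20.5.102", 135),
    ("2015-09-01 10:00:02", "10.20.5.17", "10.20.5.103", 135),
    ("2015-09-01 10:00:02", "10.20.5.17", "10.20.5.104", 135),
    ("2015-09-01 10:00:03", "10.20.5.17", "10.20.5.105", 135),
    ("2015-09-01 10:00:03", "10.20.5.17", "10.20.5.106", 135),
    ("2015-09-01 10:00:05", "10.20.5.17", "10.20.5.1", 443),
    ("2015-09-01 10:00:00", "10.20.5.50", "10.20.5.101", 135),
    ("2015-09-01 10:30:00", "10.20.5.50", "10.20.5.102", 135),
    ("2015-09-01 11:00:00", "10.20.5.50", "10.20.5.101", 135),
]


def parse_flow(rec):
    """Normalise one record into (datetime, src, dst, port)."""
    ts, src, dst, port = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, int(port)


def find_opc_sweeps(flows, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: sorted distinct targets} for every source that reached
    at least min_targets distinct hosts on OPC ports inside one window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in map(parse_flow, flows):
        if port in OPC_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()  # oldest first, so each event opens a forward window
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts[src] = sorted(targets)
                break
    return alerts


if __name__ == "__main__":
    for src, targets in find_opc_sweeps(SAMPLE_FLOWS).items():
        print(f"possible OPC sweep from {src}: {len(targets)} hosts {targets}")
```

The HMI never trips the rule because its contacts are spread across hours, while the sweeping host reaches six devices inside one window; tune min_targets and window to the plant’s normal OPC client population.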

Vince Cannistraro, former CIA chief of Counterterrorism, said, “This definitely is a kind of low-grade cyber war. The threat it poses is unmistakable except to the blind.”

There are two other cases in which physical damage reportedly occurred via digital means: the Trans-Siberian Pipeline explosion in 1982 and the BTC Turkey pipeline explosion in 2008, both of which were seen as precursors to Stuxnet. In both cases, however, information was scant and technical analysis unavailable, and questions were raised about the reliability of the reporting sources, according to published reports.

“Between porous technology or badly configured networks, there is always a way in,” Lewis said in an earlier interview, “more than 80 percent of corporate-network penetrations required only the most basic techniques, such as sending a bogus email with an infected attachment, and that most went undetected for months — another sign of lax security. (One more sign: They were usually discovered by an outsider rather than the victimized company.)”

Rep. Mike Rogers, former head of the House Intelligence Committee, said in congressional testimony, “There doesn’t seem to be a sense of risk among nation states and groups and individuals … that you can just do literally almost anything you want and there is no price to pay for it.

“We have got to develop, I believe, a set of norms or principles. … Absent that kind of thing, being totally on the defensive is a very losing strategy,” he said.

“The more we learn at these events, the more we need to look at them with a different lens,” Wylie said. “There is no absolute level of comfortable risk or acceptance.”

SANS ICS said in a report last year that “proper architecture such as limited access to chokepoints creates an opportunity for network security analysts to collect and monitor data traversing networks and network data internal to ICS IP network.” Such monitoring could help speed detection of the malware, the report said.

“The more we learn about these types of events, the more we find that we must look at them with a different lens,” Wylie said. “The consequences of successful malware attacks on critical control systems can be unarguably extreme. And for this reason, the level of what’s considered acceptable risk must shrink as industry, governments and citizens alike become more enlightened about active threats targeting ICS systems on which we rely.”

Richard Sale is a freelance writer based out of Durham, NC, and was United Press International’s Intelligence Correspondent for 10 years and with the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.