Honeypot Report: Build an ICS, Attackers will Come

Wednesday, August 8, 2018 @ 04:08 PM gHale

Attackers moved from the remote server to a Sharepoint server, to the domain controller to the SQL server, running network discovery to determine if one of these assets would allow them to access the ICS environment. Instead of scanning the full network, attackers focused on scanning for assets that would give them access to the HMI and OT controllers.

Industrial control system (ICS) environments that handle the generation, transmission and metering of energy have been on the radar of attackers.

Just look at some very recent assaults where attackers have hacked into the control system of a dam in New York, shut down Ukraine’s power grid twice and installed malware on the operating systems of U.S. companies in the energy, nuclear and water sectors.


The U.S. government, realizing a cyberattack on energy utilities would have major repercussions for businesses and citizens alike, this November will test the ability of the nation’s power grid to bounce back from a simultaneous cyberattack on electric, oil and natural gas infrastructure.

Along those lines a security firm created a honeypot masquerading as a power transmission substation for a major electricity provider. The purpose was to attract attackers and analyze how they operate against the energy sector of the critical infrastructure.

Within two days of going live in June, the honeypot developed and operated by Cybereason was found, prepped by a black-market reseller, and sold on in the dark web underworld. xDedic RDP Patch was found in the environment. This is a tool developed by the owners of the xDedic underground forum that allows multiple simultaneous uses of the same RDP credentials. xDedic is a forum that focuses on selling RDP credentials. The initial attacker, notes the report, “also installed backdoors in the honeypot servers by creating additional users, another indicator that the asset was being prepared for sale on xDedic.”

On June 27, eight days after the first incursion, a new criminal entity arrived. It was immediately clear, explains Cybereason in a report, this attacker had just one purpose – to pivot from the IT side of the ‘substation’ and gain access to the OT environment.

The honeypot had been designed to look like a typical substation: an IT side separated by a firewall from the OT side, comprising the industrial control systems, themselves separate from the pumps, monitors, breakers and other hardware elements of the energy provider.

It was immediately clear these attackers had high level skills.

High Skill Level
“The attackers appear to have been specifically targeting the ICS environment from the moment they got into the environment. They demonstrated non-commodity skills, techniques and a pre-built playbook for pivoting from an IT environment towards an OT environment,” said Cybereason CISO Israel Barak.

The attackers showed no interest in anything but the ICS assets. But with access to the ICS devices on the IT side of the environment, the attackers were still denied immediate access to the target OT by the firewall. Blocked by the firewall, the attackers used multipoint network reconnaissance.

“The attackers moved from the remote server, to the SharePoint server, to the domain controller, to the SQL server to run network scans to determine if one of these assets would allow them to access the ICS environment. Instead of scanning the full network, attackers focused on scanning for assets that would give them access to the HMI and OT computers,” researchers said.

Barak said organizations and companies with ICS environments should operate a unified SOC that provides visibility into the IT and OT environments. As the honeypot demonstrated, attackers are looking to use IT environments as gateways into OT environments. 

“Companies may have a NOC monitoring the OT environment, but a combined SOC lets you see all operations as they move through the network. Having this visibility is important because attackers could start in the IT environment and move to the OT environment,” Barak said. 

Threat hunting is critical, he added. This activity looks for indicators that attackers are already in a company’s environment. Instead of waiting to react to an alert issued by a security tool, threat hunting allows defenders to take a proactive approach to security by detecting adversaries before they cause severe damage to a network. 
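The behaviour described above, several IT hosts in turn being blocked by the IT/OT firewall while probing only the addresses and ports that lead to HMIs and controllers, leaves a recognisable trace in firewall deny logs, and it is the kind of indicator a threat hunt looks for before any single tool raises an alert. The following is an added example, not code or data from Cybereason or this article: it assumes a constructed deny-log format (`DENY src=... dst=... dport=...`), an assumed OT subnet of 10.20.0.0/24, a set of standard ICS/HMI ports (102 S7comm, 502 Modbus/TCP, 20000 DNP3, 44818 EtherNet/IP, 3389 RDP) and illustrative thresholds. It flags each IT source that was denied to many distinct OT hosts on those ports, and then reports when two or more such sources appear, which is the multipoint pattern (SharePoint, domain controller, SQL server) the researchers saw.

```python
"""Hunt firewall deny logs for multipoint reconnaissance toward an OT segment.

Added example for illustration; log format, addresses, host roles and
thresholds are constructed and are not Cybereason's data or tooling.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

OT_SUBNET = ip_network("10.20.0.0/24")   # assumed OT/ICS network behind the firewall
# Standard port assignments for common ICS protocols plus RDP on HMIs.
ICS_PORTS = {102, 502, 20000, 44818, 3389}
MIN_DISTINCT_TARGETS = 5   # assumed: distinct OT hosts before a source is flagged
MIN_SCANNING_HOSTS = 2     # assumed: flagged sources before calling it multipoint

# Constructed record format for the IT/OT boundary firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: a SharePoint host (10.10.0.15) and a domain controller
# (10.10.0.5) each sweep the OT segment on ICS ports; an SQL server and a
# workstation touch one OT host each; one ALLOW line and one junk line.
SAMPLE_LOG = """\
2018-06-27T10:01:02Z fw01 DENY src=10.10.0.15 dst=10.20.0.10 dport=502 proto=tcp
2018-06-27T10:01:03Z fw01 DENY src=10.10.0.15 dst=10.20.0.11 dport=502 proto=tcp
2018-06-27T10:01:04Z fw01 DENY src=10.10.0.15 dst=10.20.0.12 dport=102 proto=tcp
2018-06-27T10:01:05Z fw01 DENY src=10.10.0.15 dst=10.20.0.13 dport=102 proto=tcp
2018-06-27T10:01:06Z fw01 DENY src=10.10.0.15 dst=10.20.0.14 dport=44818 proto=tcp
2018-06-27T10:01:07Z fw01 DENY src=10.10.0.15 dst=10.20.0.15 dport=502 proto=tcp
2018-06-27T10:20:11Z fw01 DENY src=10.10.0.5 dst=10.20.0.10 dport=3389 proto=tcp
2018-06-27T10:20:12Z fw01 DENY src=10.10.0.5 dst=10.20.0.11 dport=3389 proto=tcp
2018-06-27T10:20:13Z fw01 DENY src=10.10.0.5 dst=10.20.0.12 dport=20000 proto=tcp
2018-06-27T10:20:14Z fw01 DENY src=10.10.0.5 dst=10.20.0.13 dport=20000 proto=tcp
2018-06-27T10:20:15Z fw01 DENY src=10.10.0.5 dst=10.20.0.14 dport=3389 proto=tcp
2018-06-27T10:35:40Z fw01 DENY src=10.10.0.30 dst=10.20.0.10 dport=1433 proto=tcp
2018-06-27T10:35:41Z fw01 DENY src=10.10.0.30 dst=10.20.0.11 dport=502 proto=tcp
2018-06-27T10:40:00Z fw01 ALLOW src=10.10.0.77 dst=10.20.0.12 dport=443 proto=tcp
2018-06-27T10:41:00Z fw01 DENY src=10.10.0.77 dst=10.20.0.12 dport=502 proto=tcp
this line is not a firewall record
"""


def parse_line(line):
    """Parse one deny record; return None for ALLOW lines or anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def hunt(log_text):
    """Return flagged sources, the order they started probing, and a multipoint verdict.

    Only denies whose destination is in the OT subnet and whose port is an
    ICS/HMI port count, which mirrors the focused (not full-network) scanning
    the report describes. A source is flagged at MIN_DISTINCT_TARGETS distinct
    OT hosts; MIN_SCANNING_HOSTS flagged sources indicate multipoint recon.
    """
    targets = defaultdict(set)   # src -> {(dst, dport)}
    first_seen = {}              # src -> first matching timestamp
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in OT_SUBNET or rec["dport"] not in ICS_PORTS:
            continue
        targets[rec["src"]].add((rec["dst"], rec["dport"]))
        first_seen.setdefault(rec["src"], rec["ts"])

    sources = {}
    for src, pairs in targets.items():
        hosts = {dst for dst, _ in pairs}
        if len(hosts) >= MIN_DISTINCT_TARGETS:
            sources[str(src)] = {
                "ot_hosts": len(hosts),
                "ports": sorted({p for _, p in pairs}),
                "first_seen": first_seen[src].isoformat(),
            }
    # Ordering flagged sources by first activity exposes the pivot sequence.
    pivot_order = sorted(sources, key=lambda s: sources[s]["first_seen"])
    return {
        "sources": sources,
        "pivot_order": pivot_order,
        "multipoint": len(sources) >= MIN_SCANNING_HOSTS,
    }


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for src in result["pivot_order"]:
        print(src, result["sources"][src])
    print("multipoint reconnaissance:", result["multipoint"])
```

The SQL server in the sample is not flagged even though it did touch the OT segment: one deny on 1433 is not an ICS port and one on 502 is below the threshold, so the hunt stays focused on sweep-like behaviour rather than every blocked packet. In a real environment the same logic would be fed from the SOC's log pipeline, and the thresholds would be tuned against the site's normal IT-to-OT traffic.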

Operator Risk
The activity observed in the honeypot also suggests an increased risk for operators. The possibility that this is a trophy taker rather than an APT actor with training on these types of environments dramatically increases the risk of a mistake having real-world consequences. 

“The biggest lesson learned from the honeypot is that multiple tiers of attackers find ICS environments interesting. That’s increasing risk for people who operate those types of systems. The security basics are really what’s going to prevent a bad day from becoming a catastrophic day,” said Ross Rustici, Cybereason’s senior director of intelligence.

Many of these systems are old and fragile and even trained hacking units make mistakes that cause failures in these controls. Hackers seeking to make a name for themselves or simply prove that they can get into a system are far more likely to cause failures out of ignorance rather than malice. This makes incident response and attribution harder, but it also is more likely to result in an unintended real-world effect, he said.
