The energy sector – and the ICS (industrial control systems) that run the pumps, switches and meters responsible for powering homes and businesses – has long been on the radar of cyberattackers. Cybersecurity firm Cybereason reveals the findings of a honeypot project further exploring the cyberthreat to the sector in this report.
In recent years attackers have hacked into the control system of a dam in New York, shut down Ukraine’s power grid and installed malware on the OSes of US companies in the energy, nuclear and water sectors.
As attacks against infrastructure providers have increased, adversaries who specifically target ICS have emerged, based on the findings of Cybereason researchers who analysed the data collected in a honeypot that masqueraded as a power transmission substation of a major electricity provider.
Judging by how quickly the attackers operated, they are very familiar with ICS, the security measures that utility providers implement and know how to move from an IT environment to an OT (operational technology) environment. Just two days after the honeypot went live, attackers had discovered it, prepared the asset for sale on the Dark Web and sold it to another criminal entity who was also interested in ICS environments.
Unlike other attackers who buy and sell access to compromised networks, the adversaries who accessed the honeypot showed no interest in partaking in more generic and less targeted activity like running botnets for cryptomining, spamming and launching DDoS attacks, said Cybereason CISO Israel Barak.
In this case, the attackers had one intention – getting to the OT network.
“The attackers appear to have been specifically targeting the ICS environment from the moment they got into the environment. They demonstrated non-commodity skills, techniques and a pre-built playbook for pivoting from an IT environment towards an OT environment,” Barak said.
For sale: Access to a power transmission substation’s IT and OT environments
The honeypot environment went live on July 17. In addition to the IT and OT environments, there was an HMI (human machine interface), protected by a firewall, connecting the two, allowing people in the IT environment to control the OT systems.
The honeypot contained bait to entice attackers, including three Internet-facing servers (SharePoint, SQL and domain controller) with remote access services like RDP and SSH and weak passwords. Nothing was done to promote the servers to attackers.
There were no posts to Pastebin or black-market forums about the servers. However, the servers’ DNS names were registered and the environment’s internal identifiers were names that resembled the name of a major, well-known electricity provider that serves both residential and business customers in the United States and United Kingdom.
Two days after the honeypot was launched, Cybereason researchers determined that a black-market seller had discovered it based on a toolset that had been installed in the environment. The tool – xDedic RDP Patch – is commonly found in assets that are being sold in the xDedic black market.
Under new ownership
The honeypot was silent until July 27, when what Cybereason’s researchers assume were the asset’s new owners connected to it using one of the backdoors. Based on the actions they took, they were fully prepared to navigate the ICS environment of an electricity provider.
Their first move was to disable the environment’s security features, including the Cybereason platform. Cybereason was intentionally installed in a way that made removing it simple. This was a test to gauge the attackers’ skills. Cybereason was installed again with some hardening but still below the level that is recommended in a deployed environment.
The goal was to further assess the attackers’ capabilities. They were able to disable the hardened version of Cybereason. After that incident, the platform was installed a third time based on recommended guidelines and the attackers were not able to deactivate it.
After disabling the security software, they used Active Directory to conduct network discovery. They enumerated all accounts in Active Directory and searched for technical data files. These files, which had been planted on the machine, included information like the operational status of devices, and they were exfiltrated from the honeypot. The attackers also discovered ICS assets like the HMI and controller components for the OT environment. The adversaries were only interested in ICS assets; they didn’t access any other systems.
And after discovering the ICS assets, the attackers showed no interest in the other assets. They focused on attempting remote execution on ICS endpoints. The firewall prevented them from taking that step but the attackers knew how to circumvent these security measures.
Ain’t no security measure strong enough to keep me from you
After being stymied by the firewall, the adversaries began using multipoint network reconnaissance. This approach assumes that different assets in an environment are subject to different firewall policies. For example, the domain controller may be subject to restrictive firewall policies, while the policies applied to the administration console’s traffic into the ICS environment aren’t as strict. With multipoint network reconnaissance the attackers move laterally to multiple assets and run parallel network scans to locate an asset with more relaxed policies around interacting with the HMI and OT computers.
The attackers moved from the remote server to the SharePoint server, to the domain controller, to the SQL server to run network scans to determine if one of these assets would allow them to access the ICS environment. Instead of scanning the full network, attackers focused on scanning for assets that would give them access to the HMI and OT computers.
“In two days, the attackers got into the environment, conducted reconnaissance aimed at finding an entry point from the IT environment to the OT environment, which is really what they wanted,” Barak said.
What does this mean for security professionals?
Barak suggests that organisations and companies with ICS environments operate a unified SOC that provides visibility into both the IT and OT environments. As the honeypot demonstrated, attackers are looking to use IT environments as gateways into OT environments.
“Companies may have a NOC monitoring the OT environment, but a combined SOC lets you see all operations as they move through the network. Having this visibility is important because attackers could start in the IT environment and move to the OT environment,” Barak said.
Threat hunting is also beneficial, he said. It looks for signs that attackers are already in a company’s environment. Instead of waiting to react to an alert issued by a security tool, threat hunting allows defenders to take a proactive approach to security by detecting adversaries before they cause severe damage to a network.
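The multipoint reconnaissance pattern described earlier (several IT hosts each probing the OT segment on ICS protocol ports while looking for one with a permissive firewall policy) is exactly the kind of cross-environment signal a unified SOC or a threat hunt can pick up from firewall deny logs. The following is an added example, not Cybereason’s code or anything from the honeypot; the log format, the 10.20.0.0/24 OT subnet, the host addresses and the port-to-protocol table are constructed assumptions.

```python
"""Flag "multipoint network reconnaissance" against an OT segment from firewall
deny logs: several distinct IT hosts probing HMI/controller addresses on ICS
protocol ports within one time window. Added example with constructed data."""
from datetime import datetime, timedelta
import ipaddress

# Assumed layout of the constructed environment.
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")     # HMI and controller subnet
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 2404: "IEC 60870-5-104",
             20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed firewall log (not a real vendor format):
#   "<ISO timestamp> <ACTION> src=<ip> dst=<ip> dport=<port> proto=<proto>"
# Four IT hosts probe the OT subnet within 20 minutes; the rest is noise.
SAMPLE_LOG = """\
2018-07-27T09:00:01 DENY src=10.1.0.15 dst=10.20.0.10 dport=502 proto=tcp
2018-07-27T09:00:02 DENY src=10.1.0.15 dst=10.20.0.11 dport=102 proto=tcp
2018-07-27T09:03:10 ALLOW src=10.1.0.15 dst=10.1.0.5 dport=389 proto=tcp
2018-07-27T09:06:45 DENY src=10.1.0.20 dst=10.20.0.10 dport=502 proto=tcp
2018-07-27T09:07:00 DENY src=10.1.0.20 dst=10.20.0.10 dport=80 proto=tcp
2018-07-27T09:12:30 DENY src=10.1.0.5 dst=10.20.0.10 dport=20000 proto=tcp
2018-07-27T09:18:05 DENY src=10.1.0.30 dst=10.20.0.11 dport=502 proto=tcp
2018-07-27T09:40:00 DENY src=10.1.0.30 dst=10.20.0.11 dport=44818 proto=tcp
2018-07-27T13:00:00 DENY src=10.1.0.77 dst=10.20.0.10 dport=502 proto=tcp
"""


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed input."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        fields = dict(p.split("=", 1) for p in parts[2:])
        return {
            "ts": datetime.fromisoformat(parts[0]),
            "action": parts[1],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None


def ot_probes(log_text):
    """Yield denied attempts from outside the OT segment to ICS ports inside it."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "DENY":
            continue
        if (ev["dst"] in OT_SEGMENT and ev["src"] not in OT_SEGMENT
                and ev["dport"] in ICS_PORTS):
            yield ev


def find_multipoint_recon(log_text, window=timedelta(minutes=30), min_sources=3):
    """Slide a time window over the probes and alert when at least min_sources
    distinct IT hosts hit the OT segment inside one window. A single host
    sweeping many ports does not trigger; the point is the multi-source pattern.
    Returns the densest qualifying cluster, or None."""
    probes = sorted(ot_probes(log_text), key=lambda e: e["ts"])
    best_sources, best_cluster = set(), []
    for i, start in enumerate(probes):
        cluster = [e for e in probes[i:] if e["ts"] - start["ts"] <= window]
        sources = {e["src"] for e in cluster}
        if len(sources) >= min_sources and len(sources) > len(best_sources):
            best_sources, best_cluster = sources, cluster
    if not best_cluster:
        return None
    return {
        "sources": [str(ip) for ip in sorted(best_sources)],
        "targets": [str(ip) for ip in sorted({e["dst"] for e in best_cluster})],
        "protocols": sorted({ICS_PORTS[e["dport"]] for e in best_cluster}),
        "first_seen": best_cluster[0]["ts"].isoformat(),
        "last_seen": best_cluster[-1]["ts"].isoformat(),
        "probe_count": len(best_cluster),
    }


if __name__ == "__main__":
    alert = find_multipoint_recon(SAMPLE_LOG)
    print("no multipoint reconnaissance detected" if alert is None else alert)
```

On the constructed log the detector reports four IT hosts (the remote server, SharePoint, domain controller and SQL server stand-ins) probing two OT addresses over Modbus, S7comm and DNP3 within 18 minutes, while the single isolated probe hours later and the non-ICS port 80 attempt are ignored. The window and source threshold are tuning knobs; a perimeter firewall that only logs allowed traffic would miss this entirely, which is the visibility gap the unified SOC recommendation is about.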
The activity observed in the honeypot also suggests an increased risk for operators. The possibility that this is a trophy taker rather than an APT (advanced persistent threat) actor with training on these types of environments dramatically increases the risk of a mistake having real-world consequences.
Many of these systems are old and fragile, and even trained hacking units make mistakes that cause failures in these controls. Hackers seeking to make a name for themselves or simply prove that they can get into a system are far more likely to cause failures out of ignorance rather than malice. This makes incident response and attribution harder, but it is also more likely to result in an unintended real-world effect.