This was one of the key findings of a study that analysed the data collected in a honeypot that was designed to look like a power transmission sub-station of an electricity supplier.
The rapid response to the honeypot showed that some cyber attackers are very familiar with industrial control systems and the security measures that utility providers implement, and that they know how to move from an IT environment to an OT (operational technology) environment.
Just two days after the honeypot went live, researchers said attackers had discovered it, prepared the asset for sale on the dark web and sold it to another criminal entity interested in ICS environments.
Unlike other attackers who buy and sell access to compromised networks, the researchers said the adversaries who accessed the honeypot showed no interest in more generic and less targeted activity like running botnets for cryptomining, spamming and launching distributed denial of service (DDoS) attacks.
“In this case, the attackers had one intention, which was getting to the OT network,” said Cybereason CISO, Israel Barak.
“The attackers appear to have been specifically targeting the ICS environment from the moment they got into the environment. They demonstrated non-commodity skills, techniques and a pre-built playbook for pivoting from an IT environment towards an OT environment,” he said.
Accessing the OT environment is the ultimate goal of these specialised attackers, the researchers said, because these systems operate the pumps, monitors, breakers and other hardware found in utility providers that could be used to control or disrupt services.
However, despite the attackers’ sophisticated techniques, they made some amateur moves that indicate their approach needs some refinement, according to Ross Rustici, Cybereason’s senior director of intelligence.
He noted that the attackers disabled the security tools on one of the honeypot’s servers, a move that “made a lot of noise” which in a real enterprise would draw the security team’s attention.
“The approach of going after ICS systems and ignoring everything else, as well as living off the network to conduct activity, is a level of sophistication you don’t normally see in honeypots. But they made some mistakes, raising red flags that don’t allow us to put them in that upper echelon of attackers,” he said.
In addition to the IT and OT environments, the honeypot included an HMI (human machine interface), protected by a firewall, connecting the two to allow people in the IT environment to control the OT systems.
To attract attackers, the honeypot also included three Internet-facing servers with remote access services and weak passwords, but nothing else was done to promote the servers to attackers.
However, the researchers said the servers’ DNS names were registered and the environment’s internal identifiers were names that resembled the name of a major, well-known electricity provider that serves both residential and business customers in the US and the UK.
Two days after the honeypot was launched, Cybereason researchers determined that a black market seller had discovered it based on a toolset that had been installed in the environment.
The researchers said the tool, xDedic RDP Patch, is commonly found in assets that are being sold on the xDedic black market. It allows a victim and an attacker to use the same credentials to log in to a machine simultaneously using RDP (remote desktop protocol), which would otherwise be impossible because of built-in security restrictions.
The seller also installed backdoors in the honeypot servers by creating additional users, another indicator that the asset was being prepared for sale on xDedic, the researchers said.
The backdoors were designed to allow the asset’s new owner to access the honeypot even if the administrator passwords were changed.
The honeypot was silent for a week until the asset’s new owners connected to it by using one of the backdoors. Based on the actions they took, researchers said the new owners were fully prepared to navigate the ICS environment of an electricity provider.
The action was to disable the environment’s security features, including the Cybereason platform. Cybereason was intentionally installed in a way that made removing it simple. This was a test to gauge the attackers’ skills.
After disabling the security software, they used Active Directory to conduct network discovery. They looked at all accounts in Active Directory and looked for technical data files. These files, which had been planted on the machine, included information like the operational status of devices. These files were exfiltrated from the honeypot.
The attackers also discovered ICS assets like the HMI and controller components for the OT environment. The adversaries were interested only in ICS assets and did not access any other systems.
The attackers focused on attempting remote execution on ICS endpoints, and while the firewall prevented them from taking that step, the attackers knew how to circumvent these security measures by using multipoint network reconnaissance.
This approach assumes that different assets in an environment have different firewall policies and the attackers move laterally to multiple assets and run parallel network scans to locate an asset with more relaxed policies around interacting with the HMI and OT computers.
The attackers moved from the honeypot’s remote server, to the SharePoint server, to the domain controller, to the SQL server to run network scans to determine if one of these assets would allow them to access the ICS environment. Instead of scanning the full network, attackers focused on scanning for assets that would give them access to the HMI and OT computers, the researchers said.
Cybereason was installed a second time with some hardening, but still below the level that is recommended in a deployed environment. The goal was to further assess the attackers’ capabilities. The result was that the hardened version was also disabled.
The platform was installed a third time based on recommended guidelines. To date, the attackers have not been able to deactivate it, according to Cybereason.
“In two days, the attackers got into the environment, conducted reconnaissance aimed at finding an entry point from the IT environment to the OT environment, which is really what they wanted,” said Barak.
Unified security operations centre
He suggests that organisations and companies with ICS environments operate a unified security operations centre (SOC) that provides visibility into both the IT and OT environments because the honeypot demonstrated that attackers are looking to use IT environments as gateways into OT environments.
“Companies may have a network operations centre (NOC) monitoring the OT environment, but a combined SOC lets you see all operations as they move through the network. Having this visibility is important because attackers could start in the IT environment and move to the OT environment,” said Barak.
“Threat hunting is also beneficial because this looks for activity that indicates attackers are already in a company’s environment. Instead of waiting to react to an alert issued by a security tool, threat hunting allows defenders to take a proactive approach to security by detecting adversaries before they cause severe damage to a network,” he said.
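The multipoint reconnaissance described earlier (several IT hosts each probing the HMI/OT range until one with a relaxed firewall policy is found) is exactly the pattern a unified SOC or a threat hunt can look for. The following is an added example, not code from Cybereason or the original article: a hunt over constructed firewall log lines that flags the pattern. The log format, the OT subnet and the addresses are all assumptions made up for the illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample firewall log (not honeypot data). Assumed line format:
# "<ISO timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2019-08-01T10:00:01 DENY src=10.1.1.20 dst=10.9.0.5 dport=502
2019-08-01T10:00:02 DENY src=10.1.1.20 dst=10.9.0.6 dport=502
2019-08-01T10:00:03 DENY src=10.1.1.20 dst=10.9.0.7 dport=44818
2019-08-01T10:01:10 DENY src=10.1.1.30 dst=10.9.0.5 dport=502
2019-08-01T10:01:11 DENY src=10.1.1.30 dst=10.9.0.6 dport=502
2019-08-01T10:02:05 ALLOW src=10.1.1.40 dst=10.9.0.5 dport=502
2019-08-01T10:02:06 ALLOW src=10.1.1.40 dst=10.9.0.6 dport=502
2019-08-01T10:30:00 ALLOW src=10.1.1.50 dst=10.1.1.60 dport=445
"""

OT_SUBNET = ipaddress.ip_network("10.9.0.0/24")  # assumed HMI/OT address range


def parse_line(line):
    """Parse one log line into a dict with typed timestamp and addresses."""
    ts, action, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": fields["src"], "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"])}


def find_multipoint_recon(log_text, window=timedelta(minutes=10), min_sources=2):
    """Flag OT-subnet probing by several distinct IT hosts inside one window.

    A single noisy scanner trips ordinary scan alerts; multipoint recon spreads
    a few connection attempts over many pivots, so correlate on the number of
    distinct sources touching the OT range, not on volume per source. Also
    report which source was ALLOWED through: that is the relaxed-policy host
    the attacker was searching for. Returns None when nothing matches.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    ot_events = [e for e in events if e["dst"] in OT_SUBNET]
    for i, first in enumerate(ot_events):
        cluster = [e for e in ot_events[i:] if e["ts"] - first["ts"] <= window]
        sources = {e["src"] for e in cluster}
        if len(sources) >= min_sources:
            return {"sources": sorted(sources),
                    "allowed_sources": sorted(e["src"] for e in cluster
                                              if e["action"] == "ALLOW"),
                    "ot_targets": sorted(str(e["dst"]) for e in cluster)}
    return None
```

Denied attempts matter as much as allowed ones here: in the honeypot the firewall blocked the first hosts, and it is the denies from several different IT servers against the same HMI/OT addresses that reveal the pivoting before the attacker finds a path that works.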
The activity observed in the honeypot also suggests an increased risk for operators, according to the researchers, because the possibility that this is a trophy taker rather than an advanced persistent threat (APT) actor with training on these types of environments dramatically increases the risk of a mistake having real-world consequences.
They added that many of these systems are old and fragile and even trained hacking units make mistakes that cause failures in these controls.
Hackers seeking to make a name for themselves or simply prove that they can get into a system, they said, are far more likely to cause failures out of ignorance rather than malice, which makes incident response and attribution more difficult and makes an unintended real-world impact more likely.