THREAT INTELLIGENCE: CYBERATTACKS AND THE UTILITY INDUSTRY
CYBERATTACKS AND THE UTILITY INDUSTRY
In 2010, the Bushehr Nuclear Plant in Iran came under a cyberattack involving the Stuxnet worm. Since that attack, government authorities have become increasingly concerned about the security of Industrial Control Systems (ICS)1 and the defense of their critical infrastructure. The consequences of a cyberattack against ICS could be devastating:
- potential of altering chemical levels at water plants
- disabling of power to cities
- manipulation of internal processes and disruption of controls causing long-term environmental impacts
- loss of a product or service
- closure of businesses
- loss of lives
SIGNIFICANT ICS CYBERATTACKS SINCE 2010
2010 Iran
- Stuxnet, a 500-kilobyte computer worm, infected software at 14 industrial sites. Though the full impact of the attacks is not known, the worm reportedly disrupted Iran’s ability to enrich uranium and, consequently, its nuclear advancement.2
2015 United States
- A regional power grid operator (name not released publicly) in the U.S. was infected with Cryptolocker ransomware after an employee opened a personal email on a company laptop. The facility ultimately paid $17,000 in Bitcoin to regain access to its systems.3
2015 Ukraine
- BlackEnergy, an espionage and destructive malware, caused a widespread power outage in Western Ukraine. The attack is believed to have been carried out by the Russian hacking group “Sandworm”.4,5
2016 Multiple Countries
- HawkEye malware, a commercial spyware used to steal sensitive data, was used to target more than 130 organizations in over 30 countries, including electric power generation and transmission companies.6
- CrashOverride, a destructive malware capable of controlling electricity substation switches and circuit breakers, caused a one-hour power outage in Ukraine’s capital, Kiev.7
ADVERSARIES THAT TARGET UTILITIES
- Nation-state actors may use information such as public project details, the personal interests of an employee, or the public names of company CEOs or supervisors to craft convincing spearphishing emails with malicious attachments to gain access to a network for espionage or future destructive attacks.
- Cybercriminals may craft convincing spearphishing emails with malicious attachments to distribute ransomware.
- Hacktivists may use information stolen from utility networks to sabotage or delay projects, as well as to gain more information about a company and its employees for use in future attacks (i.e., doxing).
Nation-states and cybercriminals are the adversaries most likely to target the utilities industry, due to the industry’s critical role in society and the need for its operations to remain up and running. Nation-state motivations for carrying out cyberattacks against ICS, specifically utilities, are sabotage, research and espionage. Cybercriminals are usually motivated by financial gain. Hacktivists are groups of like-minded individuals who use computers and networking technology to promote social, political, religious or environmental agendas. They may also seek to sabotage or delay controversial utility projects, as well as to gain additional information about a company and its employees for use in future attacks.
PATH OF LEAST RESISTANCE: EXPLOITING THE HUMAN
Spearphishing is the most likely attack vector for ICS network compromise. Well-crafted phishing emails exploit utility employees’ interests, curiosity, fear and sense of urgency. Cyberattackers generate custom emails that reference real business projects or personal interests, or that pretend to come from an important company persona such as an HR representative or senior executive.8
Leaked employee credentials can also be used to access ICS networks. Attackers leverage easily accessible credentials found and sold in online markets and forums. This information includes sensitive user data from breaches at sources such as LinkedIn, Dropbox, Yahoo, Tumblr and Adobe Systems. Once collected, attackers search for instances of password reuse by attempting to apply the breached credentials to accounts on the targeted network.
STUXNET 2.0: TRITON ATTACKS UTILITIES IN 2017
In late 2017, Stuxnet’s successor, the Triton malware, was used to target ICS networks. Triton is a form of malicious software first seen as Stuxnet in 2010. It was deployed against Iran at that time, and was later thought to have been used by the Russian Sandworm team against Ukraine’s power grid.
Technically, Triton is its own malware family, with main deployment modules trilog.exe and library.zip. trilog.exe leverages library.zip to communicate with Triconex controllers, which are safety instruments within a system. This communication causes mishaps in utility systems, such as shutting down a power grid or, as in the Iranian Stuxnet attacks, slowing the centrifuges that keep nuclear materials separated.9,10
HOW TRITON WORKS
Triton was first deployed through the Safety Instrumented System (SIS) engineering platform on a machine running Microsoft Windows. The initial malware was conventionally named “Triton” to hide within the legitimate Triconex Trilog application and avoid detection. The malware is deployed as a Py2EXE-compiled executable built from a Python script that uses standard Python libraries. This deployment allowed it to interact with the Triconex controllers.
The executable contained two binary files (inject.bin and imain.bin), which were deployed together as the payload. A separate instance of trilog.exe is started for each target in the controller environment. The Triton malware does not use the library’s discovery capability; instead it takes an option from the initial command line, such as the single IP address of the targeted Triconex device. To hide within the system, the script periodically checks the status of the controller it has infected. If an error is detected, a reset of the controller is attempted. If this fails, trilog.exe attempts to write a decoy program to memory.11
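As an added example (not code from the report or from any vendor tooling) of how a defender could turn the description above into a host-level detection: the script below parses constructed process-creation and file-creation records in a hypothetical pipe-delimited format and flags the deployment pattern described here (trilog.exe launched with a controller IP address on its command line, and the named payload files being written), while leaving a normal Trilog launch alone.

```python
import re
from typing import Dict, List

# Artifact names as given in the report's description of the Triton deployment.
TRITON_ARTIFACTS = {"trilog.exe", "library.zip", "inject.bin", "imain.bin"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one record in the constructed 'time|host|event|image|detail' format (hypothetical)."""
    time, host, event, image, detail = line.split("|", 4)
    return {"time": time, "host": host, "event": event,
            "image": image.strip().lower(), "detail": detail.strip()}


def assess(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the Triton pattern (empty list if it does not)."""
    reasons = []
    name = ev["image"].rsplit("\\", 1)[-1]
    if ev["event"] == "ProcessCreate" and name == "trilog.exe":
        # Per the report, one trilog.exe instance is started per target, with the
        # controller address passed on the command line; the real Trilog tool is not.
        ips = IPV4.findall(ev["detail"])
        if ips:
            reasons.append(f"trilog.exe launched with controller address {ips[0]}")
    if ev["event"] == "FileCreate":
        target = ev["detail"].rsplit("\\", 1)[-1].lower()
        if target in TRITON_ARTIFACTS:
            reasons.append(f"Triton artifact written: {target}")
    return reasons


def scan(lines) -> List[Dict[str, object]]:
    """Run assess() over every non-empty record and collect the hits."""
    findings = []
    for line in lines:
        if line.strip():
            ev = parse_event(line)
            reasons = assess(ev)
            if reasons:
                findings.append({"time": ev["time"], "host": ev["host"], "reasons": reasons})
    return findings


# Constructed sample log: a legitimate Trilog launch, then the suspicious sequence.
SAMPLE_LOG = """\
2017-08-01T02:13:05|ENG-WS01|ProcessCreate|C:\\Program Files\\Triconex\\TriStation\\trilog.exe|trilog.exe
2017-08-01T02:14:10|ENG-WS01|FileCreate|C:\\Windows\\explorer.exe|C:\\Users\\eng\\Desktop\\library.zip
2017-08-01T02:15:00|ENG-WS01|ProcessCreate|C:\\Users\\eng\\Desktop\\trilog.exe|trilog.exe 10.1.2.50
2017-08-01T02:15:01|ENG-WS01|FileCreate|C:\\Users\\eng\\Desktop\\trilog.exe|C:\\Users\\eng\\Desktop\\inject.bin
2017-08-01T03:00:00|ENG-WS01|ProcessCreate|C:\\Windows\\System32\\notepad.exe|notepad.exe readme.txt
"""
```

Running `scan(SAMPLE_LOG.splitlines())` yields three findings (library.zip written, trilog.exe started against 10.1.2.50, inject.bin written) and ignores the first, argument-less Trilog launch.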
REPORTED ATTACKS AGAINST UTILITIES ENTITIES IN 2017
According to Paolo Passeri’s cyberattack tracking website, hackmageddon.com, there were 12 disclosed attacks against utilities in 2017.12 Some of these attacks, such as ransomware campaigns, indirectly affected utility functions, while others were direct attacks against utility companies intended to impede their ability to provide essential services to the population.
Note: This is a list of reported incidents against utility providers worldwide. Information is not available on unreported incidents; companies often do not report cyber incidents or intrusions in order to protect their brand.
*Transneft self-reported the incident; independent investigators did not confirm.
As the utilities industry continues to adopt new technologies for process improvement, nation-states and cybercriminals will continue developing tools to exploit those technologies and the security practices around them. An adversary does not need a sophisticated tool to break into a network: convincing email lures with malware-laced attachments remain a reliably successful tactic against unpatched systems.
1. ICS is a collective term used to describe types of control systems, including supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS).
2. ArsTechnica. February 16, 2016. https://arstechnica.com/tech-policy/2016/02/massive-us-planned-cyberatta…
3. SysAdmin Magazine, Netwrix. April 2016. http://www.netwrix.com/download/documents/sysadmin_magazine_april_2016.pdf
4. ICS-CERT. February 25, 2016. https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01
5. SANS ICS. March 18, 2016. https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
6. Kaspersky Lab ICS CERT. December 16, 2016. https://ics-cert.kaspersky.com/alerts/2016/12/16/spear-phishing-attack-h…
7. SANS ICS. March 18, 2016. https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
8. Tripwire. October 9, 2017. https://www.tripwire.com/state-of-security/ics-security/icsscada-devices…
9. Wired. November 3, 2014. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
10. FireEye. December 14, 2017. https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-ne…
11. FireEye. December 14, 2017. https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-ne…
12. Hackmageddon. http://www.hackmageddon.com/
13. Reuters. December 25, 2017. https://www.reuters.com/article/us-russia-transneft-cryptocurrency/trans…
14. Security Affairs. December 17, 2017. http://securityaffairs.co/wordpress/66813/cyber-crime/transneft-monero-c…
15. The Guardian. December 15, 2017. https://www.theguardian.com/technology/2017/dec/15/triton-hackers-malwar…
16. Wired. December 14, 2017. https://www.wired.com/story/triton-malware-targets-industrial-safety-sys…
17. Common Vulnerabilities and Exposures. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0199
18. SecureList. October 30, 2017. https://securelist.com/gaza-cybergang-updated-2017-activity/82765/
19. NBC News. October 10, 2017. https://www.nbcnews.com/news/north-korea/experts-north-korea-targeted-u-…
20. Cyber Scoop. October 10, 2017. https://www.cyberscoop.com/north-korea-ics-hacking-dhs-ics-cert/
21. Wired. September 6, 2017. https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-po…
22. ArsTechnica. September 6, 2017. https://arstechnica.com/information-technology/2017/09/hackers-lie-in-wa…
23. Reuters. August 21, 2017. https://www.reuters.com/article/us-china-cyberattack/sinopecs-shengli-oi…
24. Motherboard. July 17, 2017. https://motherboard.vice.com/en_us/article/9kwg4a/gchq-says-hackers-have…
25. The Times UK. July 15, 2017. https://www.thetimes.co.uk/edition/news/russia-backed-hackers-try-to-hij…
26. Talos. July 7, 2017. http://blog.talosintelligence.com/2017/07/template-injection.html#more
27. New York Times. July 6, 2017. https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report….
28. Reuters. May 11, 2017. https://www.reuters.com/article/us-baltics-cyber-insight/suspected-russi…
29. Security Affairs. May 20, 2017. http://securityaffairs.co/wordpress/59277/cyber-warfare-2/baltic-energy-…
30. Data Breaches. March 14, 2017. https://www.databreaches.net/city-erases-re-installs-server-after-ransom…
31. Cincinnati.com. March 14, 2017. https://www.cincinnati.com/story/news/local/2017/03/14/city-erases-re-in…