A security firm established a sophisticated honeypot masquerading as a power transmission substation for a major electricity provider. The purpose was to attract attackers and analyze how they operate against the energy sector of the critical infrastructure.
Within two days of going live on June 17, the honeypot developed and operated by Cybereason was found, prepped by a black-market reseller, and sold on in the dark web underworld. xDedic RDP Patch was found in the environment. This is a tool developed by the owners of the xDedic underground forum that allows multiple simultaneous uses of the same RDP credentials. xDedic is a forum that focuses on selling RDP credentials. The initial attacker, notes the report, “also installed backdoors in the honeypot servers by creating additional users, another indicator that the asset was being prepared for sale on xDedic.”
On June 27, eight days after the first incursion, a new criminal entity arrived. It was immediately clear, explains Cybereason in a report published today, that this attacker had just one purpose — to pivot from the IT side of the ‘substation’ and gain access to the OT environment.
The honeypot had been designed to look like a typical substation: an IT side separated by a firewall from the OT side, comprising the industrial control systems separated from the pumps, monitors, breakers and other hardware elements of the energy provider.
It was immediately clear that these were attackers with skills beyond script kiddies. “The attackers appear to have been specifically targeting the ICS environment from the moment they got into the environment. They demonstrated non-commodity skills, techniques and a pre-built playbook for pivoting from an IT environment towards an OT environment,” said Cybereason CISO Israel Barak.
The attackers showed no interest in anything but the ICS assets. But with access to the ICS devices on the IT side of the environment, the attackers were still denied immediate access to the target OT by the firewall. Blocked by the firewall, the attackers used multipoint network reconnaissance.
“The attackers,” reports Cybereason, “moved from the remote server, to the SharePoint server, to the domain controller, to the SQL server to run network scans to determine if one of these assets would allow them to access the ICS environment. Instead of scanning the full network, attackers focused on scanning for assets that would give them access to the HMI and OT computers.”
But this was not a nation-state attack. “I would place the attackers in the upper echelon of criminal hackers, just below the expertise of state operators,” Ross Rustici, Cybereason’s senior director for intelligence services told SecurityWeek. They made mistakes and were too noisy to be the best of the best — for example, they disabled the security tools on one of the servers, which would present an immediate red flag to the security team.
Cybereason had installed its own platform in the honeypot — but intentionally in a manner that would make its removal simple. The attackers removed it. The Cybereason platform was re-installed with some hardening, but less than the level recommended by the firm. Again, the attackers were able to disable the hardened version. “After that incident,” notes the report, “the platform was installed a third time based on our recommended guidelines and the attackers haven’t been able to deactivate it.”
This gives us some insight into the attackers. They were not sufficiently competent to be stealthy, but were not afraid of being discovered. They persisted, even though they would have known that their presence had been detected. This argues against a state actor, who would firstly avoid detection, but then, if detected, most likely silently withdraw.
To be fair, Rustici wasn’t expecting a state attacker. “Nation-state attacks against the critical infrastructure of an adversary state are effectively military operations; and military operations are planned with incredible detail,” he said. “Such adversaries will be aware of all an energy provider’s substations, and while we designed the honeypot sufficient to fool cybercriminals, it would not have withstood the standard reconnaissance and reconnoitering of a military operation.”
What this tells us, however, is that the critical infrastructure is a target for standard criminals. The most obvious motivation would be extortion — taking control of the substation and holding it to ransom. Detection would not be considered important if the endgame of extortion was still possible. But the motivation could also be just for the kudos or even CV-building.
ICS environments are often complex and use a diverse set of control system vendors. Without familiarity of the OT environment and assets, it becomes more challeging for attackers to cause any significant disruption.
The danger is that criminal hackers are more clumsy than elite state actors. Current geopolitical tensions encourage nation states to explore the critical infrastructure of adversaries looking for an advantage in case of an escalation into actual warfare; but for the moment, that type of preparatory cyberwarfare is stealthy reconnaissance. State actors do not wish to be discovered.
These criminals were clumsy and not concerned with being discovered. This type of activity, warns Cybereason, “dramatically increases the risk of a mistake having real-world consequences… Hackers seeking to make a name for themselves or simply prove that they can get into a system are far more likely to cause failures out of ignorance rather than malice. This makes incident response and attribution harder, but it also is more likely to result in an unintended real-world effect.”
The long-term danger to the critical infrastructure may come from nation-sate attacks — but the immediate danger is more likely to come from less competent cyber crim
inals. Cybereason recommends that companies with ICS environments should operate a unified SOC. “Companies may have a NOC monitoring the OT environment, but a combined SOC lets you see all operations as they move through the network. Having this visibility is important because attackers could start in the IT environment and move to the OT environment,” said Barak.
Boston, MA-based threat-hunting Cybereason raised $100 million in Series D funding from SoftBank Corp in June 2017 — bringing the total raised to $189 million. It was founded by Lior Div, Yonatan Amit, Yossi Naar in 2012. All three are veterans of Israel’s elite IDF 8200 intelligence unit.