A recent report from the cybersecurity firm Cybereason gives a detailed account of how attackers work their way through an organization's network to reach its industrial control system (ICS). Advanced persistent threat groups and other cybercrime groups have already made energy, water and utility organizations a "sitting duck" for their attacks. According to the report, which is based on a honeypot that Cybereason set up, a further skilled group is also targeting ICS environments.
To understand how these attackers operate, Cybereason built a honeypot imitating an electricity substation network, complete with an operational technology (OT) environment, an IT environment and a human machine interface (HMI). To make it look real, the firm also exposed internet-facing servers and remote access services, one of them protected by a weak password. As expected, the monitoring toolset Cybereason had installed in the environment showed that attackers had found the honeypot in just two days.
According to the report, after gaining administrator access the attackers used a tool called the xDedic RDP Patch, which is sold on the dark web. The patch lets several users hold Remote Desktop sessions on the machine at once, so the attackers and the legitimate users can be logged in to the honeypot simultaneously without the victim being disconnected and alerted.
The attackers also created additional user accounts on the honeypot, a sign that access to it had been put up for sale. A few days later, connecting with one of the newly created accounts, they infected it with crypto-mining bots, phishing bots and DDoS bots. To take full control of the ICS, they then tried to disable the security system. Cybereason had deliberately made this security system simple to deactivate in order to test the attackers' skills.
Rather than scanning the whole network, the attackers scanned only for the assets that would give them access to the HMI and the OT controllers. It took them just two days to break into the environment.
The analysis of this operation stresses that companies are better protected by a single, combined security operations center (SOC) than by a separate network operations center (NOC). Israel Barak, Cybereason's CISO, said that a NOC monitors the OT's activity, whereas a SOC monitors all operations. That broader view helps track attackers, who often use the IT network as a gateway into the OT.
The OT was the attackers' main goal, since it controls the equipment that distributes power to its destinations. Attackers who get into this area can decide who receives electricity and who does not. It is the heart of the system, and it therefore demands effective security measures.
The attackers identified a potential path from the IT network to the OT network through multipoint network reconnaissance.
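The IT-to-OT pivot described above is exactly what a combined SOC, with visibility into both networks, can catch. The following is an added example, not part of the Cybereason report or the article: a small detector that reads network flow records and flags IT-subnet hosts that reach several distinct OT assets on ICS protocol ports, the footprint of a targeted scan for HMI and controller access. The subnet ranges, the flow format and the flow records themselves are constructed for the example; the port-to-protocol mapping uses the standard ports for S7comm, Modbus/TCP, EtherNet/IP and DNP3.

```python
import ipaddress
from collections import defaultdict

# Constructed network layout for a hypothetical substation (assumption, not from the report).
IT_NET = ipaddress.ip_network("10.10.0.0/16")   # business / IT side
OT_NET = ipaddress.ip_network("10.20.0.0/16")   # HMI and controller side

# Standard ICS protocol ports; a connection to one of these from the IT side is
# unusual traffic that deserves a look.
ICS_PORTS = {102: "s7comm", 502: "modbus", 44818: "enip", 20000: "dnp3"}

# Constructed flow records (not real data) in a simple "timestamp src dst dport" format.
# 10.10.5.23 is an IT host probing five OT assets; the other lines are benign noise.
SAMPLE_FLOWS = """\
2018-08-01T10:00:01 10.10.5.23 10.20.1.10 502
2018-08-01T10:00:01 10.10.5.23 10.20.1.11 502
2018-08-01T10:00:02 10.10.5.23 10.20.1.12 102
2018-08-01T10:00:02 10.10.5.23 10.20.1.13 20000
2018-08-01T10:00:03 10.10.5.23 10.20.1.14 44818
2018-08-01T10:01:00 10.20.1.50 10.20.1.10 502
2018-08-01T10:02:00 10.10.7.9 10.10.7.10 445
2018-08-01T10:03:00 10.10.5.23 10.20.1.20 3389
"""


def parse_flow(line):
    """Split one constructed flow record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def it_to_ot_recon(text, threshold=3):
    """Return {src_ip: [(dst_ip, protocol), ...]} for IT hosts that touched at least
    `threshold` distinct OT assets on ICS ports.

    OT-to-OT traffic (normal polling) and IT-to-IT traffic are ignored, as is
    IT-to-OT traffic on non-ICS ports, so the result reflects only hosts that
    walked across the IT/OT boundary looking for controllers.
    """
    hits = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport = parse_flow(line)
        if src in IT_NET and dst in OT_NET and dport in ICS_PORTS:
            hits[src].add((str(dst), ICS_PORTS[dport]))
    return {str(src): sorted(targets) for src, targets in hits.items()
            if len(targets) >= threshold}


if __name__ == "__main__":
    for src, targets in it_to_ot_recon(SAMPLE_FLOWS).items():
        print(f"IT host {src} reached {len(targets)} OT assets on ICS ports:")
        for dst, proto in targets:
            print(f"  {dst} ({proto})")
```

Run against the constructed flows, the detector reports only 10.10.5.23, which reached five OT controllers over four different ICS protocols in a few seconds; the OT-side poller and the IT-side SMB traffic are not flagged. In practice the subnet definitions come from an asset inventory and the flows from NetFlow or a span port, and the threshold is tuned so that a single legitimate engineering-workstation connection does not alert.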
Ross Rustici, Cybereason's Senior Director of Intelligence, said that this assessment and recent records of attacks show attackers find ICS environments attractive targets. That puts operators at constant risk, given that it took just two days for attackers to discover the active honeypot. Rustici stressed that a stronger security posture is what prevents an attack from going from bad to worse.
The report states that the attackers were very familiar with ICS environments and had no difficulty breaking into the system. It was also clear that they had a fair idea of how utility companies' security systems are built and of how to reach the OT through the IT network.
Attackers recently showed how dangerous they can be by shutting down the Ukraine power grid. They have also infected the systems of US companies with malware, and the water and energy sectors have lately become targets.
After holding control for a time, attackers have been selling "access to private computer networks of critical infrastructures" on the darknet. This has pushed the government to adopt measures against future attacks in order to limit their effects on the population and the country.
Similar techniques and methods were used to hack the control system of a dam in New York. Cybercrime was reported to have reached an all-time high last year, and more incidents are expected this year.