SCADA Presentation

Page 1: SCADA Presentation

SCADA ATTACK VOCAB

• SCADA - SUPERVISORY CONTROL AND DATA ACQUISITION
• PLC - PROGRAMMABLE LOGIC CONTROLLER
• RTU - REMOTE TERMINAL UNIT
• HMI - HUMAN MACHINE INTERFACE
• ICS - INDUSTRIAL CONTROL SYSTEM

Page 2: SCADA Presentation

- On December 23rd 2015, the local energy provider Prykarpattyaoblenergo was breached in a malicious attack that caused blackouts across the Ivano-Frankivsk region. In all, 3 power stations were the target of the attack, which took out an entire region.

- SCADA attacks like this one, or any ICS attack, are not meant for financial gain but for destruction. They can be seen as terrorist attacks.

- The SCADA system in use was part of the industrial control systems that controlled the power plant serving the area and region.

- The ICS was attacked using malware embedded in macros.

Question #1: Describe the environment of the SCADA system used

Page 3: SCADA Presentation

#2 WHERE WAS THE SCADA SYSTEM LOCATED? WHO WAS THE OPERATOR?

• The SCADA system was located in Ukraine.
• There is very little information about exactly where the SCADA system was located, but due to the region affected we do know it was in Ukraine.
• Generally, it is common for some of this information not to be made public. SCADA systems are extremely vulnerable to attacks for numerous reasons; the primary reason is that they were built for functionality and not security, and attacks like this one that expose vulnerabilities will expose more ICS systems to attacks.
• ICS systems are not segregated, typically have no encryption, and run software that is very outdated, as we will see in this presentation.

Page 4: SCADA Presentation

#3 WHAT WAS THE CYBER ATTACK?

• The primary objective of this attack was to target a SCADA system in order to cause a power outage.
• This attack caused 250,000+ people to lose power.
• Unlike most cyber attacks, SCADA attacks are not for financial gain but for destruction and terror.
• The attack targeted 3 power stations in the region.

Page 5: SCADA Presentation

#4 WHO WAS THE ATTACKER?

• Unfortunately, there is no information on who conducted the attack, and no group has taken responsibility for it, although the attackers are being referred to as “the Black Energy 3”.

Page 6: SCADA Presentation

#5 WHAT WERE THE VULNERABILITIES THAT WERE EXPLOITED IN THIS SCADA ENVIRONMENT?

1- VPNs into the ICS from the business network appear to have lacked two-factor authentication.

2- The firewall allowed the adversary to remote-admin out of the environment by utilizing a remote access capability native to the systems.

3- Based on media reporting, there did not appear to be any resident capability to continually monitor the ICS network and search for abnormalities and threats through active defense measures (network security monitoring). IDS and IPS systems were not being monitored.

4- From the appearance of the attached Excel sheet, it appears they were using MS Office 2007 or XP. Since this attack happened in 2015, more secure versions of the applications should have been used. We can assume, based on the old versions, that they may not have been patched correctly.

5- External to the oblenergos and prior to the attack, there was a variety of open-source information available, including a detailed list of infrastructure such as Remote Terminal Unit (RTU) vendors and versions posted online by ICS vendors.

Page 7: SCADA Presentation

6- Because SCADA was developed for functionality and not security, updating the system to a more efficient operating system could have caused compatibility issues. This is an issue that all ICSs face. It comes down to what the systems were built for. To upgrade would be a huge financial burden and would not guarantee a more secure environment.

7- We can assume proper anti-virus was not installed; this may have caught the KillDisk and BlackEnergy malware that was injected into the machine.
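Weaknesses 1 through 3 above (VPNs without a second factor, the firewall letting native remote-access services cross the ICS boundary, and nobody monitoring the network) are all things a small monitoring pass over existing logs can surface. The following is an added example, not code from the presentation or from the E-ISAC/SANS report it draws on: it scans VPN and firewall log lines and flags password-only VPN logins into the ICS and remote-administration sessions crossing the ICS boundary in either direction. The subnets, the log line format, the field names and every sample log line are constructed for this example and are not the oblenergo's real data.

```python
"""Added example (not from the presentation or the E-ISAC/SANS report):
a minimal network security monitoring pass over VPN and firewall logs
that flags two of the weaknesses listed on the slide above.

  weakness 1: VPN logins into the ICS network authenticated with a
              password only (no second factor)
  weakness 2: remote-administration sessions (SSH, RDP, VNC) crossing
              the ICS boundary in either direction, i.e. a remote access
              capability native to the systems being used between the
              business network and the ICS

Subnets, log format, field names and every log line below are
constructed for this example and are not the oblenergo's real data.
"""
import ipaddress
import re

# Assumed (constructed) network layout: which addresses are "inside" the ICS.
ICS_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Assumed (constructed) log line shapes:
#   <ts> VPN user=<name> src=<ip> assigned=<ip> auth=<password|password+otp> result=<ok|fail>
#   <ts> FW proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port> action=<allow|deny>
VPN_RE = re.compile(
    r"^(?P<ts>\S+) VPN user=(?P<user>\S+) src=(?P<src>\S+) assigned=(?P<assigned>\S+) "
    r"auth=(?P<auth>\S+) result=(?P<result>\S+)$"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) FW proto=(?P<proto>\S+) src=(?P<src>[^:\s]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[^:\s]+):(?P<dport>\d+) action=(?P<action>\S+)$"
)

# Destination ports of remote-administration services commonly native to the hosts.
REMOTE_ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}


def in_ics(ip):
    """True when the address belongs to one of the (assumed) ICS subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ICS_NETWORKS)


def check_vpn(line):
    """Weakness 1: successful VPN login into the ICS without a second factor."""
    m = VPN_RE.match(line)
    if not m or m["result"] != "ok" or not in_ics(m["assigned"]):
        return None
    if "otp" not in m["auth"]:
        return f"vpn-no-mfa user={m['user']} src={m['src']}"
    return None


def check_fw(line):
    """Weakness 2: allowed remote-admin session crossing the ICS boundary."""
    m = FW_RE.match(line)
    if not m or m["action"] != "allow":
        return None
    service = REMOTE_ADMIN_PORTS.get(int(m["dport"]))
    if service is None:
        return None
    src_in, dst_in = in_ics(m["src"]), in_ics(m["dst"])
    if src_in == dst_in:  # wholly inside or wholly outside the ICS: no boundary crossing
        return None
    direction = "out" if src_in else "in"
    return f"ics-boundary-remote-admin {service} dir={direction} src={m['src']} dst={m['dst']}"


def monitor(lines):
    """Run every check over every line; return the findings in log order."""
    findings = []
    for line in lines:
        for check in (check_vpn, check_fw):
            finding = check(line)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample log lines (not real data); timestamps are arbitrary.
SAMPLE_LOG = [
    "2015-12-23T15:02:11 VPN user=operator7 src=198.51.100.23 assigned=10.20.5.40 auth=password result=ok",
    "2015-12-23T15:03:50 VPN user=eng2 src=198.51.100.77 assigned=10.20.5.41 auth=password+otp result=ok",
    "2015-12-23T15:05:00 VPN user=guest src=203.0.113.9 assigned=10.20.5.42 auth=password result=fail",
    "2015-12-23T15:10:13 FW proto=tcp src=10.20.7.12:50233 dst=10.10.3.5:3389 action=allow",
    "2015-12-23T15:10:14 FW proto=tcp src=10.10.3.5:50234 dst=10.20.7.12:3389 action=allow",
    "2015-12-23T15:11:00 FW proto=tcp src=10.20.7.12:50240 dst=10.20.7.13:3389 action=allow",
    "2015-12-23T15:11:05 FW proto=tcp src=10.20.7.12:50241 dst=203.0.113.50:22 action=deny",
]

if __name__ == "__main__":
    for finding in monitor(SAMPLE_LOG):
        print(finding)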

Page 8: SCADA Presentation

#6 HOW WAS THE ATTACK EXECUTED: STAGE 1 PREPARATION

Step 1- Reconnaissance. Although there is no proof that this was done, there is good reason to believe that recon was done to assess the network and build a plan that would work. The plan, starting from step 1, was strategically laid out. The planning and attack started six months before the takedown.

Step 2- A weaponized MS Office document carrying BlackEnergy 3 malware. This was delivered through an email phishing campaign. Once the Office document was weaponized and sent (most likely to an engineer), the document showed a pop-up asking to enable macros. A macro is a single instruction that expands automatically into a set of instructions to perform a particular task.

Page 9: SCADA Presentation

Enabling the macros allowed the malware to exploit Office macro functionality to install BlackEnergy 3 on the victim system.

Step 3- Upon installation, the BlackEnergy 3 malware connected to command and control (C2) IP addresses to enable communication between the adversary and the malware on the infected systems. This provided the pathways to gather information and pivot between machines for 6 months, collecting all the information and credentials they needed. They needed to understand the ins and outs of the system: what to target, which asset was most important, and how to interact with the system and the document management system (DMS).

Step 4- While inside the system, find all VPN access and all system credentials. This would allow them to blend in as a system admin, remaining undetected and gaining access to all systems as if operating the HMI. Steps 3 and 4 were all part of internal discovery.

Step 5- Once all intelligence was gathered, E-ISAC and SANS believe that the attackers tested their capabilities prior to the deployment of the KillDisk malware to ensure everything was working. Some believe the successful test was pure luck, while others believe, given the elaborate planning, that it was done with extensive knowledge of the systems.

Page 10: SCADA Presentation

THE ATTACK

• In final preparation for the attack, the adversaries completed the install and modification of KillDisk, which rendered workstations inoperable.
• KillDisk would allow the adversaries to take control of workstations and in turn take away the operator's ability to have any control.
• The final step was to take control of the HMIs in the SCADA environment to open the breakers. At a minimum, 27 substations were taken offline.
• Once control was gained of the HMIs, the attackers uploaded malicious firmware to the serial-to-Ethernet gateway devices. This ensured that even if the engineers gained control back, commands could not be used to bring the substations back up. SANS characterized this as “blowing the bridges”.
• Essentially this is where they hijacked the entire infrastructure: the workstations, the network and the HMIs.
• Next came the social engineering: once they took the grid offline, thousands of calls flooded dispatch so that real customers could not call in with real outages. This caused a delay in the reaction to what was happening. This could also be considered a DDoS attack.
• Important note: BlackEnergy 3, KillDisk, and backdoor pivoting were not singularly responsible for this attack, but all played a part in gaining the right access and privileges to perform it.
• For example, KillDisk deleted event logs on some systems while on others it deleted the boot record; the actual cause of the outage was the manipulation of the ICS and the operators' loss of control.

Page 11: SCADA Presentation

THE ATTACK

Page 12: SCADA Presentation

SUMMARY OF ATTACK

• In my opinion, 6 months of reconnaissance, which first started with a phishing campaign
• This led to malicious malware embedded in the macros of the Excel document
• From there, attackers were able to pivot through the systems looking for VPN tunnels and credentials into systems
• Gaining remote access and testing the attack vectors (most likely on home-made systems)
• Using backdoors to move about the system undetected to prepare for the attack
• Taking control of the HMI interface to shut down services
• At the same time, a DDoS attack/social engineering attack

Page 13: SCADA Presentation

Page 14: SCADA Presentation

SCADA MAP

Page 15: SCADA Presentation

• http://www.forbes.com/sites/thomasbrewster/2016/01/04/ukraine-power-out-cyber-attack/#3a3f81b05e6f

• http://thehackernews.com/2016/01/Ukraine-power-system-hacked.html

• https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid

• http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf

• http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/faq-blackenergy