By Anthony Perridge, VP International, ThreatQuotient
“Without change, something sleeps inside us, and seldom awakens. The sleeper must awaken.”
This quote from Dune is a favourite of mine because it speaks to a phenomenon we see around cyberattacks, particularly those targeting critical infrastructure. In many instances, the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems that run such infrastructure have been in place for years. Hesitant to make changes for fear of causing disruption, operators seldom update these systems. But aging infrastructure and other security weaknesses are creating opportunities for hackers. For example, recent evidence suggests that Russia was behind the devastating 2017 cyberattack, NotPetya, which targeted Ukraine’s banks, government and power grid. Back in 2015, Ukraine also experienced an attack known as BlackEnergy, the first known successful cyberattack on a power grid. Now, more than ever, we need to learn our lessons from this and other critical infrastructure attacks, using current expertise and research. They can serve as a blueprint for what is yet to come.
There are three main points to take away from the BlackEnergy Power Grid Hack:
- It was the first time in history that a power grid was brought down by a cyberattack.
- It was a coordinated operation that targeted three different sites and a call centre, all of which went down at the same time.
- Approximately 225,000 people lost power, and confidence in the service was diminished.
Attack methodsWe now know that the attack was technically sophisticated and that it took six months from the first intrusion to the actual power outage. In other words, for six months the attackers stayed under the radar – plenty of time to ensure flawless execution. So, what happened during this period of time? This first stage of the attack consisted of the intrusion and lateral movement across networks. The attacker weaponized a Microsoft Office document with an attachment, in this case, a decoy document that embedded a BlackEnergy dropper. The delivery method was spearphishing. Emails were sent to individuals on the network who took the bait – they opened the attachment that enabled a macro designed to exploit a specific Microsoft vulnerability. When not patched, the vulnerability allows remote execution of embedded executables, which was in this case the dropper for the BlackEnergy malware.
At this point, Windows 64 bit requires a digital signature in order to validate the process. However, BlackEnergy changed the boot configuration to allow for temporary signatures. Making this change can alert the user with an on-screen “test mode” message. So, to remain undetected, BlackEnergy ran a patch to mask the “test mode” text so that it is not visible. The malware also masked the typical User Account Control (UAC) pop-up that automatically comes up. Next, it located an available disabled driver and replaced it with a malicious DLL driver.
We’re now into the second stage of the attack, focused on the ICS itself. With the DLL up and running, the attackers can now use a library of plug-ins for different types of capabilities from stealing passwords to destroying systems, taking screen shots, key logging, and so forth. Using stolen credentials, the hackers were able to conduct network discovery, locate the SCADA system and disable UPS systems to eliminate backup once power is out. Using the system information gathered, they developed firmware specific to the sites they planned to compromise and simulated the attack in their own test environment to make sure it worked flawlessly.
After six months, they were ready to launch the attack and executed three critical activities simultaneously. They accessed the human machine interface (HMI) remotely to flip off the breaker. They used KillDisk to remove all evidence, render the SCADA system unusable and wiped the hard drive. As a final blow, they launched a telephony-based denial of service (DoS) attack into call centres so that when those who lost power tried to call to report it, they couldn’t get through.
This attack was extremely targeted, orchestrated, multi-faceted, and tested.
Lessons Learned
What could have been done to detect and stop malicious activity sooner? It starts with indicators of compromise (IOCs). At each point during the attack you can use various tools to gather IOCs. This often includes pieces of data without context that may, when tied together and overlaid with additional information, reveal malicious behaviour. These tools can comprise sandboxes for malware, network packet capture and analyser tools, observables (key words, file name, hash files, DLLs, registry keys) and threat data feeds (open source, commercial, and industry-specific). With a threat intelligence platform you can aggregate IOCs from these disparate systems and tools as well as add context to learn more about them. For example, you can cross-correlate internal log files with external IOCs or use enrichment tools, like VirusTotal, that provide history related to a piece of malware, or give an IP address for additional context. IOCs could have helped to detect that credentials were being misused, that a VPN tunnel was being created to access the HMI, that the UPS system was being modified, and so forth.
The Ukraine BlackEnergy Power Grid hack created a power outage that lasted for a few hours, however it could have been much worse. We can be sure that similar attacks are on the horizon, but there are measures that we can take to mitigate risk. As previously mentioned, our critical infrastructure systems are largely legacy systems and all use similar network structures. They aren’t being patched for fear of disrupting operations. The specific vulnerability used within this attack, and other known attacks, can be patched. However, that is not the only vector for intrusion. Additional layers of security and policies can strengthen defences. It can also help to address human behaviour, which remains the weakest security link, through network segmentation, staff training, password policy enforcement, and other measures. A threat intelligence platform that aggregates, classifies, scores and correlates IOCs is one of the tools that can work to detect and stop an attack similar to the BlackEnergy hack that this piece has analysed. The sleeper must awaken.