Threats To Industrial Control Systems IWS 11 – Oklahoma City, Oklahoma Dan Scali Dragos, Inc. | October 2018

Source file: IWS 11 Final.pdf | Title: PowerPoint Presentation | Author: Ryan Fashing | Created: 10/3/2018 11:18:53 AM


Page 2

Topics For Today

1. How do ICS attacks work?
2. What have we learned from them?
3. What can we do about it?

Page 3

ICS attack capabilities are improving – on both offense and defense

1998 - 2009: Lack of Collection
• Campaigns: APT1
• ICS Malware: None

2010 - 2012: New Interest in ICS
• Campaigns: Sandworm
• ICS Malware: Stuxnet

2013 - 2015: Campaigns Target ICS
• Campaigns: Dragonfly
• ICS Malware: BlackEnergy 2 and Havex
• First attack to cause physical destruction on civilian infrastructure (German Steel)

2015 - 2017: Adversaries Disrupt ICS
• Campaigns: 10 Unique
• ICS Malware: CRASHOVERRIDE and TRISIS
• First and second ever electric grid attacks that disrupt power
• First malware to target human life

Page 4

German Steel Mill 2014

• Dec 18, 2014 German Government’s BSI released annual report highlighting incidents

• Identified “massive damage” in a steel facility due to a cyber attack

• 2nd publicly known case of physical damage to control systems from cyber attacks

Page 5

Ukraine 2015

• First ever cyber attack on a power grid to lead to outages

• 3 power companies across Ukraine

• SCADA Hijack scenario by a well-funded team

Page 6

Ukraine 2016 - CRASHOVERRIDE

Page 7

2017 TRISIS

• TRISIS was delivered into an industrial facility by a well-funded attack team

• Targeted a Safety Instrumented System (SIS) and failed, causing a stop in operations

• First malware to specifically target human life

Page 8

The ICS Cyber Kill Chain

Stage 1
Stage 2

Page 9

Vectors of ICS compromise, by frequency

1. Interconnectivity
2. Self Propagation
3. Trojanized Software
4. Phishing

Page 10

The Diamond Model of Intrusion Analysis

ADVERSARY
INFRASTRUCTURE
CAPABILITY/TRADECRAFT
VICTIM/TARGET

Page 11

ELECTRUM

ADVERSARY
• Operating since at least 2017

INFRASTRUCTURE
• Legitimate infrastructure
• University IPs for C2

CAPABILITY / TRADECRAFT
• CRASHOVERRIDE
• Long-term persistence
• Use Microsoft SQL database servers as the gateway that bridges business and ICS networks
• Electric grid disruption

VICTIM/TARGET
• Electric utility companies in the Ukraine

Page 12

XENOTIME

ADVERSARY
• Unique tool development since at least 2014

INFRASTRUCTURE
• European web hosting providers
• Asian shipping company

CAPABILITY / TRADECRAFT
• TRISIS
• Custom credential harvesting

VICTIM/TARGET
• Oil & Gas
• Middle East

Page 13

CHRYSENE

ADVERSARY
• Evolution of “Greenbug” activity
• Possible links to Shamoon

INFRASTRUCTURE
• Register domains mimicking legitimate IT services or companies
• Configure an adversary-controlled authoritative nameserver for the domain

CAPABILITY / TRADECRAFT
• Watering holes
• 64-bit malware
• Covert C2 via IPv6 DNS
• ISMDOOR

VICTIM/TARGET
• Oil & Gas, Manufacturing
• Europe, MENA, North America

Page 14

COVELLITE

ADVERSARY
• Emerged in September 2017
• No clear ICS-specific capability demonstrated

INFRASTRUCTURE
• Legitimate infrastructure
• University IPs for C2

CAPABILITY / TRADECRAFT
• Sophisticated implant with secure communication channels
• Similar features to malware used against South Korean targets
• Specific session key used for payload and second encrypted layer
• 41 minute and 30 second sleep

VICTIM/TARGET
• Electric utility companies in the United States
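The COVELLITE card notes an implant with a fixed 41 minute 30 second sleep. A constant sleep shows up in network telemetry as near-constant gaps between successive connections from one host to one destination, and that regularity is something a defender can measure without knowing anything else about the implant. The following Python is an added example, not code from this deck or from Dragos: the log format, host name and IP addresses are constructed, and the thresholds (`min_connections`, `max_cv`, `tolerance_s`) are assumptions to be tuned per environment.

```python
"""Flag fixed-interval outbound beaconing in constructed connection logs.

Added example (not from the slide deck or from Dragos). Groups outbound
connections by (source host, destination) and measures how tightly the
inter-connection gaps cluster; a sleep-driven implant without jitter gives a
coefficient of variation close to zero, interactive or batch traffic does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# 41 min 30 s sleep, as stated on the COVELLITE slide.
COVELLITE_SLEEP_S = 41 * 60 + 30

# Constructed sample log: ISO timestamp, source host, destination IP, dest port.
# 203.0.113.45 is contacted every ~2490 s; 198.51.100.10 is irregular traffic.
SAMPLE_LOG = """\
2018-10-01T08:00:00 eng-ws-07 203.0.113.45 443
2018-10-01T08:03:12 eng-ws-07 198.51.100.10 443
2018-10-01T08:41:30 eng-ws-07 203.0.113.45 443
2018-10-01T09:10:05 eng-ws-07 198.51.100.10 443
2018-10-01T09:23:00 eng-ws-07 203.0.113.45 443
2018-10-01T10:04:31 eng-ws-07 203.0.113.45 443
2018-10-01T10:46:00 eng-ws-07 203.0.113.45 443
2018-10-01T11:27:29 eng-ws-07 203.0.113.45 443
2018-10-01T11:55:44 eng-ws-07 198.51.100.10 443
2018-10-01T12:09:01 eng-ws-07 203.0.113.45 443
"""


def parse_log(text):
    """Parse 'timestamp src dst port' lines (constructed format) into tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def beacon_candidates(records, min_connections=5, max_cv=0.05):
    """Return {(src, dst): stats} for pairs whose connection gaps are nearly constant.

    cv is pstdev(gaps) / mean(gaps). Thresholds are assumptions for this example.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port in records:
        by_pair[(src, dst)].append(ts)

    candidates = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few observations to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            candidates[pair] = {
                "connections": len(times),
                "mean_interval_s": avg,
                "cv": cv,
            }
    return candidates


def near_known_interval(mean_interval_s, known_s=COVELLITE_SLEEP_S, tolerance_s=60):
    """True if a measured beacon period is within tolerance of a documented sleep."""
    return abs(mean_interval_s - known_s) <= tolerance_s


if __name__ == "__main__":
    for pair, stats in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        tag = ""
        if near_known_interval(stats["mean_interval_s"]):
            tag = " (matches the documented 41m30s sleep)"
        print(
            f"{pair[0]} -> {pair[1]}: {stats['connections']} connections, "
            f"every {stats['mean_interval_s']:.0f}s, cv={stats['cv']:.4f}{tag}"
        )
```

The check works because the sleep is fixed; an implant that adds jitter widens the gap distribution and needs a looser `max_cv` or a different statistic. Running it against a window of proxy or firewall logs per source host, rather than a single constructed string, is the realistic use.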

Page 15

MAGNALLIUM

ADVERSARY
• Espionage group with ICS industry focus
• Associated with APT 33

INFRASTRUCTURE
• Registers own infrastructure
• Spoofs victim organizations and generic IT themes

CAPABILITY / TRADECRAFT
• STONEDRILL wiper, variants of TURNEDUP malware

VICTIM/TARGET
• Petrochemical, Aerospace
• Saudi Arabia

Page 16

ALLANITE

ADVERSARY
• Operations began no later than May 2017
• Similar to but distinct from DYMALLOY

INFRASTRUCTURE
• Compromised ISPs
• European VPS resources

CAPABILITY / TRADECRAFT
• Phishing with engineering-focused resumes
• Compromised legitimate websites for ICS OEMs and providers

VICTIM/TARGET
• Electric utility companies in the United States

Page 17

DYMALLOY

ADVERSARY
• Observed mid- to late-2017
• Some indications of relationship to Dragonfly

INFRASTRUCTURE
• Compromised ISP service nodes
• No domains observed, IP only used for C2, infection

CAPABILITY / TRADECRAFT
• GOODOR
• DORSHEL
• KARAGANY
• Mimikatz

VICTIM/TARGET
• Energy sector, Oil & Gas, Advanced Industry
• Turkey, Europe, US

Page 18

RASPITE

ADVERSARY
• Associated with LeafMiner

INFRASTRUCTURE
• Registers domains that look like legitimate IT services
• Utilize RDP communications to controlled C2 servers for remote access

CAPABILITY / TRADECRAFT
• Service installer malware designed to beacon out to adversary infrastructure

VICTIM/TARGET
• Electric Utilities
• US, Saudi Arabia, Japan, Europe

Page 19

Conventional Wisdom: ICS Cybersecurity is Hard

FY 2015 incidents by infection vector (295 total):
• Unknown: 110
• Spear Phishing: 109
• Network Scanning / Probing: 26
• Weak Authentication: 18
• Other: 17
• Abuse of Authorized Access: 7

Slide labels: HUNDREDS / BILLIONS / ICS CYBER SECURITY SPECIALISTS

Page 20

Defense is Doable

• Industrial infrastructures are some of the most *defensible* networks on the planet

• Predictable high-confidence cyber attacks are difficult (ICS Cyber Kill Chain)

• The threats are worse than we realize but not as bad as we want to imagine

Page 21

Commodity malware remains a risk to ICS

Page 22

You cannot just patch away the problem

• Dragos’ 2017 in Review reports revealed that for ICS vulnerabilities:

• 64% of all patches didn’t eliminate the risk

• 72% provided no alternate mitigation to the patch

• Only 15% could be leveraged to gain initial access

Ref: www.dragos.com/YearInReview/2017

Page 23

Understanding your threat model

Page 24

Sliding Scale of Security: Where are you now? Where do you want to be?

Ref: https://www.sans.org/reading-room/whitepapers/analyst/sliding-scale-cyber-security-36240

Page 25

Thank you
