by Graeme Pyper, Cyber Security, Thales Australia
Sometimes, the best way to understand the threat cyber attackers can pose is by taking a closer look at previous cases, and considering the impact these had on the businesses they targeted. Here, we look at two high profile cases in the energy industry, and consider some of the lessons we can take from these incidents.
Triton: the new decisive threat to the energy sector
Triton is sophisticated malware built to manipulate the safety instrumented systems (SIS) that protect the industrial control systems (ICS) of critical infrastructure. It was discovered at the end of 2017 when it caused an unintended shutdown of a petrochemical plant in Saudi Arabia: the safety controllers tripped and took the process down.
The attackers' tooling indicates they were prepared for operations lasting several years. In the 2017 attack, the group had compromised the target's network almost a year before reaching the safety instrumented system (SIS). During this period, priority appears to have been given to operational security. The lack of "curiosity" during the operation may indicate that the attacker was still in a preparation phase and that the real targets had not yet been determined.
It is difficult to determine definitively the motivation behind this campaign. According to several observers, the main objective was to test the tools and refine the techniques. It should be noted that according to Dragos, the Triton group (also known as Xenotime) is probably one of the most dangerous groups known to date, since it attacks industrial safety systems almost exclusively, with destructive intent that could cause loss of life.
At the end of 2017, an oil and gas installation in Saudi Arabia was shut down after infection by Triton, malware capable of interfacing with the installation's safety controllers.
The malware targeted Schneider Electric's Triconex safety instrumented system. Initial access was gained by conventional means: phishing, followed by account takeover in which the telephone number registered to receive SMS verification codes was changed, yielding the administrator password.
The group then compromised a system administrator's workstation, having moved laterally across the demilitarised zone that forms the airlock between the IT network and the OT network.
Those credentials were then used to reach and compromise the SIS controllers. The controllers had been left in "Program Mode" while in operation, which allowed the attackers to reprogram them. The attackers remained on the SIS engineering station for nearly a year. From that foothold they were able to deliver a trojan that infected the memory of the SIS controllers, exploiting a zero-day vulnerability to escalate privileges.
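The intrusion path described above (IT network, DMZ, engineering station, then engineering traffic to safety controllers that were left programmable during normal operation) is exactly the kind of movement a segmentation policy can be checked against. The following is an added example, not code from the original article or from any vendor: a small policy checker run over constructed flow records. The address ranges, controller addresses, engineering workstation, maintenance window and sample flows are all assumptions made up for the example; the one external fact it relies on is that TriStation, the Triconex engineering protocol, runs over UDP port 1502.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# --- Constructed site model: assumptions for this example, not a real plant ---
IT_NET = ip_network("10.10.0.0/16")           # corporate IT network
DMZ_NET = ip_network("10.20.0.0/24")          # IT/OT demilitarised zone (jump hosts)
OT_NET = ip_network("192.168.50.0/24")        # control network
SIS_CONTROLLERS = {ip_address("192.168.50.10"), ip_address("192.168.50.11")}
ENGINEERING_WS = ip_address("192.168.50.100")  # the only host allowed to program the SIS
# TriStation, the Triconex engineering protocol, uses UDP port 1502.
ENGINEERING_PORT = 1502
# Declared maintenance windows (start, end); SIS programming is sanctioned only inside them.
MAINTENANCE_WINDOWS = [(datetime(2020, 6, 10, 8), datetime(2020, 6, 10, 18))]


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int


def in_maintenance_window(ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def classify(flow: Flow) -> Optional[str]:
    """Return a finding label if the flow violates the segmentation policy, else None."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # Engineering (programming) traffic to a safety controller.
    if dst in SIS_CONTROLLERS and flow.proto == "udp" and flow.dport == ENGINEERING_PORT:
        if src != ENGINEERING_WS:
            return "sis-engineering-traffic-from-unapproved-host"
        if not in_maintenance_window(flow.ts):
            # Even the approved workstation should not reprogram a running SIS
            # outside a declared window: controllers in Program Mode during
            # operation are what let Triton's operators reprogram them.
            return "sis-engineering-traffic-outside-maintenance-window"
        return None
    # Anything crossing straight from IT into OT has bypassed the DMZ airlock.
    if src in IT_NET and dst in OT_NET:
        return "it-to-ot-traffic-bypassing-dmz"
    return None


def find_violations(flows: List[Flow]) -> List[Tuple[int, str]]:
    """Index and label of every flow that breaks policy, in input order."""
    findings = []
    for i, flow in enumerate(flows):
        label = classify(flow)
        if label:
            findings.append((i, label))
    return findings


# Constructed flow records (timestamps and addresses invented for the example).
SAMPLE_FLOWS = [
    Flow(datetime(2020, 6, 10, 9, 0), "192.168.50.100", "192.168.50.10", "udp", 1502),  # sanctioned programming
    Flow(datetime(2020, 6, 10, 9, 5), "10.10.3.7", "10.20.0.5", "tcp", 3389),            # IT -> DMZ jump host
    Flow(datetime(2020, 6, 10, 9, 6), "10.10.3.7", "192.168.50.100", "tcp", 3389),       # IT -> OT directly
    Flow(datetime(2020, 8, 2, 2, 14), "192.168.50.100", "192.168.50.11", "udp", 1502),   # approved host, 02:14, no window
    Flow(datetime(2020, 8, 2, 2, 20), "192.168.50.77", "192.168.50.10", "udp", 1502),    # unapproved host programming SIS
    Flow(datetime(2020, 8, 2, 2, 21), "192.168.50.77", "192.168.50.10", "tcp", 502),     # Modbus read, not programming
]

if __name__ == "__main__":
    for index, label in find_violations(SAMPLE_FLOWS):
        flow = SAMPLE_FLOWS[index]
        print(f"{flow.ts:%Y-%m-%d %H:%M} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {label}")
```

Run against the constructed records, the checker reports the direct IT-to-OT session, the overnight programming session from the approved workstation and the programming attempt from an unapproved OT host; the sanctioned session, the DMZ hop and the Modbus read pass. In a real deployment the flow records would come from a span port or firewall logs and the maintenance windows from the change-management system.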
Such an attack requires deep technical knowledge and, although probably not reproducible at scale, it shows that the attacker is capable enough to attack plants and industrial systems and potentially cause physical damage.
The group has been using test environments to study the internal workings of its malware since at least 2013. The same attacker carried out further intrusions in the Middle East on undisclosed dates, focusing on oil and gas companies until the end of 2018. It should be noted that the group has also begun reconnaissance of energy systems in the United States and other countries.
The ambition is to stay as long as possible in the target's systems and keep refining this tool. The case of this group shows that security through obscurity, the belief that an ICS/SCADA system is complex and therefore secure, no longer holds. The rise of attacker groups, the spread of common protocols and the standardisation of systems have changed the situation.
DragonFly 2.0: gathering technical and operational information
DragonFly is an espionage group active since at least 2011. In 2015 it began a campaign that Symantec named "DragonFly 2.0". This campaign focused on the energy sector and had two distinct goals:
- First, gaining information about the operational aspect of the energy sector, notably by stealing documentation
- Second, getting “first-hand” experience of the way these systems work, by gaining access to these facilities
Symantec asserts that the group has gathered enough knowledge and information to carry out sabotage and destructive action should it decide to change its objectives.
The campaign started in 2015 and has targeted organisations around the world, including the United States and Turkey (two recurrent targets of the group) and Switzerland.
The group uses multiple techniques to reach its victims, but none of them is specific to industrial control systems. These attacks focus on IT systems and most often work by abusing users' naivety.
Common techniques used by the group include spear-phishing emails, which the group used with increasing intensity between 2016 and 2017, watering-hole attacks, and trojanised software.
To build its phishing documents the group used Phishery, a tool publicly available on GitHub that injects a remote template URL into a Word document; when the document is opened, Word fetches the template and the attacker's server answers with an authentication challenge, so the victim is prompted for credentials that the server then collects. These techniques allowed the group to harvest credentials of users in the sectors it considered relevant.
The group was then able to move to the next step and use those credentials to install backdoors (in this case malware named Goodor) on servers.
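The Phishery technique relies on a single relationship entry inside the .docx package: word/settings.xml carries a w:attachedTemplate element whose r:id points at a Relationship in word/_rels/settings.xml.rels with TargetMode="External" and an http(s) Target. The following is an added example, not code from the article, from Symantec or from the Phishery project: a mail-gateway style scanner that opens a .docx, resolves the attached-template relationship and reports any template fetched over HTTP(S). It also builds a minimal constructed .docx with an injected template so the scanner can be run offline; the template URL and the document contents are invented for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# OOXML namespaces and the attached-template relationship type (standard values).
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = f"{R_NS}/attachedTemplate"


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every external http(s) URL the document will fetch as its attached template.

    Local templates (file:// paths to Normal.dotm etc.) are common in legitimate
    documents and are deliberately not reported.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/settings.xml" not in names or "word/_rels/settings.xml.rels" not in names:
            return []
        settings = ET.fromstring(z.read("word/settings.xml"))
        # The r:id values that settings.xml actually references as attached templates.
        wanted = {el.get(f"{{{R_NS}}}id") for el in settings.iter(f"{{{W_NS}}}attachedTemplate")}
        if not wanted:
            return []
        rels = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        hits = []
        for rel in rels.iter(f"{{{RELS_NS}}}Relationship"):
            target = rel.get("Target", "")
            if (rel.get("Id") in wanted
                    and rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"
                    and target.lower().startswith(("http://", "https://"))):
                hits.append(target)
        return hits


def build_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal constructed .docx; with template_target set, inject an attached template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                   '<Default Extension="xml" ContentType="application/xml"/></Types>')
        z.writestr("_rels/.rels",
                   f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
                   f'Type="{R_NS}/officeDocument" Target="word/document.xml"/></Relationships>')
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Invoice attached</w:t>'
                   '</w:r></w:p></w:body></w:document>')
        template_el = '<w:attachedTemplate r:id="rId1"/>' if template_target else ""
        z.writestr("word/settings.xml",
                   f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">{template_el}</w:settings>')
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_target}" TargetMode="External"/>') if template_target else ""
        z.writestr("word/_rels/settings.xml.rels", f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: an injected document, a clean one, and one with a local template.
    samples = {
        "injected.docx": build_docx("https://template-host.invalid/t.dotx"),
        "clean.docx": build_docx(None),
        "local-template.docx": build_docx("file:///C:/Users/user/Templates/Normal.dotm"),
    }
    for name, data in samples.items():
        print(name, "->", find_remote_templates(data) or "no remote template")
```

The scanner follows the reference chain rather than grepping for "attachedTemplate", so a relationship that is present in the .rels file but never referenced from settings.xml (which Word would not fetch) is not reported, while a genuinely injected document is. Blocking or sandboxing documents that resolve to an external template, combined with outbound proxy rules that deny Office processes direct Internet fetches, removes the credential prompt this tool depends on.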
While the group's original campaign focused on gathering technical information, this new campaign appears to have focused more specifically on operational information. For example, the group took a large number of screenshots, especially of machines that had access to control systems.
Interestingly, the group likes to use off-the-shelf malware, possibly in an attempt to make attribution harder. This assumption is reinforced by the presence of strings in different languages, indicating that at least one of these languages acts as a false flag.
Whatever the motivation or source of a cyber attack, the cost of its consequences is significantly higher than the cost of the measures that would have prevented it. It is important to note that the majority of attacks can be avoided with basic cyber security practices.
To learn more about how your organisation can guard itself against cyber security threats, download the Report on Cyber Threats to Operational Technologies in the Energy Sector.