Attacks on Industry

A Cyber-attack can vary from stealing information up to a destructive attack, from cyberwarfare to cyber espionage, from stolen Email addresses to stolen credit card and financial data.

The Industry is most concerned about Malware or Cyber-attacks may change the Technical Integrity (Process Safety) of production facilities. Also data integrity or application function integrity (I) could disrupt or damage the production process or that it may stop the production process, the availability (A).

The PS and CIA priorities are applied:

  • PS    = Process Safety
  • C      = Confidentiality
  • I        = Integrity
  • A      = Availability

2010 Stuxnet (PS, I and A):

The first destructive attack in industry was Stuxnet in 2010, a malicious computer worm believed to be jointly built by an American-Israeli team that created a cyber weapon. Designed to sabotage Iran’s nuclear program with what would seem like a long series of unfortunate accidents, i.e. centrifuges damaged due to overspeed. The attack caused a set-back of the nuclear program by 1-2 years.

2011 Duqu (C):

Duqu uses the part that have been developed as part of Stuxnet and looks for information that could be useful in attacking industrial control systems, such as stealing digital certificates and corresponding private keys. Duqu’s objective is not to be destructive, the known components are trying to gather information. The target of Duqu again is Iran.

2012 Shamoon 1 (A):

Shamoon 1 is an attack on the oil and gas company Saudi Aramco and wiped out 35,000 computer systems on 15 August 2012. One week later RasGas experienced a similar Cyber-attack. The malware stole information and then destroyed data and computer operation and is seen as the “Biggest hack in history”. Shamoon caused the company to spend more than a week restoring their production.

2013 Havex (C):

Havex malware, also known as Backdoor.Oldrea, is a RAT (Remote Access Trojan) employed by the Russian attributed APT group “Energetic Bear”. It includes an OPC (Ole for Process Control) scanning module, used to search for industrial devices on a network. Havex is known to have been used in at least 2000 attacks targeted against various industrial sectors, particularly the energy sector, such as Electric Power Plants in the United States and Europe. Once installed, Havex scanned the infected system to locate any SCADA or ICS devices on the network (ICS = Industrial Control System, like PLC, DCS or SCADA) and sent the data back to command and control servers. To do so, the malware used OPC and collect information such as CLSID key, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.

2015 BlackEnergy, also called KillDisk (A):

Was an attack to the Ukraine’s power grid and caused a shutdown of Ukraine’s power grid and temporarily disrupt electricity supply to the end consumers by remotely switching off substations. BlackEnergy Malware was first reported in 2007 that generated Distributed Denial-of-Service (DDoS). In 2010, BlackEnergy 2 appeared with capabilities beyond DDoS. In 2014, BlackEnergy 3 came equipped with more functionality and a variety of plug-ins. A Russian-based cybergang known as Sandworm is recognised with using BlackEnergy attacks. The attack is distributed via an Email attachment being a Word document or PowerPoint file, trapping victims into clicking the apparently normal file.

2015 PLC-blaster worm (A):

Programmable Logic Controllers (PLC) and used in industry to control the process and are nowadays equipped with Ethernet ports and can communicate using TCP and IP-addresses, as used in Internet technology. A lab-worm was created in 2015 by researchers from OpenSource Security to prove that PLC worms can seriously threat a PLC. The PLC blaster worm was specifically designed to attack SIMATIC S7-1200 v3 controllers. This worm does not require any additional PCs to spread to other PLCs. The worm lives and runs only in the PLC. The worm scans the network for new targets (other PLCs), attacks these targets and replicates itself onto the targets found. The worm creates a DDoS attack and luckily was never out in the open.

2016 Industroyer, also called Crashoverride (A):

Industroyer (also referred to as Crashoverride) is the second generation of malware used in the cyberattack on Ukraine’s power grid on 17 December 2016. A fifth of Kiev, the capital of Ukraine, was cut off power for one hour and is considered that this was just a large-scale practical test. This was the second Cyberattack on Kiev in two years. Again, it used remote controls and OPC to get controls over IACS systems and also erased system-crucial Registry-keys and overwrite files to make the system unbootable, i.e. not able to restart. See also 5.7 Types of malware, for a comparison of the first generation and the second generation of attacks on the Ukraine’s power grid.

2016 Shamoon 2 (A):

On the 2nd of Dec 2016, 4 years after the first attack, the same happened again to Saudi Aramco called Shamoon 2 with disk-wiping malware, slightly modified, return of the Disttrack Wiper. Since late November 2016, the Shamoon 2 attack campaign has brought three waves of destructive attacks to Saudi Arabia. Shamoon 2 also wipes data and takes control of the computer’s boot record, which prevents the PC from being turned back on. According to security experts, the actor behind the Shamoon attacks was likely the Iranian government.

Shamoon 1 and 4 years later Shamoon 2 demonstrated that attackers are learning faster than we can keep up!

2017 WannaCry (A):

WannaCry was a ransomware attack on 12 May 2017. It was caused by a ransomware Crypto-worm using the Microsoft Windows operating system (OS) by encrypting data and demanding ransom payments in the Bitcoin Cryptocurrency. The attack was estimated to have affected more than 250,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of US Dollars. According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India and Taiwan in the first day.

2017 Petya Goldeneye (A):

Petya (named after the weapon satellite in a James Bond movie Goldeneye) is a family of encrypting ransomware, first discovered in March 2016 and targeted Windows-based systems. On 27 June 2017, a major global cyberattack began, named NotPetya (to distinguish it from the 2016 variants), with infections in France, Germany, Italy, Poland, United Kingdom and the United States. However, most infections were targeting Russia and the Ukraine. Initially more than 80 companies were attacked, including the National Bank of Ukraine. The targets in these countries were mainly Energy Companies, the power grid, bus stations, gas stations, the airport and banks. Around that period other variants (mutant versions) were launched as well called Red Petya, Green Petya, Mischa and PetrWrap, using one of the most advanced cryptographic algorithms around, it also encrypts the entire hard drive by overwriting the master reboot record, to lock the system in order to prevent the computer from loading the OS again. Goldeneye is distributed by phishing e-mails, probably from a German native speaker, called Janus Cybercrime Solutions. WannaCry, Petya GoldenEye and NotPetya are using the same vulnerability from the NSA leaks called EternalBlue.

Afbeeldingsresultaat voor WannaCry"
Ransomware is attacking everyone!

2018 Triton (PS, I and A):

Triton (also called TRISIS) is an ICS Attack Framework and has caused operational disruption to critical Infrastructure. The attacker (most probably the Russians again, called Xenotime) have developed the capability to cause physical damage and as a result the shutdown of operations of a Petrochemical company in Saudi Arabia, at Saudi Aramco. The malware gained remote access to a SIS Engineering Workstation and deployed the Triton Attack Framework to reprogram the Triconex SIS, the Safeguarding Systems of oil production facilities. Luckily a mistake was made by the attackers in the attack framework that cause the facilities to shutdown on a diagnostic failure message. Triton is seen as the first direct attack on SIS, the integrity heart and last line of defence of production facilities. Xenotime, Hacking Group behind Triton, found probing Industrial Control Systems (ICS) of Power Grids in the US in 2019.

2018 Xbash (A):

Some people recommend to change to another operating system, such as Linux, but new attacks, like Xbash ransomware, attacks both Linux and Microsoft Windows servers. Xbash was discovered by Palo Alto Networks in September 2018 and it combines a Botnet, Ransomware and Coinmining in one worm, so it is a multipurpose worm. Xbash has self-propagating capabilities that means that it has worm-like characteristics like WannaCry. Linux is also used in Industrial Applications and is therefore also a candidate of being attacked.

2019 LockerGoga (A):

“OSLO (Reuters) – Norske Hydro, one of the world’s largest aluminium producers, has made some progress restoring operations but is not yet back to normal after it was hit on 18-03-2019 by a ransomware Cyber-attack”, the company said on Wednesday, 20-03-2019. The attack, LockerGoga malware, is the most active ransomware. It focuses on targeting companies and bypass AV signature-based detection. It loads, using the company’s own Active Directory services, a malicious file on the system to the ‘%TEMP% directory’ from an infected Email attachment and progresses to the OT, where it infects PCD-systems.

Malware and attacks are evolving to smarter attacks, more focussed and more automated attacks. A good example is a comparison by Prof. Sandro Etalle, Technical University Eindhoven that showed that the Industroyer/Cashoverride attacks (2016) are much smarter than the BlackEnergy/KillDisk (2015) attacks and more is automated.

Attack smartness is evolving fast, e.g. the attacks on the Ukraine Power Stations

There are many different Cyberattacks and depending on its objective can be split in the following types:

  1. Indiscriminate attacks, do not seem to discriminate between governments and companies
  2. Destructive attacks, inflict damage on specific organisations
  3. Cyberwarfare, politically motivated destructive attacks aimed at sabotage and espionage
  4. Government espionage, stealing information from/about governments
  5. Corporate espionage, stealing confidential data from corporations
  6. Stolen e-mail addresses and login credentials, hacking purposes
  7. Stolen credit card and financial data, create financial benefit
  8. Stolen medical-related data, to be sold on the black market
  9. Hacktivism, to promote a political agenda or a social change to enforce free speech and human rights

On the black market, the going rate for your Social Security Number (Burger Service Number) is 10 cents, your credit card number is worth 25 cents, but your electronic medical health record could be worth hundreds or even thousands of dollars.

It is evident when looking at the above list of successful hacks and attacks that a well-managed Firewall, up-to-date Anti-virus Definition files (AV) and applying the latest patches is not good enough to protect you against focused attackers. AV and Patching are always lacking behind and zero-day attacks will not be stopped!