
Page 1: Dragos, Inc. | June 2019 · Launcher Start •Select Payload •Initiate ICS Impact Payload Execution •Connect to Control Systems •Manipulate State Wiper •Wait for Timer •Delete

Joe Slowik / @jfslowik

Dragos, Inc. | June 2019

Page 2:

Page 3:

Page 4:

Page 5:

https://ics.sans.org/media/An-Abbreviated-History-of-Automation-and-ICS-Cybersecurity.pdf

Page 6:

http://www.a2n.net/site/wp-content/uploads/2017/03/IoT_04.png

Page 7:
Page 8:
Page 9:
Page 10:

Preparatory Actions

Deny Degrade Destroy

Page 11:

CRASHOVERRIDE

TRISIS / TRITON

2017-2019 Electric Sector Intrusions

Page 12:
Page 13:
Page 14:

Launcher Start

• Select Payload

• Initiate ICS Impact

Payload Execution

• Connect to Control Systems

• Manipulate State

Wiper

• Wait for Timer

• Delete Files, Remap Services, Reboot System

Post-Attack

• Leave behind “Backup” Backdoor

• SIPROTEC DDoS (Fail)

Page 15:

Long-Term Network Access

• Harvesting credentials over long periods

• Able to perform reconnaissance and survey environment

Insecure Environment

• Weak authentication mechanisms

• Re-used credentials

• Older operating systems on critical devices

‘Flat’ Network

• Central points of access (historians) to all ICS-managing hosts of interest

• Easy to move from IT to OT network

Page 16:

Stage 1

• Credential capture

• Native Windows commands and scripts

Stage 2

• Malicious service creation with timer

• ICS manipulation coded in malware
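The Stage 2 sequence on slides 14 and 16 (a service installed with a timer, then file deletion, service remapping and a reboot once the timer fires) is something a defender can hunt for by correlating host events on a per-host basis. This is an added example, not material from the presentation; the event records, event names and the four-hour window are constructed and simplified, not a real Windows or Sysmon log schema.

```python
"""Correlate host events for the wiper sequence described on slides 14/16:
service installed -> (timer) -> file deletion, service remapping, reboot.
The records below are constructed; event names only loosely follow the
Windows System log (7045 service installed, 7040 service config changed,
1074 shutdown initiated). 'file_delete' is an assumed Sysmon-style event."""
from collections import defaultdict
from datetime import datetime, timedelta

DESTRUCTIVE = ("file_delete", "service_config_changed", "shutdown_initiated")

# Constructed sample events: (host, ISO timestamp, event name, detail).
SAMPLE_EVENTS = [
    ("hmi01", "2019-06-01T10:00:00", "service_installed", "svc-A"),
    # ~90 minutes later the timer fires and the destructive steps follow
    ("hmi01", "2019-06-01T11:30:05", "file_delete", "C:\\ics\\cfg\\*.ini"),
    ("hmi01", "2019-06-01T11:30:06", "service_config_changed", "svc-B"),
    ("hmi01", "2019-06-01T11:30:06", "service_config_changed", "svc-C"),
    ("hmi01", "2019-06-01T11:30:20", "shutdown_initiated", "svc-A"),
    # benign install followed by a planned maintenance reboot: one stage only
    ("eng02", "2019-06-01T09:00:00", "service_installed", "backup-agent"),
    ("eng02", "2019-06-01T09:02:00", "shutdown_initiated", "admin"),
]


def find_wiper_sequences(events, window_hours=4):
    """Alert when a service install on a host is followed, within the window,
    by at least two distinct destructive stages. The window must be long
    because the slide 14 wiper waits on a timer before acting."""
    by_host = defaultdict(list)
    for host, ts, name, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), name, detail))
    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        for t0, name, svc in evs:
            if name != "service_installed":
                continue
            deadline = t0 + timedelta(hours=window_hours)
            stages = {n for t, n, _ in evs if t0 <= t <= deadline and n in DESTRUCTIVE}
            if len(stages) >= 2:
                alerts.append({"host": host, "service": svc, "stages": sorted(stages)})
    return alerts


if __name__ == "__main__":
    for alert in find_wiper_sequences(SAMPLE_EVENTS):
        print(alert)
```

A single reboot after a service install is normal administration, which is why the rule requires two distinct stages; tune the window to the longest timer delay you are prepared to tolerate missing.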

Page 17:

What Worked

• Again penetrated ICS, produced impact

• Framework developed to scale attacks

What Could Have Been Better

• Attack was very immature

• Tools still in development stage

• Attack looks like a ‘test’

Page 18:
Page 19:

Gain access to and harvest credentials from IT network (Mimikatz, ‘SecHack’)

Leverage multiple open- or commercial-source tools for post-exploitation (WMImplant, administrative tools)

Utilize remote access to OT network via stolen credentials

Continue pivoting through network via credential capture

Gain sufficient access to SIS to deploy TRISIS

Page 20:

Media, General Infosec Companies

• WHO DID IT ???

• Where will this entity strike next?

ICS Security Community

• What was the intention/purpose?

• What are implications of targeting SIS?

Page 21:

Stage 1

• Credential capture

• Publicly- and commercially-available toolsets

Stage 2

• Continuous credential capture and pivoting via same Stage 1 tools

• Develop and deploy victim-specific SIS rootkit

Page 22:

What Worked

• Yet again penetrated ICS, produced impact

• Expanded scope of possible targets for disruption to SIS

What Could Have Been Better

• Event did not appear to succeed

• TRISIS is very ‘brittle’ – only directly applicable to identical environments

Page 23:
Page 24:

Select Utility Targets

Identify Contractors, Vendors, and Other Third Parties

Compromise Third Parties

Utilize Trusted Relationship to Enable Access to Utility Targets

Page 25:

Known Victims

• United States

• United Kingdom

• Ireland?

Probable Victims

• Germany

• Switzerland?

Emerging Victims

• Ukraine

• Poland?

Page 26:
Page 27:

Stage 1

• Continuous Credential Capture

• Remote Logon, Leverage Native System Tools

Stage 2

• Initial Access and Survey of ICS Environment using Stage 1 Methodology

• Ultimate Intended Effect… ?

Page 28:

What Worked

• AGAIN penetrated ICS

• Campaign leveraged combinations of publicly-available tools and techniques

• Provides an example of how to penetrate ICS without special tooling

What Could Have Been Better

• We’re not really sure yet!

Page 29:

Preparatory and Pre-ICS Attack Phases

• Increasing Avoidance of Custom Software, Malware

• Emphasis on Commodity and System Tools

• Increased Use of In-Memory Execution

ICS Attack

• Custom Attack Packages Tailored to Target Environment

• Limited Ability to Replay or Reuse Attacks

Page 30:

STUXNET is first known and most complex ICS malware

Subsequent events leverage some use of vulnerabilities

Most-recent attacks rely on underlying network insecurity and connectivity

Page 31:

Ukraine 2016: ICS manipulation codified in software (CRASHOVERRIDE)

Saudi Arabia 2017: Develop product-specific rootkit to facilitate access and manipulation (TRISIS)

2017-Present: Information gathering on target systems to enable effects development?

Attackers codifying ICS manipulation in software vs. manual interaction

Page 32:

Intrusions will continue

Adversaries are getting smarter, more efficient

Infections may result in incidental harm

Page 33:

Attacker goal is mission accomplishment – not technical sophistication

Attackers will stick with “what works”

Divergence between initial access and final attack methodologies

Page 34:

Increased Efficiency and Cost Savings by Incorporating COTS Hardware/Software into ICS Equipment

Elimination of (some) custom environments, airgaps, and traditional separation from enterprise IT

Result: IT threat surface imported to ICS environment – WITHOUT the same security capabilities

Page 35:

Efficiencies and Cost Savings Result in Increased Adoption of IT Technologies in ICS Environments

Extending IT Attack Surface to ICS Environment

ICS Environments Lack Security and Monitoring Options in IT Environments

Attackers are Taking Advantage of this Trend

Page 36:

The Wrong Lesson

• “Living off the land” prevalence means ICS security problems are just like IT

• Deploy and implement IT security in ICS environments, same tools and all!

The Right Lesson

• IT intrusion tradecraft extends to ICS

• Portions of IT defense must be embraced, but not all

• Effective defense requires knowing subtleties of operational networks (and their purpose)

Page 37:

Traditional ICS Perimeter

Vendor and Contractor Access

Increased Remote Work and Administration

Cloud and Off-Prem Products

Page 38:

Almost no Observed Use of “Zero Days”*

Most Targeted Vulnerabilities are Windows, not ICS

Use of Publicly-Available Attack Tools, Rarely Custom Software EXCEPT Final Attack

Page 39:

Initial Intrusion

• Breach IT

• Expand into ICS

Dwell Time

• Maintain Access

• Continuous Data Gathering

Event Execution

• Leverage Access

• Execute Disruptive Event

Page 40:

ICS Capability / Research Team

Attack Team 1

Attack Team 2

Attack Team 3

Page 41:

Few ICS Disruptive Events

Multiple ICS Intrusions, Survey, Reconnaissance

Many ICS-Related IT Intrusions and Initial Access

Page 42:

Disruption or Destruction

Erode Confidence

Influence and Messaging

Page 43:

Little or No Custom Malware in Initial Intrusion

Transition from “Access” to “Effects” Team when ICS Breached

Custom Malware Deployed Codifying ICS Knowledge in Software

Increasing Reliance on IT Concepts and Equipment Magnifies ICS Impact

Page 44:

• CRASHOVERRIDE – Dragos (https://dragos.com/blog/crashoverride/CrashOverride-01.pdf)

• Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE – Dragos (https://dragos.com/whitepapers/CrashOverride2018.html)

• TRISIS – Dragos (https://dragos.com/blog/trisis/TRISIS-01.pdf)

• Industroyer – ESET (https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf)

• Analysis of the Cyber Attack on the Ukrainian Power Grid – SANS (https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf)

• German Steel Mill Cyber Attack – SANS (https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf)

• Electric Sector Targeting in Context – Joe Slowik (https://pylos.co/2018/12/26/electric-sector-targeting-in-context/)

• Dragonfly: Western Energy Sector Targeted by Sophisticated Attack Group – Symantec (https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks)

• Evolution of ICS Attacks and the Prospects for Future Disruptive Events – Joe Slowik, Dragos (https://dragos.com/wp-content/uploads/Evolution-of-ICS-Attacks-and-the-Prospects-for-Future-Disruptive-Events-Joseph-Slowik-1.pdf)

Page 45: