key: cord-0797697-13g2gfea
authors: Barak, Israel
title: Critical infrastructure under attack: lessons from a honeypot
date: 2020-09-30
journal: Network Security
DOI: 10.1016/s1353-4858(20)30106-9
sha: 38939a5721e4d7e917fdbf1116f2fa7fffdccf49
doc_id: 797697
cord_uid: 13g2gfea

As its name suggests, critical infrastructure is just that – critical. It includes the facilities, information, processes and systems upon which our society functions and depends – from energy and our water supply, to transport, election systems and the government. The health sector too is pivotal in supporting everyday citizens, and never has this been clearer than today, in the midst of a pandemic.

Critical infrastructure includes facilities, information, processes and systems upon which our society functions and depends. And it is increasingly under attack. To counter this threat, critical infrastructure operators should aim to minimise mean time to response when attacks occur. They also need to gain more visibility into their systems – particularly between the IT and OT environments. And security needs to be an intrinsic element in all OT systems, right from the initial design, argues Israel Barak, Cybereason.

Indeed, due to Covid-19, one could argue that the remit of critical infrastructure may have expanded beyond our 'traditional' understanding. For instance, it is no longer enough to classify the food production supply chain as critical infrastructure without also including the retailers, or grocery stores, that bridge the gap between supplier and consumer. Either way, the vital nature of these services and goods puts a target on their back, for both organised cybercrime gangs and state-sponsored actors. In targeting these institutions, the stakes are decidedly higher as well. Formerly, a cyber attack may have resulted in the loss or exposure of data, perhaps financial information: no doubt a grievous offence.
Nevertheless, an attack on critical infrastructure physically puts individuals at risk of harm, perhaps even death. In an almost dystopian, 'Black Mirror' example, the hijacking of a food-processing plant could result in false readings of hygiene levels, allergens, toxic elements and so on, the consequences of which would be dire. Yet choosing to believe that such catastrophic incidents are confined to the television screen would be a grave mistake, and one that serves up our safety and well-being on a silver platter.

Just a few months ago, in April 2020, the Portuguese energy giant EDP suffered a ransomware attack in which 10TB of sensitive corporate data was stolen and used to blackmail the corporation for nearly $11m.[1] In June 2020, Australian Prime Minister Scott Morrison informed the public of a string of malicious attacks being executed against the government, industry, education and other essential service providers.[2] And earlier this month, explosions at an Iranian nuclear facility were reportedly the result of an Israeli cyber attack, an alleged act of retaliation following the Iranian cyber attack on Israeli water systems two months prior.[3]

Knowing this, critical infrastructure operators have every reason to be on high alert and to improve their defences. Part of being able to do so is understanding the strategy of these bad actors. So, what is it?

Earlier this year, Cybereason launched its second ICS network honeypot to learn the tactics, techniques and procedures (TTPs) of the criminal underworld as attacks against these environments continue to increase. Much as flies are drawn to a pool of honey, a honeypot is a computer system that simulates a target in order to lure in attackers, while its operators observe everything they do. In this case, Cybereason constructed a network architecture that mimicked an electrical company operating in North America and Europe.
It included an IT environment, an operational technology (OT) environment and human-machine interface (HMI) management systems: the dashboards through which an operator controls the corresponding physical devices. Embedded within the set-up were the security vulnerabilities typically found in such environments, together with the controls typically found there too, such as network segmentation. From there, a team watched as attackers began to bite.

Only three days after the honeypot went live, attackers began to exploit it with a variety of ransomware attacks. To infiltrate the system, they started by targeting publicly accessible remote administration interfaces. It is through these interfaces that network operators give technicians access to the network to troubleshoot issues or carry out maintenance work. In other words, the interface lets an individual perform privileged actions, which makes it a valuable mark for attackers. Eventually, they were able to log in by brute-forcing passwords, using information gathered in real time from the honeypot environment.

Once through, the attackers turned to fileless techniques. Whereas malware was traditionally installed as a file or piece of software, a fileless attack abuses existing, legitimate tools to accomplish its goals, which makes it much harder to detect. In this case, a PowerShell script was used to open a backdoor under an 'admin' user, giving the attackers a way to continue their efforts without raising any red flags. From there, further attack tools were uploaded with the help of PowerShell. These included Mimikatz, an open-source tool used to extract credentials from Windows memory. Using Mimikatz together with the PsExec remote execution utility, the attackers attempted to gain access to other user accounts and move laterally across the network towards the domain controllers.

In this instance, the bad actors failed to gain access to the domain controllers, because none of the accounts within the honeypot environment had these permissions: a reminder that keeping domain-level privileges off everyday accounts blunts exactly this stage of an intrusion. Nevertheless, they persisted in moving laterally, using network scanners to identify other possible endpoints. It was only when every endpoint had been penetrated that the attackers deployed the ransomware.

Interestingly, much like a python coiling around its prey, there is a rising trend for attackers to become deeply embedded within a system before detonating their ransomware: not striking at the earliest opportunity but first affecting as many machines as possible while amassing credentials. In doing so, they can expect a bigger payday.

This strategy differs from what we witnessed in a near-identical honeypot run back in 2018. In the early stages of the 2018 experiment, the attackers appeared to operate in a similar manner to those in the most recent honeypot: exploiting remote access services and installing a backdoor, which lets bad actors regain access to the network regardless of whether the administrator passwords are changed. In that case, however, the tool xDedic RDP Patch was also installed, suggesting that a black-market seller had discovered the environment and intended to sell access to it on xDedic. Yet unlike the 2020 intruders, who operated in a stealthier fashion, the attacker who first identified the 2018 environment almost immediately began unleashing a flood of attacks. These included crypto-mining bots, phishing bots and distributed denial of service (DDoS) bots.
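The 2020 chain described above, from brute force on an exposed remote administration interface, through a backdoor 'admin' account, to Mimikatz and PsExec lateral movement, leaves a recognisable trail in the Windows Security and System event logs. As an added example that is not part of the original article or of Cybereason's own tooling, the Python script below correlates a handful of constructed, CSV-flattened event records into those three stages. The event IDs are the standard Windows ones (4625 failed logon, 4624 successful logon, 4720 user account created, 4732 member added to a local group, 7045 service installed); the hostnames, usernames, addresses and the assumption that the remote administration interface is RDP (logon type 10) are all constructed for the example, and the threshold of five failures is an arbitrary starting point to tune per environment.

```python
"""Correlate Windows event records into the stages of the honeypot intrusion:
brute force on a remote administration interface, creation of a backdoor admin
account, and PsExec-style remote execution. Added example; every log line below
is constructed for illustration, not captured from the honeypot."""
from collections import defaultdict

# Constructed sample, one record per line: host,event_id,user,source_ip,detail
# Event IDs are the standard Windows Security/System ones; logon_type=10 is
# RemoteInteractive (RDP), assumed here to be the exposed remote admin interface.
SAMPLE_LOG = """\
HMI-01,4625,administrator,203.0.113.7,logon_type=10
HMI-01,4625,administrator,203.0.113.7,logon_type=10
HMI-01,4625,administrator,203.0.113.7,logon_type=10
HMI-01,4625,administrator,203.0.113.7,logon_type=10
HMI-01,4625,administrator,203.0.113.7,logon_type=10
HMI-01,4624,administrator,203.0.113.7,logon_type=10
HMI-01,4720,administrator,203.0.113.7,new_user=svc_backup
HMI-01,4732,administrator,203.0.113.7,member=svc_backup;group=Administrators
ENG-02,7045,SYSTEM,-,service=PSEXESVC
ENG-02,4624,svc_backup,10.0.0.5,logon_type=3
"""

BRUTE_FORCE_THRESHOLD = 5  # arbitrary starting point; tune per environment


def parse_events(text):
    """Turn the flattened records into dicts; key=value pairs in the detail
    column (separated by ';') become extra fields on the event."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 4)
        if len(parts) != 5:
            continue  # malformed record, skip rather than crash the pipeline
        host, event_id, user, src, detail = parts
        extra = dict(kv.split("=", 1) for kv in detail.split(";") if "=" in kv)
        events.append({"host": host, "id": int(event_id), "user": user.lower(),
                       "src": src, **extra})
    return events


def detect_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD):
    """A run of >= threshold failed logons (4625) for one host/user/source,
    followed by a success (4624) from that same source, is a password brute
    force that got in. Failures that never end in a success stay quiet."""
    failures = defaultdict(int)
    hits = []
    for ev in events:
        key = (ev["host"], ev["user"], ev["src"])
        if ev["id"] == 4625:
            failures[key] += 1
        elif ev["id"] == 4624:
            if failures[key] >= threshold:
                hits.append({"host": ev["host"], "user": ev["user"], "src": ev["src"],
                             "logon_type": ev.get("logon_type"),
                             "failures_before_success": failures[key]})
            failures[key] = 0  # a success resets the run either way
    return hits


def detect_backdoor_admin(events):
    """A freshly created account (4720) that is then added to the local
    Administrators group (4732) on the same host is the 'backdoor admin'
    pattern seen in the honeypot."""
    created = set()
    hits = []
    for ev in events:
        if ev["id"] == 4720 and "new_user" in ev:
            created.add((ev["host"], ev["new_user"].lower()))
        elif ev["id"] == 4732 and ev.get("group") == "Administrators":
            member = ev.get("member", "").lower()
            if (ev["host"], member) in created:
                hits.append({"host": ev["host"], "new_admin": member,
                             "created_by": ev["user"]})
    return hits


def detect_psexec(events):
    """PsExec installs a service named PSEXESVC on the target, which shows up
    as a 7045 service-installed event in the System log."""
    return [{"host": ev["host"], "service": ev["service"]}
            for ev in events
            if ev["id"] == 7045 and ev.get("service", "").upper().startswith("PSEXESVC")]


def triage(text, threshold=BRUTE_FORCE_THRESHOLD):
    """Run all three rules over one log and return the findings by stage."""
    events = parse_events(text)
    return {"brute_force": detect_brute_force(events, threshold),
            "backdoor_admin": detect_backdoor_admin(events),
            "psexec": detect_psexec(events)}


if __name__ == "__main__":
    for stage, findings in triage(SAMPLE_LOG).items():
        print(stage, findings)
```

Run with python3 and it prints one line of findings per stage. Two design choices matter for a SOC: the brute-force rule only fires when a run of failures ends in a success from the same source, so a scanner that never gets in does not page anyone, and the backdoor rule requires both the account creation and the group addition on the same host, so a routine helpdesk account creation on its own stays quiet. On a real estate the same rules would run over exported EVTX data rather than the inline sample.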
It was only 10 days later, when a new owner had connected to the environment, that work was done to move laterally across the network, more specifically to identify a path from the IT to the OT environment. This attacker was also less concerned with scanning the full network for all endpoints and more interested in pinpointing an entryway into the HMI and OT controllers.

What's more, it appears that ransomware attacks have pivoted slightly. In 2018, the ransomware employed typically offered file encryption capabilities only. In 2020, on top of file encryption, the attackers had also added the ability to run hacking operations. In this way, present-day ransomware is more effective at milking each attack for all it is worth. There is no doubt that cyber criminals have become more sophisticated in their attacks, now adopting a more targeted, multi-stage approach to reap greater financial rewards. They are no longer content with holding a network to ransom, but exploit every vulnerability within it.

If we hope to avoid a nationwide blackout or worse, security teams will need to adhere to three best practices.

First and foremost, critical infrastructure operators should aim to minimise mean time to response. In other words, organisations should establish the response tools and procedures, in both IT and OT networks, to respond to a threat as quickly as possible. One way of doing this is through a threat-hunting service that runs on a 24/7 basis.

Second, it is critical to have visibility, more specifically visibility between the IT and OT environments, as attackers are keen to gain access to the OT environment, where their actions can produce more damaging, physical results. To achieve this, organisations should build a security operations centre (SOC).
This team of security analysts and engineers can oversee the cyber security operations of the entire organisation and deliver a more comprehensive, cohesive and efficient response to threats.

Last but not least, security needs to be in the fabric, or DNA, of any critical infrastructure system. That is to say, built in from the design stage and carried through into its operation. Security teams need to be prepared, knowing what threats currently exist as well as how they are evolving. To be certain that all bases are covered, organisations would do well to partner with experts in ICS threats. Indeed, the public and private sectors should team up against the common enemy. Running drills, or table-top exercises, between red and blue teams would also be highly beneficial, as it allows security teams to consider every possible scenario, patch any vulnerabilities and create a roadmap for the unfortunate event of an attack.

References
1. 'Energy Giant EDP suffers ransomware attack; hackers demand $10.9m'. Teiss.
2. 'Australia cyber attacks: PM Morrison warns of "sophisticated" state hack'. BBC News.
3. 'Explosion at Iran's nuclear facility caused by Israeli cyber attack, report'. Computing.