By Gregory Hale
Industrial control system (ICS) or SCADA users across the board need to understand they need to create a holistic security program to protect against targeted attacks like this past December’s Ukraine utility assault.
“The attacker had been developing its capabilities for at least a year, maybe two, and they discharged this tool and they will not use it anymore,” said Marina Krotofil, lead security researcher at the Honeywell Industrial Cyber Security Lab and an investigator on the December Ukraine utility attack during an interview with ISSSource. “It means they have developed much better capabilities, much higher and advanced. This what is scary because we don’t know what to prepare for.”
The attack in the Ukraine this past December was much deeper than just the grid. It was a systemic attack hitting key governmental and infrastructure points across the country.
The attack ended up being very similar to the attack that struck the Ukrainian power grid in December 2015.
But unlike the 2015 cyberattack that cut out 27 power distribution operation centers across the country and affected three utilities in western Ukraine, the December 2016 attack hit the electrical transmission-level substation Pivnichna, a remote power transmission facility and shut down the remote terminal units (RTUs) that control circuit breakers, causing a power outage for about an hour.
An interesting feature of the attack was leaving the tools behind, Krotofil said.
“The code was compiled specifically for this attack and dropped two days before. Since it was a long and prolonged attack, they could have taken the controls back, but they left them. If they left them it is because they wanted them to be found. If a cyber weapon is found the attacker just dumps it into the garbage. That means they deliberately dumped them into the garbage and they didn’t even use all the tools in the attack. They deliberately dumped more tools than they needed, or used. What that tells us the attacker doesn’t need those tools anymore. If he doesn’t need them it means he has much better tools. Secondly, he wanted the tools to be found. It means he is showcasing his capabilities. It can also be seen as an invitation. OK, guys, we know that everyone is hacking the ICS silently and trying to remove the tools, but let’s raise the bar again and let’s open up and let’s see where this level of (protection against these) tools should now be the new normal.”
New Families of Malware
In addition, the attacker left behind the code so other bad guys will take the code and we can expect new families that will be inspired the create an offshoot of the malware.
Another interesting aspect to the whole attack was the hackers had plenty of time to figure out how to get the job done.
“The attacker invested a lot of time to develop the position where they could speak to the device and send it into the off position, causing a shutdown,” Krotofil said. “They found the state command and then said ‘I can reverse it and then I can send it back and the device goes into shutdown.’ For that, they not only need to understand the protocol but they need to understand the language of the piece of equipment, which language and which command does the equipment speak, which commands are possible? That all takes time. They understood the equipment. They understood the protocol. Those are all developed and tested capabilities. At all those tools were developed a year or two ago. That means the attacker was working a long time in advance.”
At the time of the attack on the utility, Krotofil said there was a bigger attack going on throughout the country.
This attack against the Ukraine utility was part of a joint effort of attacks against multiple organizations within the country, Krotofil said.
Same, but Different
“The infiltration into the organization and the enumeration of networks and backdooring were all similar, but how they achieved the malicious goal inside the organization were all different,” she said.
How they approached an attack into the rail organization was different. The same with the Ministry of Finance. “For every organization they wrote different tools,” Krotofil said. “In each organization, there was specific malware written for each organization.”
This means there were specific scripts written to do a specific task within each organization under attack.
“The attacker already had very well-established connectivity to the SCADA server and the attacker dropped the script two days before the attack. It was compiled two days before the attack and dropped two days before the attack. It was not malware which was exploited in a Zero Day. It was a set of tools written for the specific attack.”
The attacker had already established a backdoor that was communicating with the command and control center and the utility did not monitor the communication, she said.
“We see super sophisticated, super smart malware every day. Every day it is super stealth, never seen before, difficult to reverse engineer; attackers’ capabilities are getting better and better day by day,” Krotofil said. “We tend to look at what we found and say this is the state of art in offense, but it is not. By the time we see it, it is already old. They already have something new. This is where we have to realize we have to prepare for much higher level. We see some malware and see it is state of the art and we will think it is so far advanced and it will not happen to me so I will not address it. We can’t think like that. We should think like they discharged it and we should think about what capabilities they have and what we will see tomorrow.”