Attacks Against Critical Infrastructure Seek Operational Intelligence

Advanced attacks against industrial control systems are intelligence gathering operations in order to learn the inner workings of ICS infrastructure to facilitate sabotage.

In most critical industries—petroleum refineries or energy utilities, for example—there is very little in the way of proprietary information. Refining crude oil into gasoline requires science, not a secret sauce. Same goes for power generation.

So why are advanced attackers using the same data exfiltration techniques deployed in APT-style attacks against IT against critical infrastructure, too? Intelligence gathering, says one expert who spoke last week during the Kaspersky Security Analyst Summit in Mexico.

“They’re not taking financial data, or [mergers and acquisitions] data. They’re taking data that correlates back to the inner workings of the ICS infrastructure,” said Dewan Chowdhury, principal at MalCrawler, and a longtime ICS and SCADA security consultant. “They want PLC blueprints that describe how refineries operate. They want .asr (ActionScript remote file) schemes for power distribution.”

The end game, especially in the Middle East where Chowdhury has spent considerable time, is usually sabotage. The intelligence gathering assists hackers with the weaponization of malware and other attacks that will disrupt manufacturing, oil production or power distribution, and impact economies worldwide.

“Sabotage is by far the scariest thing. When we see sabotage in IT, it’s more like removing files or stealing databases,” Chowdhury said. “But when you can impact something tangible and cause harm from a safety standpoint, that’s scary.”

The intelligence being stolen from ICS enables attacks such as one Chowdhury described in which a natural gas provider in the Middle East was experiencing pressure issues in its pipelines, yet the SCADA Masters looked legitimate and reported that all was well. A physical inspection, however, determined that a control room had been broken into and the subsequent investigation of ICS gear led to the discovery of a new service in the machine’s registry that was sending bogus data to the SCADA master while telling a remote terminal unit to malfunction.

“In order to really hit something like the power grid, you need to have information about the inner workings,” he said. “How is the ASR set up? And when does quality control kick in at a refinery? This is the data you need to manipulate and weaponize this stuff.”

In other words, this isn’t your daddy’s APT.

And speaking of the power grid, the old chestnut about attackers shutting down the grid is a fallacy given the built-in redundancy. Instead, it’s an effective marketing and propaganda tool for politicians wanting to create urgency for new regulations or some other part of their agenda.

“The grid is designed around self-preservation. It’s designed to protect itself from hurricanes, tornadoes and it’s a school of thought that’s been there since day one,” Chowdhury said. “And it’s designed that if one part of the grid goes down, it doesn’t destroy the rest.”

There have, however, been attacks against industry that have been destructive, the most prominent being the use of Shamoon wiper malware against Saudi Aramco that destroyed 30,000 workstations. Last November, the Industrial control System Cyber Emergency Response Team published an advisory warning operators of ICS vulnerabilities being exploited by the BlackEnergy malware, in particular the Sandworm APT gang.

Researchers at Kaspersky Lab published a report at the time on BlackEnergy, in particular a number of plug-ins that had been discovered used in attacks used for stealing passwords, digital certificates and more. One of the more disturbing plug-ins reported on was called dstr, a command that overwrites and destroys hard drives with random data in the event the attackers suspected they had been found out.

Chowdhury said he’d like to see a similar evangelical effort happen with ICS that began some years ago in software development circles when a concentrated effort was made to instill security from the outset of development lifecycles.

“We’re seeing the fruits of it now; a lot of layer 7 stuff is much harder to do compared to five years ago,” Chowdhury said, noting that with ICS, the real challenge may be cultural since engineers, not IT, run the shop. “The cyber community needs to engage with engineers and give them the reality of it.”

In some circles, for example, there still exists the mindset that it’s cheaper to deal with something post-incident rather than be proactive. Chowdhury said in electric utilities, for example, regulations put forth by the North America Electric Reliability Corporation (NERC) provide utilities with not only a security checklist, but have led some to push vendors to include security controls such as IPsec or RADIUS installed on capacitor banks or electric voltage network regulators.

“That’s big,” Chowdhury said.

Suggested articles