Cyber security within SCADA environments is a threat that is, in many cases, being ignored. It has a direct effect in the creation of governmental regulation and legislation, can have deep financial impact and – in some cases – can even cost lives. Many people in the industry think that cyberattacks are something new from the last couple of years. However, we must realize that cyberattacks are NOT new, they are real and they are there for quite some time.
In fact, the first cyberattacks originates over 35 years back. Allegedly, in 1982 the CIA deliberately introduced flaws in control system software stolen by Russia, leading to a massive explosion in June. The Washington Post described how the operation caused “the most monumental non-nuclear explosion and fire ever seen from space”. In 1992 a disgruntled employee sacked by Chevron managed to disable emergency alert protocols in 22 states in the USA.
In 2010 Stuxnet was discovered. Stuxnet changed the playing field because it was the first malware that was using stealth technology to spy on industrial automation systems and to prevent its discovery. For many security specialists this event marked a new era of attacks that are becoming more sophisticated and are able avoid common security measures. In June 2016 the SFG malware was discovered at an European energy company. This malware has been designed to overcome next generation firewalls, as well as antivirus- solutions. SFG collects information and creates a backdoor that could be used to deliver a payload with malware, for instance for shutting down an energy grid.
A politically motivated information stealing adversary
On June 15, 2016 researchers from Fox-IT presented the results of an extensive study into Mofang, a threat actor that almost certainly operates out of China and is probably government-affiliated. The results are reported in the paper ‘Mofang: A politically motivated information stealing adversary’ which can be downloaded from the Fox-IT website. It is highly likely that Mofang’s targets are selected based on involvement in Myanmar with investments, or technological advances that could be perceived as a threat to the Chinese sphere of influence. In addition to the campaign in Myanmar itself, Mofang has been observed to attack targets across multiple sectors (government, military, critical infrastructure and the automotive and weapon industries) in multiple countries. This is most clearly the case in a campaign focusing on government and critical infrastructure of Myanmar. Chances are about even, though, that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved.
Threats to critical Infrastructure
The above underlines Fox-IT’s view that cyberattacks are being launched by nation state actors to gain control and/or valuable insights over a(n) infrastructure, region, country or regime. Nation states that actively supporting cyberattacks are willing to spend millions of euro’s and deploy hundreds of technical savvy specialists to develop and build cyber tools that stay undiscovered as long as possible to achieve maximum impact.
At Fox-IT, we recognize four types of cyber vulnerabilities threatening critical Infrastructure companies:
- Architectural design – Not having properly segmented networks, using DMZ’s and/or DataDiode technology to segregate networks is something we often come across. The current trend to connect ERM systems to CRM systems potentially opens up new possibilities for attackers.
- Security policies – Enforcing security policies has no priority. While performing security audits we often find yellow sticky notes revealing system passwords.
- Legacy systems – OT environments were not built with cybersecurity in mind. The main design goal was availability and continuity. As a result many OT systems are still running on old but reliable operating systems. These cannot easily be taken down to perform maintenance or installing updates, because any downtime can be very costly. As a result these systems are very vulnerable for cyberattacks.
- Communication protocols – Many industrial protocols are well documented and this documentation can be easily found on internet. It may take a hacker only one of two weekends to master the protocols and understand the attack surfaces that can be exploited. And although encryption and enhanced security protocols do exist, many legacy systems still use old protocols. The Regin virus for example was exploiting this vulnerability.
So, that leaves us with the main question: How can you prepare? Is it really possible to defend yourself against the power of a nation state with virtually unlimited budgets and resources? The answer is ‘yes’, but only through a holistic approach executed on a continuous basis, based on solid intelligence and driven by government regulations. A holistic approach based on ‘prevention, rapid detection and fast response. All necessary products, solutions and/or services are available. But aside from the technology perspective, further government regulation is needed to get more insight in the volumes and nature of the occurring attacks. This insight will assist in building a global network of defense against cyber attackers of all sorts. A network that not only defends against cyberattacks but also offers legal frameworks needed to prosecute criminal organizations and even nation states.
The goal of Fox-IT is to make the digital world safer. We are recognized by major analyst in the world as a cyber security leader. Recent publications like the Mofang report mentioned above, but also other reports, will provide insight in our expertise.
We and our partners are there to assist you to prepare!
Four horsemen of the cyberpocalypse
Together with OGIQ, Fox-IT investigates annually the state of cybersecurity in ICS environments. In the 2015 report, cyber threats were divided into 4 groups, referred to as the “Four horsemen of the cyberpocalypse”.
These four horsemen are:
- Hacktivism. Hacktivism is the term for breaking into computer systems for a politically or socially motivated purpose. Hacktivism was coined in 2008, when Anonymous perpetrated ‘Project Chanology’, a campaign aimed at the Church of Scientology. Other examples are the attacks on Exxon, Shell and Rosneft because of their Arctic drilling activities.
- Cyber warfare. The IT based equivalent of conventional warfare, involving politically motivated attacks on information and information systems. The 2010 Stuxnet malware is considered as the first cyber warfare attack, performed by nation state actors, aimed at disturbing the production of an Irian nuclear plant. Thanks to Stuxnet, people in increasingly realize is not only well organized criminal organizations can perform attacks, but also government backed actors.
- Cybercrime. The broad definition of a cybercrime is ‘any criminal activity that is facilitated by means of a computer or a network’. In the second half of 2014 Norwegian oil companies were blackmailed by hackers who used Cryptolocker ransomware.
- Cyber espionage. The practice of obtaining information by unauthorized and clandestine means from individuals, groups and governments for personal, economic, political, or military ends via a range of internet and network based technologies. For example: a German steel company became victim of cyber espionage when, according to sources, its intellectual property was stolen by a group of Chinese hackers.