“On the night of December 17-18, a power outage occurred in several districts of Kiev and adjacent districts of the Kiev region …” This is how most reports about the 2016 cyberattack on the Pivnichna substation (330 kV) in the Ukrainian village of Novi Petrivtsi begin. Researchers named the malware used by the attackers Industroyer or CrashOverride.
The automation and equipment responsible for supplying electricity became unavailable because the cybercriminals wiped their entire configuration, depriving operators of the ability to control the system. Fortunately, the Ukrainian colleagues who were at the facility at the time managed to quickly restore the substation’s operation by switching to manual control.
After examining the data published on this attack, several important conclusions can be drawn:
- the attack was targeted: the attackers had to develop custom tools after studying the specifics of the automated process control system implementation at this facility. This required time, high labor costs, expertise and investment, which indicates a high level of training and motivation of the cybercriminals;
- the cybercriminals were inside the network for 2 to 12 months before the attack; they needed this time to study the network and prepare;
- the initial penetration took place through the corporate network and, despite the segmentation between the OT and IT networks, entry points and hosts with access to both networks were found;
- the cybercriminals used common tools and methods typical of the initial stage of attacks on corporate networks: phishing, credential theft utilities (Mimikatz and analogues), exploitation of vulnerabilities, network scanning, credential manipulation, etc.;
- the malware (Industroyer) is modular and can be modified to attack other types of industrial facilities.
How can we detect the actions of cybercriminals at different stages of such an attack? What event sources need to be connected to the Security Operations Center (hereinafter SOC) and what detection scenarios are needed? We will try to answer these questions below.
How hackers attack ICS
ICS attacks are different from attacks on IT infrastructure, although they have similar principles. At the moment, two methodologies are widely used to describe the actions of cybercriminals in industrial networks:
The first is the Cyber Kill Chain, developed by Lockheed Martin in 2011. Initially, the methodology divided a cyberattack into 7 stages, but in 2015 the model was supplemented with 5 more stages for the ICS segment:
Stage 1 describes the actions of an intruder in the corporate network and ends with penetration into the industrial segment of the network. Stage 2 describes actions in the ICS network and ends with an attack on cyber-physical systems and processes.
This division makes it possible to analyze the attack, to structure the approach to both the application of protective measures and measures to detect and respond to emerging incidents.
The second is MITRE ATT&CK, which refines the Cyber Kill Chain model and describes the techniques and tactics used by cybercriminals at every stage. Initially, MITRE released 3 separate models for different types of systems: Enterprise (corporate networks), Mobile (mobile technologies) and ICS (industrial control systems). But modern industrial networks are built from standard AWPs (automated workstations) of engineers / technologists / operators and servers running specialized software for controlling industrial equipment, controllers and sensors. This includes Microsoft Windows, Linux OS, SQL Servers for the Historian, and other components. Thus, attackers use similar techniques and methods in ICS and in corporate segments. Therefore, MITRE recently announced the merger of the Enterprise (corporate network) and ICS (APCS) models into a new hybrid ATT&CK matrix.
Fig. 2. MITRE Enterprise + APCS methodology
Below, we will use both of these methodologies for a detailed analysis of Industroyer.
How the Industroyer attack is implemented
The main stages of the Industroyer attack can be summarized in the following diagram (with links to the techniques and tactics described in MITRE ATT&CK):
The initial compromise consisted of a successful attack on the company’s IT infrastructure and subsequent persistence in it. Most likely, the cybercriminals’ first step was a targeted phishing campaign against energy companies in Ukraine in early 2016. They then found a server connected to both the IT and OT networks: a Data Historian server based on Microsoft Windows Server running the MS SQL service.
These steps have led to the following consequences for the process control system:
- personnel lost the ability to monitor the state of the system (Loss of View – T0829) and control it (Loss of Control – T0827);
- the hackers gained access to electrical equipment (circuit breakers / disconnectors) and were able to control it (Manipulation of Control – T0831);
- the APCS, in turn, received an incorrect value / status from the equipment (“Primary Variable out of Limits”) and could not display information correctly (Manipulation of View – T0832);
- the DoS attack made the Siemens SIPROTEC relay protection system unavailable (Loss of Safety – T0880);
- due to the blocking of COM ports, personnel lost the ability to control (Denial of Control – T0880) and monitor equipment (Denial of View – T0815) directly.
The cybercriminals’ actions succeeded thanks to the broad capabilities of the Industroyer malware, which was developed specifically for this attack.
Let’s look at how each of the components works. This information will be useful later for developing approaches and techniques for timely detection of this and similar attacks:
| Component | Technique | Description |
| --- | --- | --- |
| Main backdoor | C&C (TOR) | Uses HTTPS + TOR to connect to the C&C server. In this case, a local proxy server in the attacked company’s network is used |
| | Installing the service | Installs itself as a Windows service with administrative privileges |
| | Stopping / starting processes | Can stop / start other processes on the system |
| | Using “non-standard” directories | Runs from directories not typical for launching programs, which are writable without local administrator rights, including C:\Users\Public or C:\Users\<executing user> |
| | Changing the configuration of running services | To avoid detection, hides behind another process by changing the ImagePath value in the registry to its own binary |
| Additional backdoor | C&C | Uses other C&C servers to maintain control if the main backdoor is blocked |
| | Masquerading / replacing legitimate software with malware | A trojanized version of Windows Notepad: a fully functional application to which the malware authors added malicious code that is executed every time it is launched |
| Launcher | Loading and running DLLs | Can load different payloads and run the corresponding DLL and config file |
| | Separate process | A standalone executable file (EXE) |
| IEC-101 component | Stopping a legitimate process and replacing it with its own | Attempts to stop the legitimate process that controls the RTU and replace it with itself. The 101 component terminates this process and accesses the specified device using the Windows API functions CreateFile, WriteFile and ReadFile. The first COM port from the configuration file is used for actual communication; the other two are opened to prevent other processes from accessing them. Thus, the 101 component can take over control of the RTU |
| | Interaction with the RTU (via COM port) | Attempts to change RTU parameters by iterating over all IOA ranges. For each IOA it creates a batch of commands and sends them to the RTU. The main purpose of the component is to change the value of the switch: in the first stage it tries to switch the IOA to Off, in the second to On, and in the final stage back to Off |
| IEC-104 component | Stopping a legitimate process | Attempts to stop the legitimate process controlling the RTU. By default this is D2MultiCommService.exe or another process specified in the configuration |
| | Interaction with the RTU (via TCP/IP) | Attempts to connect to the RTU and change its parameters using the functions of the IEC-104 protocol itself. To do this, it first enumerates the available IOAs, then tries to change their values |
| | Creating a log file on the file system | To report results to the attacker, the IEC-104 component keeps a log file of its work |
| IEC 61850 component | Running processes | Exists as a separate executable file (61850.exe) and DLL (61850.dll) |
| | Scanning devices | Determines the IP addresses of all interfaces and scans all discovered networks for TCP port 102 connectivity |
| | Interaction with the RTU (via TCP/IP) | Connects to the RTU to collect information about the device and its status |
| | Creating a log file on the file system | Writes all collected data (IP addresses, variable values and node state) to a log file |
| OPC DA component | Process start | A separate malicious tool, OPC.exe and OPCClientDemo.dll, supposedly based on the open-source OPC Client project. Run remotely using xp_cmdshell |
| | Scanning devices | Using the OPC DA protocol, determines the available OPC servers and searches for information on ABB devices (IOPCBrowseServerAddressSpace) |
| | Changing configuration | Attempts to change the state of detected OPC items via the IOPCSyncIO interface by writing the value 0x01 twice |
| | Creating a log file on the file system | Writes all collected data to a log file (OPC server name, OPC item name, status, quality code and value) |
| Data wiper | Process start | The component’s file name is haslo.dat or haslo.exe; it can be executed by the launcher or used as a standalone malicious tool |
| | Changing service configuration | Sets the ImagePath registry value to an empty string in every entry it encounters under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry key |
| | Deleting important files | Scans all connected hard drives and deletes important configuration files (.pcmp, .paf, etc.) |
| | Stopping legitimate processes | Tries to kill all processes, including system processes, except its own. This causes the system to stop responding and eventually crash |
| Additional tool: network scanner | Port scan | Works similarly to the NMAP network scanner |
| Additional tool: DoS module | Exploiting vulnerabilities | Exploits the CVE-2015-5374 vulnerability to make the device freeze |
| | Switching to firmware update mode | The DoS puts the device into Firmware Update mode |
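Two of the host-level behaviours in the table (launching from “non-standard”, user-writable directories, and changing or clearing a service’s ImagePath) can be turned into detection logic over Sysmon-style telemetry. The following Python is an added example, not code from the original article or from the malware analysis it draws on; the hosts, users, paths and event records are constructed, and the launch profile is learned from a small constructed baseline.

```python
"""Host-level detections for two Industroyer behaviours from the table above:
launching from directories writable without admin rights (C:\\Users\\Public,
C:\\Users\\<user>) and tampering with the ImagePath value of services (hiding
behind a service, or clearing it as the wiper does). Added example, not from
the original article; records mimic Sysmon Event ID 1 (process create) and
Event ID 13 (registry value set), but hosts, users and paths are constructed."""
import re

# Directories the article names as "non-standard" launch locations.
NON_STANDARD_DIRS = ("c:\\users\\public\\", "c:\\users\\")
# HKLM\System\CurrentControlSet\Services\<service>\ImagePath as Sysmon logs it.
IMAGEPATH_RE = re.compile(
    r"^hklm\\system\\currentcontrolset\\services\\[^\\]+\\imagepath$")

def normalize_image(path):
    """Collapse per-user profile directories so one profile entry covers every
    user: the 'exceptions for dynamic paths' the article recommends."""
    return re.sub(r"^c:\\users\\(?!public\\)[^\\]+\\",
                  lambda _m: "c:\\users\\*\\", path.lower())

def build_profile(baseline_events):
    """Learned profile of legitimate launches: (host, user, normalized image)."""
    return {(e["Computer"].lower(), e["User"].lower(), normalize_image(e["Image"]))
            for e in baseline_events if e["EventID"] == 1}

def in_non_standard_dir(path):
    return path.lower().strip('"').startswith(NON_STANDARD_DIRS)

def check_process(event, profile):
    """Event ID 1: a launch outside the learned profile is an alert; launches
    from user-writable directories are escalated."""
    key = (event["Computer"].lower(), event["User"].lower(),
           normalize_image(event["Image"]))
    if key in profile:
        return None
    return {"rule": "process-outside-profile",
            "severity": "high" if in_non_standard_dir(event["Image"]) else "medium",
            "host": event["Computer"], "image": event["Image"]}

def check_registry(event):
    """Event ID 13: every ImagePath write is reported; an empty value matches the
    wiper, a value under a user-writable directory matches the backdoor."""
    if not IMAGEPATH_RE.match(event["TargetObject"].lower()):
        return None
    new_value = event["Details"].strip()
    if new_value == "":
        rule, severity = "service-imagepath-cleared", "high"
    elif in_non_standard_dir(new_value):
        rule, severity = "service-imagepath-hijack", "high"
    else:
        rule, severity = "service-imagepath-changed", "low"   # installers do this too
    return {"rule": rule, "severity": severity, "host": event["Computer"],
            "key": event["TargetObject"], "writer": event["Image"]}

def run(events, profile):
    alerts = []
    for e in events:
        alert = check_process(e, profile) if e["EventID"] == 1 else check_registry(e)
        if alert:
            alerts.append(alert)
    return alerts

# Constructed baseline (known-good launches) and a batch of events to score.
BASELINE = [
    {"EventID": 1, "Computer": "AWP-01", "User": "PLANT\\operator1",
     "Image": "C:\\Users\\operator1\\AppData\\Local\\Scada\\hmi.exe"},
    {"EventID": 1, "Computer": "AWP-01", "User": "PLANT\\operator1",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]
EVENTS = [
    {"EventID": 1, "Computer": "AWP-01", "User": "PLANT\\operator1",
     "Image": "C:\\Windows\\System32\\notepad.exe"},            # in profile
    {"EventID": 1, "Computer": "AWP-01", "User": "PLANT\\operator1",
     "Image": "C:\\Users\\Public\\svchost.exe"},                 # non-standard dir
    {"EventID": 13, "Computer": "HIST-01", "Image": "C:\\Users\\Public\\haslo.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\MSSQLSERVER\\ImagePath",
     "Details": ""},                                              # wiper pattern
    {"EventID": 13, "Computer": "AWP-01", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\NotepadSvc\\ImagePath",
     "Details": "\"C:\\Users\\Public\\notepad.exe\""},           # hijack pattern
]
PROFILE = build_profile(BASELINE)
```

Running `run(EVENTS, PROFILE)` yields three high-severity alerts (the Public-directory launch, the cleared ImagePath and the hijacked ImagePath); the in-profile Notepad launch is silent.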
How to counter an Industroyer
As the description above shows, although the attack is made up of separate components, its complex execution gives information security specialists time and the ability to detect the attackers’ actions by indirect signs: anomalies in the operation of the network, hosts and applications, and signals from various protection tools.
Of course, it is better to prevent intruders from penetrating your corporate and industrial network, making the attack as difficult as possible. This requires the following technical and organizational measures:
- segmentation between IT and OT networks;
- inventory of the used equipment and software in the APCS;
- use of built-in security tools in APCS systems;
- availability of antivirus tools on hosts (workstations and servers);
- work on raising awareness of personnel in the field of information security (Security Awareness);
- thoughtful password policy;
- streamlined vulnerability management process;
- installation of NGFW and IPS / IDS in the IT network at the perimeter and between IT / OT.
In addition, it is important to detect the actions of cybercriminals in time and respond promptly. This requires a SOC and the systems necessary for its operation (SIEM, TIP, EPP / EDR, NAD and others), which become sources of valuable data for information security specialists. At the same time, the SIEM must be configured to detect the sequences of events listed below, and the SOC must be prepared to detect, analyze and respond to them.
Attacks like Industroyer are organized by highly qualified professional cybercriminals who behave as stealthily as possible and try to avoid detection by the available information security tools. To detect them in the infrastructure, we recommend, in addition to full-fledged monitoring of the IT network, connecting and analyzing events from a large number of sources in the APCS, including:
- operating systems of AWP and SCADA servers;
- network equipment (switches, routers, firewalls);
- imposed protection means (antivirus software, IDS on hosts);
- specialized information security tools for industrial networks (IDS);
- logs from controllers (PLC, DCS) and application software (SCADA, Data Historian).
This makes it possible to catch even the smallest mistakes of the cybercriminals. The sooner the SOC detects their actions, the faster it can neutralize them (remove them from the network) and the smaller the potential losses for the company as a whole and the APCS in particular.
That is, the SOC must:
- see as many information security events as possible;
- have detection rules for the entire ICS Kill Chain / MITRE ATT&CK;
- have enough expertise in terms of analytics for a timely and correct response to an incident.
All three points apply to IT and OT networks at the same time. Monitoring in IT networks has been described many times, but the OT topic deserves a little more detail. Let’s supplement the table with the techniques used by Industroyer, possible detection scenarios and the required event sources:
| Technique | Description | Event sources | Implementation complexity | Detection scenario |
| --- | --- | --- | --- | --- |
| Main backdoor | | | | |
| C&C (TOR) | Uses HTTPS + TOR to connect to the C&C server. In this case, a local proxy server in the attacked company’s network is used | Firewall, Proxy, PSB | Medium: depends on the availability of system documentation (required accesses and protocols) | Network connections from the workstation to the entire infrastructure are profiled; a connection outside the profile is an alert |
| | | | Low | Using Threat Intelligence (TI): a network connection to a known C&C / TOR address is an alert. It is recommended to apply TI to the entire infrastructure and not only to the ICS segment, since the backdoor can use intermediate servers as proxies |
| | | | Low | Configuring alerts for the relevant categories on the security tools |
| Installing the service | Installs itself as a Windows service with administrative privileges | Windows | Medium: potentially many false positives | Service installation or changes to the corresponding registry keys |
| | | | Medium: detection is harder for svchost cases | An improved version of the first alert, with additional filters on the names of the launched processes (powershell, cmd, etc.) and on their location. But malware often runs as svchost, in which case the detection rule needs further refinement |
| Stopping / starting processes | Can stop / start other processes on the system | Windows | Medium: potentially a lot of legitimate activity | Detecting process stop events in Windows. Important: the scenario does not work on Windows 8.1 and higher, and it needs an additional check for process stops caused by host shutdown. It is better to implement it through checks in the IT monitoring system (Zabbix, etc.) |
| Using “non-standard” directories | Runs from directories not typical for launching programs, which are writable without local administrator rights, including C:\Users\Public or C:\Users\<executing user> | Sysmon, Endpoint Protection | High: long-term profiling | Process launches in Windows are profiled (host, user, image path). It is recommended to add exceptions for dynamic paths |
| Changing the configuration of running services | Can hide behind another process (by changing the ImagePath value in the registry to its own binary) | Windows, Endpoint Protection | Low | Modification of the corresponding registry keys (ImagePath) |
| Additional backdoor | | | | |
| C&C | Uses other C&C servers to maintain control if the main backdoor is blocked | Firewall, Proxy, PSB | Medium: depends on the availability of system documentation (required accesses and protocols) | Network connections from the workstation to the entire infrastructure are profiled; a connection outside the profile is an alert |
| | | | Low | Using TI: a network connection to a known C&C / TOR address is an alert. It is recommended to apply it to the entire infrastructure and not only to the ICS segment, since the backdoor can use intermediate servers as proxies |
| | | | Low | Configuring alerts for the relevant categories on the security tools |
| Masquerading / replacing legitimate software with malware | A trojanized version of Windows Notepad: a fully functional application with added malicious code that runs on every launch | Windows, Sysmon, Endpoint Protection | High: long-term profiling | Building a profile of legitimate processes launched in Windows (host, user, image path) and comparing launched processes with the profile |
| | | | Low | Launching system processes from non-standard directories |
| | | | Low | Using the application control mechanism of the Endpoint Protection solution |
| Launcher | | | | |
| Loading and running DLLs | Can load different payloads and run the corresponding DLL and config file | Sysmon, Endpoint Protection | Medium: long-term profiling | Tracking events of an unsigned DLL being loaded into a running process. In general, profiling of the certificates used in the system will be required, since attackers can sign DLLs with readily available certificates (Comodo, etc.) |
| Separate process | A standalone executable (EXE) file | Windows Event Log | High: long-term profiling | Building a profile of legitimate processes launched in Windows (host, user, image path) and comparing launched processes with the profile |
| | | | Low | Using the application control mechanism of the Endpoint Protection solution |
| IEC-101 component | | | | |
| Stopping a legitimate process and replacing it with its own | Attempts to stop the legitimate process that controls the RTU and replace it with itself. The 101 component terminates this process and accesses the specified device using the Windows API functions CreateFile, WriteFile and ReadFile. The first COM port from the configuration file is used for actual communication; the other two are opened to prevent other processes from accessing them. Thus, the 101 component can take over control of the RTU | Windows | High | Detecting process stop events in Windows. Important: the scenario does not work on Windows 8.1 and higher, and it needs an additional check for service stops caused by host shutdown. It is better to implement it through checks in the IT monitoring system (Zabbix, for example) |
| Interaction with the RTU (via COM port) | Attempts to change RTU parameters by iterating over the entire IOA range. For each IOA it creates a command packet and sends it to the RTU. The main purpose of the component is to change the value of the switch: in the first stage it tries to switch the IOA to Off, in the second to On, and in the final stage back to Off | PLC logs, Endpoint Protection | High: integration with a specific type of PLC (logging capabilities vary) | There are currently no examples of explicit detection of such an event. The scenario logic has to be developed individually, depending on the logging capabilities of the PLC and the AWP |
| Creating a log file on the file system | To report results to the attacker, the IEC-104 component keeps a log file of its work | Sysmon, Endpoint Protection | Low (but also low efficiency) | Using specific IoCs: the names of files created in the OS |
| IEC-104 component | | | | |
| Stopping a legitimate process | Attempts to stop the legitimate process controlling the RTU. By default this is D2MultiCommService.exe or another process specified in the configuration | Windows | High | Detecting process stop events in Windows. Important: the scenario does not work on Windows 8.1 and higher, and it needs an additional check for service stops caused by host shutdown. It is better to implement it through checks in the IT monitoring system (Zabbix, for example) |
| Interaction with the RTU (via TCP/IP) | Attempts to connect to the RTU and change its parameters using the functions of the IEC-104 protocol itself. To do this, it first enumerates the available IOAs, then tries to change their values | Firewall, IDS | Low | Processing alerts of the corresponding security tool (scan events) |
| | | | Medium | Based on the firewall logs, counting the number of unique hosts / ports from one source host within the required time interval. It is recommended to limit the list of ports on which the “scan” check is performed; this reduces SIEM load and improves detection accuracy |
| Creating a log file on the file system | To report results to the attacker, the IEC-104 component keeps a log file of its work | Sysmon, Endpoint Protection | Low (but also low efficiency) | Using specific IoCs: the names of files created in the OS |
| IEC 61850 component | | | | |
| Running processes | Exists as a separate executable file (61850.exe) and DLL (61850.dll) | Windows, Sysmon, Endpoint Protection | High | Process launches in Windows are profiled (host, user, image path). It is recommended to add exceptions for dynamic paths |
| Scanning devices | Has a scan function: determines the IP addresses of all interfaces and scans all discovered networks for TCP port 102 connectivity | Firewall, IDS | Low | Processing alerts of the corresponding security tool (scan events) |
| | | | Low | Based on the firewall logs, counting the number of unique hosts / ports from one source host within the required time interval. It is recommended to limit the list of ports on which the “scan” check is performed; this reduces SIEM load and improves detection accuracy |
| Interaction with the RTU (via TCP/IP) | Connects to the RTU to collect information about the device and its status | PSB | Low | Processing alerts of the corresponding security tool: commands sent, parsing of the corresponding protocols, alerts on deviations from the “standard” set of commands, etc. |
| Creating a log file on the file system | Writes all collected data (IP addresses, variable values and node state) to a log file | Sysmon, Endpoint Protection | Low (but also low efficiency) | Using specific IoCs: the names of files created in the OS |
| OPC DA component | | | | |
| Process start | A separate malicious tool, OPC.exe and OPCClientDemo.dll, supposedly based on the open-source OPC Client project. Run remotely using xp_cmdshell | Windows, Sysmon, Endpoint Protection | High | Process launches in Windows are profiled (host, user, image path). It is recommended to add exceptions for dynamic paths |
| Scanning devices | Using the OPC DA protocol, determines the available OPC servers and searches for information on ABB devices (IOPCBrowseServerAddressSpace) | PSB | Low | Processing alerts of the corresponding security tool: scan events |
| Changing configuration | Tries to change the state of the detected OPC items via the IOPCSyncIO interface by writing the value 0x01 twice | PSB | Low | Processing alerts of the corresponding security tool: parameter changes |
| Creating a log file on the file system | Writes all collected data to a log file (OPC server name, OPC item name, status, quality code and value) | Sysmon, Endpoint Protection | Low (but also low efficiency) | Using specific IoCs: the names of files created in the OS |
| Data wiper | | | | |
| Process start | The component’s file name is haslo.dat or haslo.exe; it can be executed by the launcher or used as a standalone malicious tool | Windows, Sysmon, Endpoint Protection | High | Process launches in Windows are profiled (host, user, image path). It is recommended to add exceptions for dynamic paths |
| Changing service configuration | Sets the ImagePath registry value to an empty string in every entry it encounters under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry key | Windows, Sysmon, Endpoint Protection | Low | Changes to the corresponding registry branches (ImagePath parameter) |
| Deleting important files | Scans all connected hard drives and deletes important configuration files (.pcmp, .paf, etc.) | Windows, Endpoint Protection | Low | Monitoring mass changes or deletions of critical files (taking into account application setup and operating features when configuring the system for monitoring) |
| Stopping legitimate processes | Tries to terminate all processes, including system processes, except its own. This causes the system to stop responding and eventually crash | Windows | High | Detecting process stop events in Windows. Important: the scenario does not work on Windows 8.1 and higher, and it needs an additional check for service stops caused by host shutdown. It is better to implement it through checks in the IT monitoring system (Zabbix, for example) |
| Additional tool: port scanner | | | | |
| Port scan | Works similarly to NMAP | Firewall, PSB | Low | Processing alerts of the corresponding security tool: scan events |
| | | | Low | Based on the firewall logs, counting the number of unique hosts / ports from one source host within the required time interval. It is recommended to limit the list of ports on which the “scan” check is performed; this reduces SIEM load and improves detection accuracy |
| Additional tool: DoS module | | | | |
| Exploiting vulnerabilities | Exploits the CVE-2015-5374 vulnerability to make the device freeze | PSB | Low | Processing alerts of the corresponding security tool |
| Entering firmware update mode | The DoS puts the device into Firmware Update mode | PLC logs, PSB | Low | Processing alerts of the corresponding security tool: the FIRMWARE UPDATE command being sent |
| | | | High: integration with a specific type of PLC (logging capabilities vary) | Identifying the command from the PLC logs. However, depending on vendor and version, these may not contain sufficient information (user, IP address, etc.) |
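The “unique hosts / ports from one source host within a time interval” scenario that appears several times in the table above, worked through on a constructed firewall log. This is an added example, not code from the original article; the log format, addresses, thresholds and the 60-second window are assumptions, and the watched ports are the standard ports of IEC 61850 MMS (102), IEC 60870-5-104 (2404), Modbus/TCP (502) and DNP3 (20000), which is the port restriction the scenario recommends.

```python
"""Scan detection over firewall logs, as described in the table above: count
unique destination hosts / ports from one source host inside a time window,
restricted to a short list of ICS ports. Added example, not from the original
article; the log format, hosts and thresholds are invented for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# key=value format of a hypothetical firewall; real exports differ per vendor.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=tcp dport=(?P<dport>\d+)$"
)
# Limiting the port list keeps SIEM load down and avoids alerting on normal
# office traffic (the article's recommendation). 102 = IEC 61850 MMS,
# 2404 = IEC 60870-5-104, 502 = Modbus/TCP, 20000 = DNP3.
WATCHED_PORTS = {102, 2404, 502, 20000}
WINDOW = timedelta(seconds=60)
HOST_THRESHOLD = 5   # distinct targets from one source: horizontal sweep (61850 component)
PORT_THRESHOLD = 3   # distinct watched ports on one target: vertical scan (port scanner)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}

def detect_scans(lines):
    events = [e for e in map(parse_line, lines) if e and e["dport"] in WATCHED_PORTS]
    events.sort(key=lambda e: e["ts"])
    window = defaultdict(deque)   # per source: events inside the last WINDOW
    alerts, alerted = [], set()   # one alert per source keeps the output readable
    for e in events:
        q = window[e["src"]]
        q.append(e)
        while e["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()
        hosts = {x["dst"] for x in q}
        ports_by_dst = defaultdict(set)
        for x in q:
            ports_by_dst[x["dst"]].add(x["dport"])
        max_ports = max(len(p) for p in ports_by_dst.values())
        kind = None
        if len(hosts) >= HOST_THRESHOLD:
            kind = "host-sweep"
        elif max_ports >= PORT_THRESHOLD:
            kind = "port-scan"
        if kind and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({"src": e["src"], "kind": kind, "hosts": len(hosts),
                           "max_ports": max_ports, "first": q[0]["ts"].isoformat(),
                           "last": e["ts"].isoformat()})
    return alerts

def _line(ts, src, dst, dport):
    return f"{ts} allow src={src} dst={dst} proto=tcp dport={dport}"

# Constructed sample: a Data Historian polling three RTUs every 20 s (normal),
# an Industroyer-style sweep of a subnet on TCP 102, a vertical scan of one RTU,
# a slow probe that never fills the window, and an HTTP line that is ignored.
SAMPLE_LOG = (
    [_line(f"2016-12-17T21:00:{s:02d}", "10.10.7.100", f"10.10.7.{h}", 2404)
     for s in (0, 20, 40) for h in (11, 12, 13)]
    + [_line(f"2016-12-17T21:10:{s:02d}", "10.10.5.20", f"10.10.7.{h}", 102)
       for s, h in zip(range(0, 16, 2), range(1, 9))]
    + [_line(f"2016-12-17T21:12:0{i}", "10.10.5.21", "10.10.7.15", p)
       for i, p in enumerate((102, 2404, 502))]
    + [_line(f"2016-12-17T21:{20 + 2 * i}:00", "10.10.5.22", f"10.10.7.{h}", 102)
       for i, h in enumerate((1, 2, 3, 4, 5))]
    + [_line("2016-12-17T21:10:01", "10.10.5.20", "10.10.7.200", 80)]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

On the sample log only the subnet sweep and the vertical scan are reported; the historian polling and the slow probe stay below the thresholds, which is the trade-off a SIEM analyst tunes with the window and the port list.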
In addition to the correct configuration of protection and detection tools, a timely and qualified response to an attack by an information security specialist is also important. One of the main difficulties in dealing with attacks like Industroyer is that there are significant differences between the IT and OT domains. The analyst must know how industrial protocols work, what components the systems consist of, what certain actions of an intruder can lead to, and also have a general idea of the technological processes in the company. At Rostelecom-Solar, for example, Solar JSOC specialists are trained on lab stands and improve their qualifications through knowledge exchange and building a knowledge base. In addition, our ICS protection specialists are always involved in connecting a specific APCS to monitoring,
Conclusion
The Industroyer attack targeted power companies, but cybercriminals can use similar methods and techniques in other sectors of the economy. The combination of SOC-based detection and response to cyberattacks with the correct implementation of technical and organizational measures to protect the infrastructure will significantly reduce the likelihood of a successful cyberattack.
In particular, the SOC must see both the IT infrastructure and the production networks at the same time. An especially important task is to detect an attack in the early stages of the Cyber Kill Chain, since by the time data is destroyed or commands are sent to the PLC it is too late to do anything. That is why SOC analysts should have access to events and logs from a variety of IT equipment / software and from the industrial segment, including PLCs, workstations, application software, SCADA and Historian servers, domain controllers, network equipment and specialized information security systems.
ICS monitoring has its own specifics, but the general principles are similar to detecting attacks in the IT infrastructure. However, SOC analysts need training to understand the general principles of industrial systems and the protocols and technologies they use.