STRICTLY PRIVATE & CONFIDENTIAL © 2015
BlackEnergy - Pushing the Country to Total Darkness
Power Outage for Several Hours in Ivano-Frankivsk Region of Ukraine

On December 24, 2015, three different distribution oblenergos (energy companies) were attacked, resulting in several substation outages that caused approximately 225,000 customers to lose power across various areas of the Ivano-Frankivsk Region of Ukraine.
The attack was limited to three distribution oblenergos. Other distribution companies, transmission substations, power generation plants and the control center were not impacted by this attack.
While the impacted oblenergos were able to restore service after an outage window that lasted several hours, they reportedly continue to operate their distribution systems in an operationally constrained mode.
Consolidated List of TTPs Used by the Attacker

1. Spear phishing to gain access to the business networks of the oblenergos
2. Use of BlackEnergy 3 malware to establish the first level of control in the IT network of the compromised oblenergos
3. Theft of credentials from the IT network and establishment of persistence
4. Use of existing virtual private networks (VPNs) from the IT network to enter the ICS network
5. Use of existing remote access tools within the SCADA environment, or issuing commands directly from a remote station in the same way an operator HMI would
6. Malicious firmware upgrade of the serial-to-Ethernet communications devices used to operate the field devices, i.e. the switchgear
7. Use of the KillDisk utility to erase the master boot record of the impacted organizations' systems, as well as targeted deletion of some logs
8. Manipulation of UPS systems to impact the substation directly with a power outage during the actual attack
9. Telephone denial-of-service attack on the call center to stop customers from registering complaints about the outage
1. Initial Spearphish

During the initial intrusion, malicious Office documents with embedded BlackEnergy 3 malware were delivered via email to individuals in the IT network of the electricity companies.
The emails were spoofed to appear to come from the Ukrainian parliament.
When these documents were opened, a popup encouraged users to enable the macros in the document.
Enabling the macros allowed the malware to use Office macro functionality to install BlackEnergy 3 on the victim system.
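The delivery vehicle on this slide, a macro-bearing Office document, can be spotted at the mail gateway or on an analyst's workstation without opening it. The script below is an added example and is not code from the Paladion deck. It relies on one documented property of modern Office (OOXML) files: they are ZIP containers, and an embedded VBA project is stored as a part named vbaProject.bin that [Content_Types].xml declares with the content type application/vnd.ms-office.vbaProject. Checking the container is more reliable than trusting the file extension. The sample documents it builds are constructed stand-ins, not real Office files; legacy binary .doc/.xls (OLE) files are out of scope and would need a different parser.

```python
"""Flag macro-bearing OOXML documents by inspecting the ZIP container.

Added example, not code from the Paladion deck. Sample inputs are constructed.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions where a VBA project is expected; macros elsewhere are a mismatch.
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}


def find_macro_parts(data: bytes) -> list[str]:
    """Return the ZIP part names that carry a VBA project (empty if none).

    Two signals are combined: a part literally named vbaProject.bin, and any
    part declared with the VBA content type even if it was renamed.
    Non-ZIP input yields an empty list.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    with zf:
        names = set(zf.namelist())
        hits = {n for n in names if n.lower().endswith("vbaproject.bin")}
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for el in root.iter():
                # Tags are namespaced; compare on the local name only.
                if el.tag.split("}")[-1] == "Override" and el.get("ContentType") == VBA_CONTENT_TYPE:
                    hits.add(el.get("PartName", "").lstrip("/"))
    return sorted(hits)


def classify(filename: str, data: bytes) -> str:
    """Triage verdict: 'clean', 'macro' or 'macro-mismatch'.

    'macro-mismatch' means a VBA project inside a file whose extension claims
    to be macro-free (e.g. .docx); that combination deserves a closer look.
    """
    parts = find_macro_parts(data)
    if not parts:
        return "clean"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "macro" if ext in MACRO_EXTENSIONS else "macro-mismatch"


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped ZIP for testing (not a real document)."""
    overrides = [
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_macro:
            overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            # Constructed stand-in for a compiled VBA project: OLE header bytes plus padding.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            + "".join(overrides) + "</Types>",
        )
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, macro in (("report.docx", False), ("report.docm", True), ("report.docx", True)):
        print(name, "->", classify(name, build_sample_document(macro)))
```

Run as a filter over inbound attachments, the "macro" verdict is a policy question (does this sender need to mail macro-enabled files?), while "macro-mismatch" is a strong signal on its own, since a legitimate tool would not put a VBA project under a macro-free extension.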
2. First Level of Compromise and Establishment of C2

Upon installation, the BlackEnergy 3 malware connected to command and control (C2) IP addresses.
It enabled communication with the attacker over an SSH channel.
As per current investigations, the attackers appear to have gained access more than six months prior to December 23, 2015, when the power outage occurred.
3. Credential Theft and Persistence

C2 communications allowed the attacker to gather information from the environment.
The attacker used keyloggers to steal credentials. It then harvested credentials, escalated privileges and moved laterally throughout the environment (e.g. targeting the directory service infrastructure to directly manipulate and control the authentication and authorization system).
After stealing legitimate user identities, the attacker established persistence in the IT network as an authorized user.
4. Use of VPN to Get into the SCADA Network

The attacker identified VPN connections in the IT network that authorized users use to connect to the SCADA network.
The attacker used these as the main avenue to get inside the SCADA network.
It then conducted reconnaissance of the SCADA network to understand the environment and prepare for the next step of the compromise: the SCADA systems.
It collected information on the different Distribution Management Systems (SCADA-DMS) used in the oblenergos and on the remote terminal units, e.g. the serial-to-Ethernet devices that convert signals from SCADA to the circuit breakers.
5. Remotely Control the SCADA

After gaining an understanding of the SCADA-DMS, PLCs and RTUs, the attacker invested time in preparation for the actual hack. This involved learning how to interact with the three distinct DMS environments using the native controls present in the operator screens.
More importantly, they developed malicious firmware for the serial-to-Ethernet devices.
The attacker likely had test systems in their own organization on which they could evaluate the malicious firmware.
The attacker delivered the malicious firmware using a remote administration tool available on the operator workstation.
The attacker installed KillDisk software across the SCADA environment. The attacker also modified the connection to the UPS system in one of the oblenergos. This was used later to push the substation into darkness and add more chill to the chaos.
6. Malicious Firmware Upgrade of the Switchgear

The attacker used the SCADA-DMS to open the breakers. At least 27 substations (the total number is probably higher) were taken offline across the three energy companies, impacting roughly 225,000 customers.
Simultaneously, the attackers uploaded the malicious firmware to the serial-to-Ethernet devices controlling the switchgear. This ensured that even if the operator workstations were recovered, remote commands could not be issued to bring the substations back online.
7. Use of KillDisk to Render Operator Workstations Inoperable

The attacker used the KillDisk software to delete the Master Boot Record of the compromised operator workstations.
KillDisk also erased many other critical system files of the operator workstations. This rendered the operator workstations inoperable during the actual attack.
Many of the operators were locked out of their workstations, making them silent spectators to the hack.
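When a wiped workstation is recovered for forensics, the first 512 bytes of the disk tell an analyst quickly whether the Master Boot Record described above was destroyed. The script below is an added example, not code from the Paladion deck. It parses the standard MBR layout (boot code, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510) and reports whether the sector is zeroed, has lost its boot signature, has no partition entries, or differs from a known-good SHA-256 baseline. Reading the sector from a disk image is left to the caller; the sector used here is constructed.

```python
"""Triage a captured boot sector for MBR destruction.

Added example, not code from the Paladion deck. The sample MBR is constructed.
"""
import hashlib
import struct
from typing import Optional

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY = "<B3xB3xII"
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Decode the partition table and the integrity markers of one MBR sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "all_zero": not any(sector),
            "partitions": partitions}


def sha256_hex(sector: bytes) -> str:
    return hashlib.sha256(sector).hexdigest()


def assess(sector: bytes, baseline_sha256: Optional[str] = None) -> list[str]:
    """Return human-readable findings; an empty list means the sector looks intact.

    The baseline hash would come from a golden image or a pre-incident backup
    of the same workstation build.
    """
    info = parse_mbr(sector)
    findings = []
    if info["all_zero"]:
        findings.append("sector is all zeros (wiped)")
    elif not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("no partition entries")
    if baseline_sha256 is not None and sha256_hex(sector) != baseline_sha256:
        findings.append("MBR hash differs from baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Construct an intact-looking MBR with one bootable NTFS-type (0x07) partition."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xeb\x63\x90"  # constructed jump stub standing in for boot code
    struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = sha256_hex(good)
    print("intact:", assess(good, baseline) or "no findings")
    print("wiped: ", assess(bytes(MBR_SIZE), baseline))
```

A zeroed sector is the obvious case; the hash comparison also catches a sector that still carries a valid signature but whose boot code or partition table was altered, which a visual check of the four entries alone would miss.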
8. Manipulation of the UPS Systems in One of the Oblenergos

In one of the oblenergos, the attackers discovered a network-connected UPS.
The attacker reconfigured it so that when the attacker caused a power outage, it was followed by an event that would impact the power in the substation as well.
9. Telephone DoS Attack on the Call Center

As the power outage was in progress, the attackers also used telephone systems to generate thousands of calls to the energy company's call center.
This prevented legitimate customers from reporting outages to the call center.
Cyber Kill Chain Mapping of the Hack
Lessons Learned

End users should be made aware of phishing attacks. Phishing simulation workshops should be part of a larger information security awareness program.
Use endpoint protection solutions with anti-malware and application whitelisting capabilities to detect and prevent the installation of malicious software.
Use threat intelligence for active detection of IOCs as part of the security monitoring of the network, systems and endpoints.
Use threat intelligence to detect anomalies in network traffic, e.g. a sudden increase in outgoing data volume, unusual protocols in use, new encrypted traffic, etc.
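The last lesson is concrete enough to implement. The script below is an added example, not code from the Paladion deck; it runs the three checks the slide lists over flow records: a sudden increase in a host's outgoing volume, a destination port/protocol the host never used in the baseline period, and a new external peer (new encrypted traffic to an unfamiliar host shows up as the last two, which is how the SSH C2 channel from slide 5 would present). The record shape is modelled on a NetFlow/IPFIX or firewall export; the records here are constructed, with RFC 5737 documentation addresses standing in for Internet hosts, and the "internal" address ranges are an assumption a site would set to its own.

```python
"""Baseline-versus-window anomaly checks over outbound flow records.

Added example, not code from the Paladion deck. Sample flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Assumed site-local ranges; set to the organization's actual address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    src: str
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    bytes_out: int   # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def profile_hosts(flows):
    """Per internal host: total egress bytes, set of (dport, proto), set of external peers."""
    prof = defaultdict(lambda: {"bytes": 0, "services": set(), "peers": set()})
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            p = prof[f.src]
            p["bytes"] += f.bytes_out
            p["services"].add((f.dport, f.proto))
            p["peers"].add(f.dst)
    return prof


def detect(baseline_flows, window_flows, base_periods: int, spike_factor: float = 3.0):
    """Compare one observation window against a baseline spanning base_periods windows.

    Returns (host, kind, detail) tuples; kinds are new-talker, volume-spike,
    new-service and new-peer. Egress volume is normalized to one window so a
    week-long baseline is comparable to a single day.
    """
    base = profile_hosts(baseline_flows)
    cur = profile_hosts(window_flows)
    alerts = []
    for host, p in sorted(cur.items()):
        b = base.get(host)
        if b is None:
            alerts.append((host, "new-talker", "no outbound traffic in baseline"))
            continue
        expected = b["bytes"] / base_periods
        if expected > 0 and p["bytes"] > spike_factor * expected:
            alerts.append((host, "volume-spike", f"{p['bytes']} B vs expected ~{expected:.0f} B"))
        for dport, proto in sorted(p["services"] - b["services"]):
            alerts.append((host, "new-service", f"{proto}/{dport} not seen in baseline"))
        for peer in sorted(p["peers"] - b["peers"]):
            alerts.append((host, "new-peer", peer))
    return alerts


def sample_data():
    """Constructed: seven quiet days, then a day with a large SSH upload to a new host."""
    day, t0 = 86_400, 1_450_000_000
    baseline = []
    for d in range(7):
        baseline.append(Flow(t0 + d * day, "10.0.0.5", "203.0.113.10", 443, "tcp", 50_000))
        baseline.append(Flow(t0 + d * day, "10.0.0.9", "203.0.113.10", 443, "tcp", 20_000))
    window = [
        Flow(t0 + 7 * day, "10.0.0.5", "203.0.113.10", 443, "tcp", 50_000),
        Flow(t0 + 7 * day + 60, "10.0.0.5", "198.51.100.7", 22, "tcp", 400_000),
        Flow(t0 + 7 * day, "10.0.0.9", "203.0.113.10", 443, "tcp", 21_000),
    ]
    return baseline, window


if __name__ == "__main__":
    b, w = sample_data()
    for alert in detect(b, w, base_periods=7):
        print(*alert)
```

The spike factor and the baseline length are the tuning knobs: a long baseline smooths out normal variation, while a low factor trades more alerts for earlier detection. Intel feeds slot in where the new-peer check fires, by testing the peer address against known C2 indicators before raising the alert's severity.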
Lessons Learned

Adequately segregate the IT network and the SCADA network.
Use two-factor authentication for VPN connections. Use a jump host with NAC to avoid split tunneling by remote support employees. Implement session timeouts for VPN connections.
Implement segregation of duties (SOD) in SCADA applications to limit the privileges of a single role. Avoid the use of vendor default or shared user IDs and passwords on operator or engineering workstations.
© 2015 PALADION NETWORKS PRIVATE LIMITED | WWW.PALADION.NET | CONFIDENTIAL