According to the ICS-CERT MONITOR report, which summarizes the Industrial Control Systems Cyber Emergency Response Team’s (ICS-CERT) activities between May – August 2014, threat actors had access to the systems of an unnamed manufacturing organization for several months.
The attackers compromised the network of the organization and as explained in the report issued by the ICS-CERT a large number of hosts were compromised, the investigation also revealed a lateral movement of the intruders to extend their presence to the hacked architecture.
“A large critical manufacturing organization was compromised by multiple sophisticated threat actors over a period of several months. ICS-CERT received and analyzed digital media data provided by the organization and deployed an onsite incident response team to assist the organization with recovery efforts. “states the report.
The investigators discovered also that bad actors had managed to gain privileged access to machines by leveraging compromised domain accounts. The organization hit by the hackers has a large surface of attack, the experts discovered more than 100 entry and exit points connected to the Internet, a scenario not unusual for critical infrastructure.
Another typical problem in critical environments is that the overall architecture results composed by a numerous components that were added over the time making the infrastructure very heterogeneous and hard to control. As a result, the network is composed of a total of appliances and sometimes of entire networks that are integrated over time with little attention to security aspects.
“In this situation, re-architecting the network is the best approach to ensure that the company has a consistent security posture across its wide enterprise,” ICS-CERT said. “This organization is a conglomeration of multiple companies acquired in recent years. The acquisition and subsequent merging of multiple networks introduced latent weaknesses in network management and visibility, which allowed lateral movement from intruders to go largely undetected,” the report reads.
The document issued by the ICS-CERT also includes paragraph on Method of Exfiltration which specifically refers the Havex RAT, which has been used in the last months in cyber espionage campaigns. Researchers at FireEye in July have detected a new variant of Havex RAT, which scans SCADA network via Object linking and embedding for Process Control (OPC), their analysis confirmed the discovery made by security experts at F-Secure and Symantec which announced a surge of malicious campaigns based on “Havex” malware against critical infrastructure. The bad actors behind the Havex campaign mainly targeted companies in the energy industry with the intent to conduct industrial espionage against several American and European companies.
“Various reports have indicated that organizations in the energy, manufacturing, pharmaceutical and information technology sectors are among those targeted by this campaign. However, drawing conclusions about the specific intent of targeting is not well understood as all victims have not been identified. While the specific target and motive of the campaign is unclear, the situation elevates the presence of a new and potentially evolving threat against industries operating critical infrastructure,” ICS-CERT report .
Unfortunately incidents and cyber attacks to critical infrastructure are very frequent, a study from Unisys and the Ponemon Institute published in July revealed that 70% of 599 critical infrastructure analyzed had suffered at least one security breach in the last 12 months that caused disruption of operations or the loss of confidential data. In May US Congressmen Ed Markey and Henry Waxman issued the report “Electric grid vulnerability” on the level of security for US critical infrastructure which confirmed that US critical infrastructure under unceasing cyber attacks.
Security of critical infrastructure is a top priority for the US Government, recently the NIST has published a draft of cybersecurity framework , which outlines how private companies can protect themselves against cyberattacks, and security breaches.
(Security Affairs – Critical Infrastructure, ICS-CERT)