APT Attacks on Critical Infrastructure
Miroslav Štampar (mstampar@zsis.hr)
Cyber Defense Symposium, Mali Losinj (Croatia), August 19th, 2017
Disclaimer
I don’t do attribution. The majority of the research data has been gathered from Western-world sources (anti-virus companies, media, academia, etc.)
Critical Infrastructure
…sectors whose assets, systems, and networks,
whether physical or virtual, are considered so vital to
the <country> that their incapacitation or destruction
would have a debilitating effect on security, national
economic security, national public health or safety, or
any combination thereof.
[Department of Homeland Security]
Advanced Persistent Threat (APT)
“Advanced persistent threat is a military term
adapted into the information security context
that refers to attacks carried out by nation-
states … It is also typical of APT attacks to go
after a country’s infrastructure, such as its
power grids, nuclear reactors, or fuel
pipelines.”
[Trend Micro]
World Powers #cyberwarfare #apt #critical
Characteristics (1)
Multi-modular (e.g. key sniffing, screenshot capturing, LAN MitM, etc.)
Larger than regular malware (e.g. 10 MB)
Non-regular malware programming traits (e.g. Lua scripting language)
Support for multi-platform attacks (e.g. Windows OS, SIMATIC WinCC, etc.)
Support for communication with industrial process controllers (e.g. PLCs)
Characteristics (2)
9AM-5PM build / compilation timestamps (an office-hours pattern in the developers’ time zone)
0-day exploits
Support for infecting air-gapped networks (e.g. via removable media)
Digitally signed components (e.g. drivers signed with stolen certificates)
Infection constraints (e.g. geo-location, presence of specific software)
Attacked (victim) organizations have geopolitical importance (e.g. nuclear plant, electric grid, etc.)
In short: APT modus operandi (attack vectors, etc.) + support for talking to industrial process controllers
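Most of the traits in the two "Characteristics" lists above are things an analyst can measure on a sample. The Python below is an added example (not code from the original slides) that shows the compile-timestamp check: it reads the COFF TimeDateStamp straight out of a PE header and then scores every UTC offset by how many of a set of builds fall into a Monday-to-Friday, 9-to-5 window; the best-scoring offset is a hint at the developers’ time zone. The `make_fake_pe` builder, the forty sample timestamps and the 09:00-17:00 window are constructed for the demonstration. Caveat: the field is attacker-controlled and trivially forged, and Microsoft’s reproducible-build toolchain fills it with a hash rather than a time, so treat the result as one weak indicator among many.

```python
import struct
from datetime import datetime, timedelta, timezone


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970-01-01 UTC) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (MZ header missing)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def make_fake_pe(ts: int) -> bytes:
    """Constructed minimal PE header (assumption: just enough for the walk above)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew -> signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0)  # i386, 1 section, timestamp
    return bytes(hdr) + b"PE\0\0" + coff


def working_hours_fraction(timestamps, utc_offset_hours: int) -> float:
    """Share of timestamps that fall Mon-Fri between 09:00 and 16:59 at this UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        if local.weekday() < 5 and 9 <= local.hour < 17:
            hits += 1
    return hits / len(timestamps)


def infer_build_timezone(timestamps):
    """Return (utc_offset, score) for the offset at which most builds land in 9-to-5.
    Ties resolve to the most westerly offset; a score near 1.0 is the office-hours pattern."""
    scores = {off: working_hours_fraction(timestamps, off) for off in range(-12, 15)}
    best = max(scores, key=scores.get)
    return best, scores[best]


# Constructed sample: 40 builds, Mon 14 to Fri 18 Aug 2017, 09:30-16:30 in a UTC+3 office.
_DEV_TZ = timezone(timedelta(hours=3))
SAMPLE_TIMESTAMPS = [
    pe_compile_timestamp(make_fake_pe(int(datetime(2017, 8, day, hour, 30, tzinfo=_DEV_TZ).timestamp())))
    for day in range(14, 19)
    for hour in range(9, 17)
]

if __name__ == "__main__":
    offset, score = infer_build_timezone(SAMPLE_TIMESTAMPS)
    print(f"best fit: UTC{offset:+d} with {score:.0%} of builds in office hours")
```

On the constructed set the only offset that puts every build inside the window is UTC+3; shifting one hour either way drops the 09:30 or the 16:30 builds out of it, which is why the scoring is done over all offsets rather than a single guessed one.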
Stuxnet (1)
Natanz uranium enrichment facility in Iran
Stuxnet (2)
USA and Israel targeting Iran (2005-2012)
Attacked Windows OS (four 0-day vulnerabilities), Siemens PCS 7, WinCC, STEP 7 and Siemens S7 PLCs
Silent if Siemens software was not found on infected computers
Faked control sensor signals to prevent shutdown due to abnormal behavior
Caused fast-spinning centrifuges to tear themselves apart by manipulating drive frequencies (nominal 1064 Hz, pushed up to 1410 Hz and dropped to 2 Hz)
Around 1,000 centrifuges destroyed
Stuxnet (3)
Zero Days (2016), documentary film about Stuxnet
Flame (1)
USA and UK targeting Iran (2010-2012)
“20 times” more complicated than Stuxnet
Written in Lua (scripting language) and C++
Flame is the name of only one module; others include Boost, Flask, Jimmy, Munch, Snack, Spotter, Transport, Euphoria, Headache, etc.
Believed to be Stuxnet’s successor
Unlike Stuxnet, Flame is believed to have been designed only (?) for cyber-espionage: collecting and deleting sensitive information (i.e. no destruction in the physical realm)
Flame (2)
Duqu
USA targeting Iran (2007-2011 and 2014-2015)
Probably related to Stuxnet (shared source code)
Caught in the wild with a payload for gathering information that could be used against ICS
Uses JPEG files and encrypted dummy files (e.g. ~DQ7.tmp) to smuggle data (e.g. user digital certificates and private keys)
Windows OS 0-day vulnerabilities and digitally signed components
BlackEnergy (1)
Russian Federation targeting Ukraine (2014-2015)
Russian cyber espionage group Sandworm
Trojan (2007-...) used for DDoS, espionage, information destruction (KillDisk), etc.
Starting in 2014, a SCADA plugin targeting ICS (Industrial Control Systems) and energy markets worldwide
Regional power distribution company Prykarpattya Oblenergo: on December 23rd, 2015, 50% of homes in the Ivano-Frankivsk region (population approx. 1.4 million) were left without electricity for a few hours
BlackEnergy (2)
Cleaver
Iran targeting 16 countries (USA, Israel, China, Saudi Arabia, India, Germany, France, etc.) (2014)
Military, oil and gas, energy and utilities, transportation, airline, airport, hospital and aerospace organizations worldwide
Attacking a wide range of platforms (Microsoft, Linux, Cisco VPNs, potentially ICS/SCADA, etc.)
Probably a retaliation for Stuxnet et al.
Demonstration of Iran’s cyber capabilities for additional geopolitical leverage (though no 0-days were found)
Regin
USA and UK targeting non-English-speaking countries (including EU) (2011-2015)
Persistent, long-term mass surveillance operations against targets
Among others, attacking telecom providers (Belgacom) to gain access to calls routed through the compromised infrastructure
Parts (later) described in Snowden’s leaks
Encrypted virtual file system (EVFS); communication with C&C over ICMP, HTTP cookies, custom TCP/UDP protocols, etc.
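The Regin C&C channels listed above are chosen to look like ordinary traffic: ICMP echoes and HTTP cookies rather than a bespoke beacon. The script below is an added example, not code from the slides or from any Regin analysis, showing two generic heuristics a detection engineer can run over flow logs: ICMP echo packets whose payload is far larger than the 32 or 56 bytes a stock ping sends, and cookie values long and high-entropy enough to be an encoded blob rather than a session identifier. The key=value log format, the thresholds and the five sample lines are constructed assumptions; real Regin traffic is not modelled.

```python
import math
from collections import Counter

# Heuristic thresholds (assumptions; tune to the environment being monitored)
ICMP_MAX_NORMAL_PAYLOAD = 64   # stock ping payloads: 32 bytes (Windows), 56 bytes (Linux)
COOKIE_MIN_LEN = 32
COOKIE_MIN_ENTROPY = 4.5       # bits per character; ordinary session IDs score lower


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log_line(line: str) -> dict:
    """Constructed key=value format: the first '=' splits key from value, so a
    cookie value may itself contain '=' characters."""
    return dict(field.split("=", 1) for field in line.split())


def covert_channel_alerts(lines):
    """Run both heuristics over log lines; return one dict per suspicious record."""
    alerts = []
    for line in lines:
        rec = parse_log_line(line)
        proto = rec.get("proto")
        if proto == "icmp" and rec.get("type") in ("0", "8"):      # echo reply / request
            size = int(rec.get("payload_len", "0"))
            if size > ICMP_MAX_NORMAL_PAYLOAD:
                alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                               "reason": f"icmp echo payload of {size} bytes"})
        elif proto == "http" and rec.get("cookie"):
            for pair in rec["cookie"].split(";"):               # inspect each cookie on its own
                name, _, value = pair.strip().partition("=")
                ent = shannon_entropy(value)
                if len(value) >= COOKIE_MIN_LEN and ent >= COOKIE_MIN_ENTROPY:
                    alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                                   "reason": f"cookie '{name}' len={len(value)} entropy={ent:.2f}"})
    return alerts


# Constructed cookie value: every base64 symbol exactly once, so entropy is log2(64) = 6 bits/char
BLOB = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed sample log lines (not real traffic); lines ts=2 and ts=4 should be flagged
SAMPLE_LOGS = [
    "ts=1 proto=icmp src=10.0.0.23 dst=203.0.113.9 type=8 payload_len=56",
    "ts=2 proto=icmp src=10.0.0.23 dst=203.0.113.9 type=8 payload_len=1372",
    "ts=3 proto=http src=10.0.0.23 dst=203.0.113.9 host=cdn.example.net cookie=sid=abc123",
    f"ts=4 proto=http src=10.0.0.23 dst=203.0.113.9 host=cdn.example.net cookie=sid=abc123;u={BLOB}",
    "ts=5 proto=dns src=10.0.0.23 dst=10.0.0.1 qname=cdn.example.net",
]

if __name__ == "__main__":
    for a in covert_channel_alerts(SAMPLE_LOGS):
        print(f"ts={a['ts']} {a['src']} -> {a['dst']}: {a['reason']}")
```

Both checks are deliberately dumb: an attacker who pads ICMP to ping-sized chunks or base64-encodes into a low-entropy wordlist slips through, so in practice they are scored together with volume and periodicity per host pair rather than used as stand-alone signatures.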
DragonFly (1)
Russian Federation targeting EU, USA and Canada (2011-2014)
Also known as “Energetic Bear”
Cyber-espionage attacks against the aviation sector, the energy sector and industrial control systems
Phishing emails, watering hole attacks (Lightsout exploit kit) and hijacked software updates (trojanized ICS vendor installers)
Remote Access Tool (RAT) Oldrea / Havex
Hacked legitimate websites used as C&Cs
DragonFly (2)
Shamoon
Iran targeting countries in the Persian Gulf (particularly Saudi Arabia) (2012 and 2016-2017)
Oil and energy-sector organizations
Spear phishing attacks as the main point of entry
Designed to cause “mass destruction” in the local network
Steals information and then destroys infected machines by overwriting the Master Boot Record (MBR) with a Wiper module
Saudi Aramco: around 30,000 computers damaged
Dust Storm
China targeting Japan, South Korea, USA and EU (2010-2016)
Cyber-espionage attacks against oil, gas, electric utility and transportation companies, etc.
Spear phishing attacks as the main point of entry
Android trojan(s) (forwarding SMS messages, exfiltration of files, etc.)
Microsoft Windows trojan(s) (infection through IE, Word and Flash 0-day exploits)
Industroyer
Attribution unknown (2016-2017)
Specifically designed to attack electrical grids: speaks four industrial communication protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA)
Maybe (???) used in the December 17th, 2016 cyber-attack on Ukraine’s power grid, which left part of Kiev without power for one hour
Considered to be a large-scale test for (potential) future attacks
Tor communication with C&C
Wiper and DoS (Siemens SIPROTEC protection relays) components
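Industroyer’s grid payloads speak the protocols the control system already trusts, and IEC 60870-5-104 in particular carries no authentication: a breaker command is valid regardless of which host sends it, so the only practical control is knowing which hosts are supposed to send commands. The Python below is an added example (not ESET’s analysis and not Industroyer code): a minimal decoder for IEC 104 I-frames that extracts the ASDU type, cause of transmission, common address and first information object address, plus a check that raises an alert when a control ASDU (single, double or regulating-step command, or a general interrogation) arrives from a host outside an allowlist of authorised SCADA masters. The allowlist, the IP addresses and the three APDUs are constructed for the example; the decoder assumes unstructured (SQ=0) ASDUs and reports only the first information object.

```python
import struct

# Constructed allowlist (assumption): hosts that may issue control commands.
AUTHORISED_MASTERS = {"10.10.1.5"}

# ASDU type identifiers (IEC 60870-5-104) that change process state or force reports.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    100: "C_IC_NA_1 interrogation command",
}


def parse_iec104_apdu(data: bytes):
    """Decode one APDU. Returns a dict for I-frames (the ones carrying an ASDU)
    and None for S- and U-format control frames."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (start byte 0x68 missing)")
    apdu_len = data[1]                      # length of control field + ASDU
    if len(data) < 2 + apdu_len:
        raise ValueError("truncated APDU")
    ctrl1 = data[2]
    if ctrl1 & 0x01:                        # bit0 set: S-format (01) or U-format (11)
        return None
    asdu = data[6:2 + apdu_len]
    if len(asdu) < 9:
        raise ValueError("ASDU too short for type/VSQ/COT/CA/IOA header")
    type_id = asdu[0]
    sq, num_objects = asdu[1] >> 7, asdu[1] & 0x7F
    cot = asdu[2] & 0x3F                    # low 6 bits: cause; bit6 = P/N, bit7 = test
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)   # 3-byte little-endian IOA
    return {
        "type_id": type_id,
        "type_name": CONTROL_TYPES.get(type_id, "monitoring/other"),
        "sq": sq,
        "num_objects": num_objects,
        "cot": cot,
        "common_addr": common_addr,
        "ioa": ioa,
        "element": bytes(asdu[9:]),         # remaining bytes: command/value qualifiers
    }


def control_command_alerts(flows):
    """flows: iterable of (src_ip, dst_ip, apdu_bytes). Returns an alert dict for
    every control ASDU whose sender is not an authorised master."""
    alerts = []
    for src, dst, apdu in flows:
        info = parse_iec104_apdu(apdu)
        if info is None or info["type_id"] not in CONTROL_TYPES:
            continue
        if src not in AUTHORISED_MASTERS:
            alerts.append({"src": src, "dst": dst, **info})
    return alerts


# Constructed APDUs (not captured traffic). Layout: 0x68, length, 4 control bytes,
# then ASDU = type, VSQ, COT, originator, CA (2 bytes LE), IOA (3 bytes LE), element.
SINGLE_COMMAND_ON = bytes([0x68, 14, 0x00, 0x00, 0x00, 0x00,
                           45, 0x01, 6, 0x00, 0x01, 0x00,   # C_SC_NA_1, 1 obj, COT=activation, CA=1
                           0x01, 0x10, 0x00, 0x01])          # IOA=4097, SCO=ON / execute
SPONTANEOUS_STATUS = bytes([0x68, 14, 0x02, 0x00, 0x00, 0x00,
                            1, 0x01, 3, 0x00, 0x01, 0x00,    # M_SP_NA_1, COT=spontaneous
                            0x64, 0x00, 0x00, 0x01])         # IOA=100, SIQ=ON
S_FRAME = bytes([0x68, 0x04, 0x01, 0x00, 0x02, 0x00])        # receive-sequence ack only

SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.2.20", SINGLE_COMMAND_ON),   # authorised HMI: expected
    ("10.10.2.20", "10.10.1.5", SPONTANEOUS_STATUS),  # RTU reporting: ignore
    ("10.10.1.5", "10.10.2.20", S_FRAME),             # control frame: ignore
    ("10.10.3.77", "10.10.2.20", SINGLE_COMMAND_ON),  # engineering workstation: alert
]

if __name__ == "__main__":
    for a in control_command_alerts(SAMPLE_FLOWS):
        print(f"ALERT {a['src']} -> {a['dst']}: {a['type_name']} COT={a['cot']} "
              f"CA={a['common_addr']} IOA={a['ioa']} element={a['element'].hex()}")
```

The same frame is accepted from the HMI and flagged from the workstation, which is the point: the protocol itself cannot tell the two apart, so the allowlist has to live in the monitoring layer (or in a firewall that understands IEC 104), and the list of authorised masters needs to be maintained as carefully as the command set in CONTROL_TYPES.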
Questions?
