An industrial control system was hacked through a multi-stage attack. An attacker first spearphished a user to gain access to the network. They then used remote desktop and remote access software to access the HMI and manipulate control points, disrupting industrial processes. The attack demonstrated tactics like phishing, credential dumping, lateral movement, and control manipulation. Improving security monitoring, hardening systems, limiting access, and increasing user awareness could help prevent similar attacks.
RSAC 2021 Spelunking Through the Steps of a Control System Hack
1. #RSAC
SESSION ID: SBX4-XIL6
Spelunking Through the Steps of a Control System Hack
Tom VanNorman
Co-Founder
ICS Village
@ICS_Village
Dan Gunter
CEO & Founder
Insane Forensics
@insaneforensics
2. #RSAC
Tom VanNorman
Tom VanNorman has an extensive background in industrial controls and enjoys getting into
the field and making things work. Prior to joining GRIMM Tom held various roles all focused
on the operation, engineering and security of industrial control systems.
Tom started his career in the U.S. Air Force, eventually retiring with a total of 24 years
between Active Duty, Reserves and Air Guard. He spent the last half of his service serving on a
National Mission Team in a Cyber Operations Squadron. In addition to GRIMM, Tom is the co-
founder of the ICS Village and consults with SANS on the construction and operation of Cyber
Ranges. The ICS Village is a non-profit educational organization that equips industry and
policymakers to better defend industrial equipment through experiential awareness,
education, and training.
Tom calls the Lehigh Valley Pennsylvania home with his six kids. In his spare time, he enjoys
outdoor activities and riding motorcycles.
3. #RSAC
Dan Gunter
Dan Gunter is the founder and CEO of Insane Forensics, a San Antonio, Texas-based
technology company that provides a digital Forensics-as-a-Service platform for forward, at-home
investigations, as well as tailored forensics services. Prior to Insane Forensics, Dan was
an early employee at Dragos, an industrial cybersecurity startup, where he established and
served as Director of Research and Development and as one of the first principal analysts
executing and advising on threat hunting in power, oil & gas, mining, and other critical
infrastructure environments. Before Dragos, Dan served as an officer in the United States Air
Force with a variety of offensive and defensive roles across DoD.
Education:
Graduate Certificate, Incident Response, SANS Institute
Master of Science, Computer Science, Univ of Louisville
Bachelor of Science, Computer Science, Baylor
Certifications:
SANS: GREM, GNFA, GCFA, GCIA, GCIH, GSEC
ISC2: CISSP
EC-Council: CEH
CompTIA: Sec+
Training:
MIT Innovation Leadership Bootcamp
Graduate, DoD Computer Network Operations Development Program
Distinguished Graduate, AFRL Rome ACE Cybersecurity Bootcamp
Publications:
SANS: A Practical Model for Conducting Cyber Threat Hunting
SANS: Hunting with Rigor: Quantifying the Breadth, Depth and
Threat Intelligence Coverage of a Threat Hunt in Industrial Control
System Environments
4. #RSAC
You are an on-call industrial cybersecurity professional. And your work phone starts ringing.
10. #RSAC
Spikes in Modbus and ENIP Traffic Before Steep Dive Appear between Three IP Addresses
11. #RSAC
Context of Three IP Addresses
192.168.100.100 (HMI)
192.168.100.50 (Micrologix PLC)
192.168.100.20 (Axc 1050 PLC)
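The slide points at a burst of Modbus and ENIP traffic between the HMI and the two PLCs followed by a steep drop. The script below is an added example (not code from the talk or from ICS Village) of the detection logic behind that observation: it buckets per-pair packet counts into one-minute windows, compares each window with that pair's median rate, and reports bursts together with whether the following window collapsed. The flow records are constructed sample data, and the port-to-protocol mapping (502 Modbus/TCP, 44818 EtherNet/IP) and which PLC speaks which protocol are assumptions made for the sample, not facts from the talk.

```python
"""Flag bursts of ICS protocol traffic between an HMI and its PLCs.

Added example (not from the presentation): per-minute packet counts for
each (source, destination, protocol) are compared with that pair's median
rate, and any window well above the median is reported along with whether
the following window collapsed below it, the "spike then steep drop"
shape the network data in the talk showed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed port-to-protocol mapping: 502 is Modbus/TCP, 44818 is EtherNet/IP
# explicit messaging (ENIP). Which PLC speaks which protocol is also an
# assumption made for the sample data, not a statement about the real lab.
PROTO_BY_PORT = {502: "modbus", 44818: "enip"}

HMI = "192.168.100.100"        # addresses from the talk
MICROLOGIX = "192.168.100.50"
AXC = "192.168.100.20"


def _minute(m):
    return f"2021-04-29 09:{m:02d}:00"


# Constructed flow records: (timestamp, src, dst, dst_port, packets).
# Fifteen minutes at ~20 packets/min, a burst in minutes 10-11 and a
# near-silent minute 12.
_BURST = {10: (400, 380), 11: (350, 330), 12: (2, 3)}  # minute -> (modbus, enip)
FLOWS = []
for _m in range(15):
    _modbus, _enip = _BURST.get(_m, (20, 20))
    FLOWS.append((_minute(_m), HMI, AXC, 502, _modbus))
    FLOWS.append((_minute(_m), HMI, MICROLOGIX, 44818, _enip))


def bucket_counts(flows, window_s=60):
    """Sum packets per (src, dst, proto) into fixed time windows."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, dport, pkts in flows:
        proto = PROTO_BY_PORT.get(dport)
        if proto is None:          # not an ICS protocol we track
            continue
        epoch = int(datetime.fromisoformat(ts).timestamp())
        bucket = epoch - epoch % window_s
        counts[(src, dst, proto)][bucket] += pkts
    return counts


def find_spikes(counts, factor=5.0):
    """Report windows at least `factor` times the pair's median rate.

    `drop_after` is True when the very next window fell below the median,
    i.e. the burst was followed by a steep drop rather than a new plateau.
    """
    alerts = []
    for (src, dst, proto), series in counts.items():
        buckets = sorted(series)
        baseline = median(series[b] for b in buckets)
        if baseline <= 0:
            continue
        for i, b in enumerate(buckets):
            pkts = series[b]
            if pkts < factor * baseline:
                continue
            nxt = series[buckets[i + 1]] if i + 1 < len(buckets) else None
            alerts.append({
                "src": src, "dst": dst, "proto": proto,
                "window": datetime.fromtimestamp(b).strftime("%H:%M"),
                "packets": pkts, "baseline": baseline,
                "drop_after": nxt is not None and nxt < baseline,
            })
    return alerts


if __name__ == "__main__":
    for a in find_spikes(bucket_counts(FLOWS)):
        print(f'{a["window"]} {a["src"]}->{a["dst"]} {a["proto"]}: '
              f'{a["packets"]} pkts (median {a["baseline"]})'
              f'{", then steep drop" if a["drop_after"] else ""}')
```

A median baseline is used rather than a mean so that the burst itself does not inflate the baseline it is measured against; on real flow data the window length and factor would be tuned per protocol, since a polling HMI produces a very regular rate that makes even a modest multiplier meaningful.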
12. #RSAC
T0831 - Manipulation of Control
Objective
Adversaries may manipulate physical process
control within the industrial environment.
Methods of manipulating control can include
changes to set point values, tags, or other
parameters.
Adversaries may manipulate control systems
devices or possibly leverage their own, to
communicate with and command physical
control processes.
The duration of manipulation may be
temporary or longer sustained, depending on
operator detection.
Source: https://collaborate.mitre.org/attackics/index.php/Technique/T0831
Known Attackers
Sandworm/Electrum
– Ukraine 2015 & Ukraine 2016
Equation
– Stuxnet
17. #RSAC
Windows Event Logs Show Successful Login From 192.168.100.23 At Time of Event
(Figure: Event ID 4624 log entry, with the Username and Source IP fields highlighted)
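The 4624 entry on the slide is the pivot point of the whole chain, so it is worth seeing what a review of those records looks like in code. This is an added example, not from the talk: it walks simplified 4624 records, keeps only LogonType 10 (RemoteInteractive, the type an RDP session produces), and flags logons whose source or account is outside an RDP policy or that are the first time a given account has been seen from a given source. The records, the policy (allowed subnet, allowed account, known pairings) and the host name are constructed; the 192.168.100.23 source address is the one shown in the talk.

```python
"""Review Windows 4624 logon events for RDP sessions into an HMI.

Added example, not from the presentation. Event ID 4624 is the Windows
"successful logon" record; LogonType 10 (RemoteInteractive) is the type an
RDP session produces. Two checks are applied: does the source address and
account match the site's RDP policy, and has this account ever RDP'd from
this source before. The records and the policy are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed, simplified 4624 records (the real event carries many more fields).
EVENTS_4624 = [
    {"time": "2021-04-29 08:55:10", "host": "HMI01", "TargetUserName": "engineer",
     "IpAddress": "192.168.100.5", "LogonType": 10},
    {"time": "2021-04-29 09:02:40", "host": "HMI01", "TargetUserName": "operator",
     "IpAddress": "-", "LogonType": 2},                # console logon, no source IP
    {"time": "2021-04-29 09:11:58", "host": "HMI01", "TargetUserName": "operator",
     "IpAddress": "192.168.100.23", "LogonType": 10},  # source IP from the talk
    {"time": "2021-04-29 09:13:05", "host": "HMI01", "TargetUserName": "engineer",
     "IpAddress": "192.168.100.5", "LogonType": 10},
    {"time": "2021-04-29 09:20:00", "host": "HMI01", "TargetUserName": "svc_backup",
     "IpAddress": "192.168.100.9", "LogonType": 3},    # network logon, not RDP
]

# Hypothetical site policy: RDP to the HMI only from the engineering jump
# hosts, only by the engineering account, plus the (account, source)
# pairings already observed during a baseline period.
RDP_SOURCES = [ip_network("192.168.100.0/29")]
RDP_ACCOUNTS = {"engineer"}
KNOWN_PAIRS = {("engineer", "192.168.100.5")}

RDP_LOGON_TYPE = 10  # RemoteInteractive


def review_rdp_logons(events, sources=RDP_SOURCES, accounts=RDP_ACCOUNTS,
                      known_pairs=KNOWN_PAIRS):
    """Return one finding per RDP logon that breaks policy or is a new pairing."""
    seen = set(known_pairs)
    findings = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["LogonType"] != RDP_LOGON_TYPE:
            continue
        user = e["TargetUserName"].lower()
        src = e["IpAddress"]
        try:
            addr = ip_address(src)
        except ValueError:          # "-" placeholder: no remote source recorded
            continue
        if addr.is_loopback:        # local session brokering, not a remote peer
            continue
        reasons = []
        if not any(addr in net for net in sources):
            reasons.append(f"source {src} not in RDP allowlist")
        if user not in accounts:
            reasons.append(f"account {user} not approved for RDP")
        if (user, src) not in seen:
            reasons.append(f"first RDP logon for {user} from {src}")
        seen.add((user, src))
        if reasons:
            findings.append({"time": e["time"], "host": e["host"],
                             "user": user, "source": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_rdp_logons(EVENTS_4624):
        print(f'{f["time"]} {f["host"]} {f["user"]}@{f["source"]}: '
              + "; ".join(f["reasons"]))
```

The first-seen check is what the table later calls profiling user access behaviour: it catches a legitimate account used from an unfamiliar host even when the allowlist is too broad to trip. In production the `known_pairs` set would be built from a few weeks of history rather than hard-coded.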
18. #RSAC
T1021.001 – Remote Services: Remote Desktop Protocol
Objective
Adversaries may use Valid Accounts to log into a computer
using the Remote Desktop Protocol (RDP). The adversary
may then perform actions as the logged-on user.
Remote desktop is a common feature in operating systems. It
allows a user to log into an interactive session with a system
desktop graphical user interface on a remote system.
Microsoft refers to its implementation of the Remote
Desktop Protocol (RDP) as Remote Desktop Services (RDS).
Adversaries may connect to a remote system over RDP/RDS
to expand access if the service is enabled and allows access
to accounts with known credentials. Adversaries will likely
use Credential Access techniques to acquire credentials to
use with RDP. Adversaries may also use RDP in conjunction
with the Accessibility Features technique for Persistence.
Source: https://attack.mitre.org/techniques/T1021/001/
Known Attackers
APT1
APT3
APT39
APT41
APT40/Leviathan
Lazarus Group
OilRig
21. #RSAC
Remote Access Solution Logs Show New Participants Joining
2021/04/29 09:11:53.478 736 25492 G1 VoIP: Sender: Session 1513804143: VoIP streams: Participant added: "Chrome (XXX XXX XXX)" [968607818,976214507]
22. #RSAC
T1219 – Remote Access Software
Objective
An adversary may use legitimate desktop support and remote
access software, such as Team Viewer, Go2Assist, LogMein,
AmmyyAdmin, etc, to establish an interactive command and
control channel to target systems within networks. These
services are commonly used as legitimate technical support
software, and may be allowed by application control within a
target environment. Remote access tools like VNC, Ammyy, and
Teamviewer are used frequently when compared with other
legitimate software commonly used by adversaries.
Remote access tools may be established and used post-
compromise as alternate communications channel for redundant
access or as a way to establish an interactive remote desktop
session with the target system. They may also be used as a
component of malware to establish a reverse connection or
back-connect to a service or adversary controlled system.
Admin tools such as TeamViewer have been used by several
groups targeting institutions in countries of interest to the
Russian state and criminal campaigns.
Source: https://attack.mitre.org/techniques/T1219/
Known Attackers
Sandworm Team/Electrum
– Ukraine 2015
Kimsuky
– Korea Hydro & Nuclear Power
Carbanak
28. #RSAC
T1566.002 – Phishing: Spearphishing Link
Objective
Adversaries may send spearphishing emails containing a malicious link in an attempt to gain access to victim systems. Spearphishing with a link relies on the user following the link rather than on an attached file, which lets the message get past defenses that inspect attachments. In this incident the initial foothold on the network came from a user following a spearphishing link.
Source: https://attack.mitre.org/techniques/T1566/002/
Known Attackers
APT1
APT28
APT29
APT32
APT33
APT39
Dragonfly 2.0
Leviathan/APT40
OilRig
29. #RSAC
T1113 – Screen Capture
Objective
Adversaries may attempt to take screen captures of the
desktop to gather information over the course of an
operation. Screen capturing functionality may be included as
a feature of a remote access tool used in post-compromise
operations. Taking a screenshot is also typically possible
through native utilities or API calls, such as CopyFromScreen,
xwd, or screencapture.
Source: https://attack.mitre.org/techniques/T1113/
Known Attackers
APT28
APT29
APT39
Dragonfly 2.0
OilRig
31. #RSAC
How Do We Prevent, Detect, and Respond to this Type of Scenario
32. #RSAC
Four main questions from this incident
What happened?
What could have happened?
What did not happen?
What can be done to reduce the risk of this happening again?
33. #RSAC
What happened?
• An attacker successfully compromised a network using real-world TTPs.
• The attacker gained access to the Industrial Control System by discovering an HMI with Remote Desktop enabled and pivoting to it.
• The attacker changed critical setpoints of the control system via the HMI.
• An intrusion did indeed happen and should not be taken lightly.
34. #RSAC
What could have happened?
• Nothing. Had the operator not opened the email, the intrusion would not have happened.
• The attacker could have deployed ransomware.
• The attacker could have destroyed files or caused a denial of service condition.
• The attacker could have caused health, life, safety, and quality impacts by changing setpoints on the HMI.
35. #RSAC
What did not happen?
• A lot
• No loss of health, life, safety, or quality.
• While the process was not designed with cyber-physical security features, it was designed with industry practice in mind:
  • Good Engineering Practices (GEP)
  • Good Engineering Practice (GEP) consists of proven and accepted engineering methods, procedures, and practices that provide appropriate, cost-effective, and well-documented solutions to meet user requirements and comply with applicable regulations.
  • Recognized And Generally Accepted Good Engineering Practices (RAGAGEP)
  • The PSM Standard, 29 CFR 1910.119, directly references or implies the use of RAGAGEP.
36. #RSAC
What can be done to reduce the risk of this happening again?
• Let's take a look at what happened step by step
37. #RSAC
Defending Against The Attack
T0831 - Manipulation of Control
  What We Saw:
  • Video of effect on ICS equipment
  • Significant increase then drop in ICS protocol network traffic between HMI and PLCs
  How To Prevent:
  • Limit control traffic to/from essential zones
  • Regularly audit and harden critical systems
  How To Detect:
  • Validate industrial protocol monitoring depth
  • Review retention strategy
T1021.001 – Remote Services: Remote Desktop Protocol
  What We Saw:
  • Attacker pivoted from entry point to HMI with RDP
  How To Prevent:
  • Audit remote desktop user group
  • Limit RDP traffic to/from essential zones
  How To Detect:
  • Monitor Windows Event 4624 records
  • Profile user access behaviors across network and host logs
T1219 – Remote Access Software
  What We Saw:
  • Attackers used remote access software for initial access
  How To Prevent:
  • Monitor and limit scope (where practical) of remote access
  • 2FA
  How To Detect:
  • Audit access software network and host logs
  • Look for secondary behavior (i.e., other attacker actions)
T1566.002 – Phishing: Spearphishing Link
  What We Saw:
  • Initial access gained via spearphishing
  How To Prevent:
  • User awareness training
  How To Detect:
  • Monitor outbound and inbound email traffic to OT zones
  • Monitor for newness and odd DNS/HTTP traffic
  • Monitor user account usage for compromise
T1113 – Screen Capture
  What We Saw:
  • Screen capture contained remote access credentials to access network
  How To Prevent:
  • Very challenging to prevent due to being a built-in feature
  How To Detect:
  • Very challenging to detect
  • Monitoring clipboard might help but doesn't scale
  • Look for binaries with screenshot capabilities on OT network
38. #RSAC
Make Sure You Can Observe Deep Enough Into the Process and Correlate Process and Security Data
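The slide's point, and the "Participant added" log line shown earlier for T1219, come together when the separate sources are laid on one clock. The script below is an added example, not code from the talk: it parses the remote access solution's "Participant added" line in the format the talk showed, merges it with constructed Windows 4624, network and process-historian events, and chains events that fall within a few minutes of each other so that an incident reads end to end. Everything except the quoted remote access line (whose participant name was already redacted in the talk) is constructed sample data; the other log formats are invented for illustration rather than taken from any product.

```python
"""Stitch remote-access, Windows, network and process events into one timeline.

Added example, not from the presentation. It parses the remote access
solution's "Participant added" line in the format shown in the talk,
combines it with constructed Windows, network and process-historian
events, and chains events that fall within a short window of each other so
that a single incident can be read end to end.
"""
import re
from datetime import datetime, timedelta

# The log line from the talk (participant name redacted in the original).
RA_LINE = ('2021/04/29 09:11:53.478 736 25492 G1 VoIP: Sender: Session 1513804143: '
           'VoIP streams: Participant added: "Chrome (XXX XXX XXX)" [968607818,976214507]')

RA_RE = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+ .*?Session (\d+): '
                   r'.*?Participant added: "([^"]+)"')


def parse_remote_access(line):
    """Turn a 'Participant added' line into a timeline event, or None."""
    m = RA_RE.match(line)
    if not m:
        return None
    return {"time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
            "source": "remote_access",
            "detail": f"session {m.group(2)}: participant {m.group(3)!r} added"}


def _t(hhmmss):
    return datetime.strptime(f"2021-04-29 {hhmmss}", "%Y-%m-%d %H:%M:%S")


# Constructed events from the other three sources (formats are illustrative).
OTHER_EVENTS = [
    {"time": _t("08:30:00"), "source": "windows",
     "detail": "4624 LogonType 10 engineer from 192.168.100.5 on HMI01"},
    {"time": _t("09:11:58"), "source": "windows",
     "detail": "4624 LogonType 10 operator from 192.168.100.23 on HMI01"},
    {"time": _t("09:12:10"), "source": "network",
     "detail": "Modbus/ENIP packet rate HMI->PLCs far above median"},
    {"time": _t("09:12:30"), "source": "process",
     "detail": "historian: setpoint on 192.168.100.20 changed from HMI"},
]


def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Group events into chains where each event is within `window` of the previous.

    Chains that involve fewer than `min_sources` distinct data sources are
    dropped: a lone logon or a lone traffic blip is not, by itself, a story.
    """
    chains, current = [], []
    for e in sorted(events, key=lambda e: e["time"]):
        if current and e["time"] - current[-1]["time"] > window:
            chains.append(current)
            current = []
        current.append(e)
    if current:
        chains.append(current)
    return [c for c in chains if len({e["source"] for e in c}) >= min_sources]


def incident_chains():
    """Correlate the remote access line from the talk with the constructed events."""
    events = OTHER_EVENTS + [parse_remote_access(RA_LINE)]
    return correlate(events)


if __name__ == "__main__":
    for chain in incident_chains():
        print("--- chain ---")
        for e in chain:
            print(f'{e["time"]:%H:%M:%S} [{e["source"]}] {e["detail"]}')
```

The chain only exists because the process historian and the security logs share a time base and are retained long enough to be queried together, which is exactly what the "monitoring depth" and "retention strategy" rows of the table are asking for.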
39. #RSAC
Take-Aways
Immediate Action:
– Understand current defense collection and analysis scope
– Assess the strengths and improvement areas of your people, process &
technology balance
– Understand what you need to protect and how your process works
– Develop a relationship with the operations and engineering department
– Security training for all personnel
3 Months From Now:
– Improve collection and/or analysis scope to one more attack scenario
– Invest in additional people, process, or technology to improve your security
program
40. #RSAC
SESSION ID: SBX4-XIL6
Thank You For Joining Us!
Tom VanNorman
Co-Founder
ICS Village
@ICS_Village
Dan Gunter
CEO & Founder
Insane Forensics
@insaneforensics