APT Attacks on Critical Infrastructure

  1. APT Attacks on Critical Infrastructure
     Miroslav Štampar (mstampar@zsis.hr)
  2. Disclaimer
     Cyber Defense Symposium, Mali Losinj (Croatia), August 19th, 2017
     - I don't do attribution.
     - The majority of the research data has been gathered from Western world sources (anti-virus companies, media, academia, etc.)
  3. Critical Infrastructure
     "...sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the <country> that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof." [Department of Homeland Security]
  4. Advanced Persistent Threat (APT)
     "Advanced persistent threat is a military term adapted into the information security context that refers to attacks carried out by nation-states ... It is also typical of APT attacks to go after a country's infrastructure, such as its power grids, nuclear reactors, or fuel pipelines." [Trend Micro]
  5. World Powers
     #cyberwarfare #apt #critical
  6. Characteristics (1)
     - Multi-modular (e.g. key sniffing, screenshot capturing, LAN MiTM, etc.)
     - Larger size than regular malware (e.g. 10MB)
     - Non-regular malware programming traits (e.g. LUA programming language)
     - Support for multi-platform attacks (e.g. Windows OS, SIMATIC WinCC, etc.)
     - Support for communication with industrial process controllers (e.g. PLCs)
  7. Characteristics (2)
     - 9AM-5PM build / compilation timestamps
     - 0-day exploits
     - Support for infecting air-gapped networks
     - Digitally signed components (e.g. drivers)
     - Infection constraints (e.g. geo-location)
     - Attacked (victim) organizations have geo-political importance (e.g. nuclear plant, electric grid, etc.)
     - In short: APT modus operandi (attack vectors, etc.) + support for IPC (industrial process controllers)
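The "9AM-5PM build timestamps" trait is something an analyst can actually measure across a malware family: read the COFF TimeDateStamp from each PE sample and look at which UTC offset makes the builds cluster inside a working day. The example below is added here and is not code from the talk; the PE fixtures and their timestamps are constructed (a minimal DOS header, PE signature and COFF header is enough to carry the field), and the 9-17 window is the talk's own assumption.

```python
import struct
from datetime import datetime, timezone, timedelta

def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch, UTC) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header right after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def working_hours_fraction(timestamps, utc_offset_hours, start=9, end=17):
    """Share of builds that fall in [start, end) local time for the given fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hours = [datetime.fromtimestamp(ts, tz).hour for ts in timestamps]
    return sum(1 for h in hours if start <= h < end) / len(hours)

def likeliest_office_timezone(timestamps):
    """UTC offset under which the largest share of builds lands in office hours, with that share.

    Ties are broken towards the offset closest to UTC. This is a weak signal only:
    timestamps are trivially forged or zeroed by the builder.
    """
    best = max(range(-12, 15),
               key=lambda off: (working_hours_fraction(timestamps, off), -abs(off)))
    return best, working_hours_fraction(timestamps, best)

def make_minimal_pe(timestamp: int) -> bytes:
    """Constructed fixture: the smallest byte layout that carries a COFF TimeDateStamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff

# Constructed sample set: six builds on weekdays in UTC+3 office hours plus one late-night outlier.
_TZ3 = timezone(timedelta(hours=3))
SAMPLE_TIMESTAMPS = [
    int(datetime(2017, 8, day, hour, tzinfo=_TZ3).timestamp())
    for day, hour in [(14, 9), (14, 10), (15, 11), (16, 14), (17, 15), (18, 16), (18, 23)]
]
SAMPLE_PES = [make_minimal_pe(ts) for ts in SAMPLE_TIMESTAMPS]

if __name__ == "__main__":
    stamps = [pe_compile_timestamp(pe) for pe in SAMPLE_PES]
    offset, share = likeliest_office_timezone(stamps)
    print(f"builds cluster in office hours at UTC{offset:+d} ({share:.0%} of samples)")
```

Run it over the real samples of one family rather than a handful of files; a single timestamp means nothing, and a compiler that writes a fixed or zero TimeDateStamp will show up as an implausible year and should be dropped before the analysis.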
  8. Stuxnet (1)
     Natanz nuclear enrichment lab in Iran
  9. Stuxnet (2)
     - USA and Israel targeting Iran (2005-2012)
     - Attacked Windows OS (four 0-day vulnerabilities), Siemens PCS 7, WinCC, STEP7 and Siemens S7 PLC
     - Silent if Siemens software was not found on infected computers
     - Faked control sensor signals to prevent shutting down due to abnormal behavior
     - Caused fast-spinning centrifuges to tear themselves apart (1064Hz→1410Hz→2000Hz)
     - Around 1,000 centrifuges destroyed
  10. Stuxnet (3)
     Zero Days (2016)
  11. Flame (1)
     - USA and UK targeting Iran (2010-2012)
     - "20 times" more complicated than Stuxnet
     - Written in LUA (scripting language) and C++
     - Flame is only the name of one module; others include Boost, Flask, Jimmy, Munch, Snack, Spotter, Transport, Euphoria, Headache, etc.
     - Believed to be Stuxnet's successor
     - Unlike Stuxnet, it is believed that Flame has been designed only (?) for cyber-espionage, i.e. to collect and delete sensitive information (no destruction in the physical realm)
  12. Flame (2)
  13. Duqu
     - USA targeting Iran (2007-2011 and 2014-2015)
     - Probably related to Stuxnet (same source code used)
     - Caught in the wild with a payload for gathering information that could be used against ICS
     - Uses JPEG files and encrypted dummy files (e.g. ~DQ7.tmp) to smuggle data (e.g. user digital certificates and private keys)
     - Windows OS 0-day vulnerabilities and digitally signed components
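Smuggling data inside JPEG files, as the Duqu slide describes, usually means appending a payload after the image's EOI marker, where viewers ignore it. A defender can check for that without any knowledge of the payload format: walk the JPEG segments, find where the image really ends, and look at how much follows and how random it is. The example below is added here and is not code from the talk or from any Duqu analysis; the two JPEG fixtures are constructed (a minimal JFIF header, one scan with a stuffed 0xFF00 byte and an RST marker, then EOI), and the entropy threshold is an assumption.

```python
import math
from collections import Counter

def find_jpeg_eoi(data: bytes) -> int:
    """Return the offset just past the EOI marker, walking segments by their length fields."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")   # includes the 2 length bytes
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: entropy-coded data until a real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("EOI marker not found")

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted or compressed data, lower for text or padding."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def inspect_jpeg(data: bytes, entropy_threshold: float = 4.5) -> dict:
    """Report bytes appended after the image and whether they look like a hidden payload."""
    tail = data[find_jpeg_eoi(data):]
    entropy = round(shannon_entropy(tail), 2)
    return {
        "trailing_bytes": len(tail),
        "trailing_entropy": entropy,
        "suspicious": len(tail) > 0 and entropy >= entropy_threshold,   # threshold is an assumption
    }

def make_jpeg(tail: bytes = b"") -> bytes:
    """Constructed fixture: minimal JFIF with one scan, optionally with data appended after EOI."""
    soi = b"\xff\xd8"
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"     # stuffed 0xFF00 and an RST0 inside the scan
    eoi = b"\xff\xd9"
    return soi + app0 + sos + scan + eoi + tail

CLEAN_JPEG = make_jpeg()
SMUGGLING_JPEG = make_jpeg(bytes(range(200, 232)))   # 32 distinct bytes standing in for a payload

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("smuggling", SMUGGLING_JPEG)):
        print(name, inspect_jpeg(blob))
```

Some legitimate files do carry bytes after EOI (multi-picture MPO containers, camera firmware junk), so treat a hit as a triage signal to be paired with the slide's other indicators rather than a verdict; the same entropy check applied to files like the encrypted ~DQ7.tmp dummies flags them for the same reason.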
  14. BlackEnergy (1)
     - Russian Federation targeting Ukraine (2014-2015)
     - Russian cyber espionage group Sandworm
     - Trojan (2007-...) used for DDoS, espionage, information destruction (KillDisk), etc.
     - Starting in 2014, a SCADA plugin targeting ICS (Industrial Control Systems) and energy markets worldwide
     - Power facility Prykarpattya Oblenergo
     - December 23rd 2015: 50% of homes in the Ivano-Frankivsk region (population ca. 1.4 million) left without electricity for a few hours
  15. BlackEnergy (2)
  16. Cleaver
     - Iran targeting 16 countries (USA, Israel, China, Saudi Arabia, India, Germany, France, etc.) (2014)
     - Military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals and aerospace industry organizations worldwide
     - Attacking a wide range of platforms (Microsoft, Linux, Cisco VPNs, potentially ICS/SCADA, etc.)
     - Probably a retaliation for Stuxnet et al.
     - Demonstration of Iran's cyber capabilities for additional geopolitical leverage (though no 0-days were found)
  17. Regin
     - USA and UK targeting non-English speaking countries (including EU) (2011-2015)
     - Persistent, long-term mass surveillance operations against targets
     - Among others, attacking telecom providers (Belgacom) to gain access to calls being routed through the compromised infrastructure
     - Parts (later) described in Snowden's leak
     - Encrypted virtual file system (EVFS), communication with C&C over ICMP, HTTP cookies, custom TCP/UDP protocols, etc.
  18. DragonFly (1)
     - Russian Federation targeting EU, USA and Canada (2011-2014)
     - Also known as "Energetic Bear"
     - Cyber-espionage attacks against the aviation sector, energy sector and industrial control systems
     - Phishing emails, watering hole attacks (Lightsout exploit kit) and update hijacks
     - Remote Access Tool (RAT) Oldrea / Havex
     - Hacked sites as C&Cs
  19. DragonFly (2)
  20. Shamoon
     - Iran targeting countries in the Persian Gulf (particularly Saudi Arabia) (2012 and 2016-2017)
     - Oil and energy-sector organizations
     - Spear phishing attacks as the main point of entry
     - Designed to cause "mass destruction" in the local network
     - Stealing information and destroying infected machines (Master Boot Record, MBR): Wiper module
     - Saudi Aramco: 30,000 computers damaged
  21. Dust Storm
     - China targeting Japan, South Korea, USA and EU (2010-2016)
     - Cyber-espionage attacks against oil, gas, electric utilities and transportation companies, etc.
     - Spear phishing attacks as the main point of entry
     - Android trojan(s) (forwarding SMS messages, exfiltration of files, etc.)
     - Microsoft Windows trojan(s) (infection through IE, Word and Flash 0-day exploits)
  22. Industroyer
     - ??? (2016-2017)
     - Specifically designed to attack electrical grids (four different industrial communication protocols)
     - Maybe (???) used in the December 17th 2016 cyber-attack on Ukraine's power grid: part of Kiev without power for one hour
     - Considered to be a large-scale test for (potential) future attacks
     - Tor communication with C&C
     - Wiper and DoS (Siemens SIPROTEC) components
  23. Questions?