We’re seeing a change in cybercrime and the way cyberattacks are being performed. A recent set of attacks against critical infrastructure entities exposes a new approach to cybercrime and critical infrastructure hacks. Oil and gas pipeline operators, utilities and even some city and state governments were among the targets, and the attacks reveal the following new methods and motives.
Attackers were not out to steal data but were looking to disrupt services. Attackers used a new attack vector not previously seen. Instead of attacking primary targets directly, the attackers zeroed in on less secure vendors of those targets. We will be looking at how they did this along with how this can be prevented.
Step One – Reconnaissance
Before launching an attack, hackers first identify a vulnerable target and explore the best ways to exploit it. The initial target can be anyone in an organization. The attackers simply need a single point of entry to get started. Targeted phishing emails are common in this step, as an effective method of distributing malware.
The whole point of this phase is getting to know the target. The questions that hackers are answering at this stage are:
1. Who are the important people in the company?
They discover this information by looking at the company web site or LinkedIn.
2. Who do they do business with?
For this they may be able to use social engineering, by making a few “sales calls” to the company. Another way is good old-fashioned dumpster diving.
3. What public data is available about the company?
Hackers collect IP address information and run scans to determine what hardware and software are being used. They also commonly check the ICANN web registry database.
The more time hackers spend researching the people and systems at the company they’re targeting, the more successful the hacking attempt will be.
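The scanning described above leaves a trace that defenders can look for: one source touching many distinct ports on one host in a short time. The following is an added example (not code from the original post or from Velta Technology) that flags such sources in a constructed, simplified firewall log; the line format "epoch src_ip dst_ip dst_port action", the sample addresses and the thresholds are all assumptions.

```python
"""Flag sources that probe many distinct ports on one host within a short window.

Added example for the reconnaissance discussion; not code from the original post.
The log format is a constructed, simplified firewall line:
    "<epoch> <src_ip> <dst_ip> <dst_port> <action>"
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 sweeps ten ports on 192.0.2.10 in ten seconds,
# while 10.0.0.7 is ordinary web traffic spread over several minutes.
SAMPLE_LOG = """\
1700000000 10.0.0.5 192.0.2.10 21 DENY
1700000001 10.0.0.5 192.0.2.10 22 ALLOW
1700000002 10.0.0.5 192.0.2.10 23 DENY
1700000003 10.0.0.5 192.0.2.10 25 DENY
1700000004 10.0.0.5 192.0.2.10 80 ALLOW
1700000005 10.0.0.5 192.0.2.10 110 DENY
1700000006 10.0.0.5 192.0.2.10 143 DENY
1700000007 10.0.0.5 192.0.2.10 443 ALLOW
1700000008 10.0.0.5 192.0.2.10 445 DENY
1700000009 10.0.0.5 192.0.2.10 3389 DENY
1700000010 10.0.0.7 192.0.2.10 443 ALLOW
1700000100 10.0.0.7 192.0.2.10 443 ALLOW
1700000200 10.0.0.7 192.0.2.10 80 ALLOW
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action


def find_port_scans(log_text, window_seconds=60, port_threshold=8):
    """Return {(src, dst): distinct_port_count} for every source/destination
    pair that touched at least port_threshold distinct ports inside some
    sliding window of window_seconds. Denied and allowed hits both count,
    because a scan is about breadth, not whether any single probe succeeded."""
    events = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _ = parse_line(line)
        events[(src, dst)].append((ts, port))

    hits = {}
    for pair, items in events.items():
        items.sort()
        left = 0
        for right in range(len(items)):
            # Advance the left edge until the window spans at most window_seconds.
            while items[right][0] - items[left][0] > window_seconds:
                left += 1
            distinct = {port for _, port in items[left:right + 1]}
            if len(distinct) >= port_threshold:
                hits[pair] = max(hits.get(pair, 0), len(distinct))
    return hits


if __name__ == "__main__":
    for (src, dst), count in find_port_scans(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst}, {count} distinct ports")
```

The thresholds are deliberately parameters: a vulnerability scanner you run yourself will trip the same rule, so in practice the detection is paired with an allow-list of known scanner addresses rather than a lower threshold.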
Step Two – Weaponization
In this phase, the hacker uses the information they gathered in the previous phase to create what they need to get into the network. This could be creating believable Spear Phishing e-mails. These would look like e-mails employees of the targeted company could potentially receive from a known vendor or other business contact.
The next step is creating Watering Holes, or fake web pages. These web pages will look identical to a vendor’s web page or even a bank’s web page. The sole purpose of this step is to capture your username and password, or to offer you a free download of a document or something else of interest.
The final thing the attacker will do in this stage is to collect the tools that they plan to use once they gain access to the network so that they can successfully exploit any vulnerabilities they find.
Step Three – Delivery
Now the attack starts. Phishing e-mails are sent, Watering Hole web pages are posted to the Internet and the attacker waits for all the data they need to start rolling in. If the Phishing e-mail contains a weaponized attachment, then the attacker waits for someone to open the attachment and the subsequent malware to call home.
Step Four – Exploitation
Now the ‘fun’ begins for the hacker. As usernames and passwords arrive, the hacker tries them against web-based e-mail systems or VPN connections to the target company network. If malware-laced attachments were sent, then the attacker remotely accesses the infected computers. The attacker explores the network and gains a better idea of the traffic flow on the network, what systems are connected and how they can be exploited.
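Trying harvested usernames and passwords against webmail or a VPN gateway produces a recognisable pattern in the authentication log: one source failing against many different accounts, sometimes followed by a success. The following added example (not code from the original post or from Velta Technology) detects that pattern over a constructed log; the line format "epoch src_ip user result", the sample addresses, user names and thresholds are all assumptions.

```python
"""Detect one source testing credentials across many accounts (password spraying /
credential testing) and report any success that follows.

Added example for the exploitation discussion; not code from the original post.
Constructed log format: "<epoch> <src_ip> <user> <FAIL|SUCCESS>"
"""
from collections import defaultdict

# Constructed sample: 198.51.100.9 fails against five accounts in 25 seconds and then
# logs in as "frank"; 203.0.113.4 is a user who mistyped a password once.
SAMPLE_AUTH_LOG = """\
1700000000 198.51.100.9 alice FAIL
1700000005 198.51.100.9 bob FAIL
1700000010 198.51.100.9 carol FAIL
1700000015 198.51.100.9 dave FAIL
1700000020 198.51.100.9 erin FAIL
1700000025 198.51.100.9 frank SUCCESS
1700000030 203.0.113.4 alice FAIL
1700000035 203.0.113.4 alice SUCCESS
"""


def detect_password_spray(log_text, window_seconds=600, account_threshold=5):
    """Return {src_ip: {"accounts_tried": n, "successes": [users]}} for each source
    whose failures covered at least account_threshold distinct accounts within any
    window_seconds window. "successes" lists logins from that source that happened
    after the threshold was crossed; those are the sessions to investigate first."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        by_src[src].append((int(ts), user, result))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        recent_fails = []        # (ts, user) failures still inside the window
        spraying = False
        successes_after = []
        for ts, user, result in events:
            # Drop failures that have aged out of the window.
            recent_fails = [(t, u) for t, u in recent_fails if ts - t <= window_seconds]
            if result == "FAIL":
                recent_fails.append((ts, user))
                if len({u for _, u in recent_fails}) >= account_threshold:
                    spraying = True
            elif result == "SUCCESS" and spraying:
                successes_after.append(user)
        if spraying:
            alerts[src] = {
                "accounts_tried": len({u for _, u, r in events if r == "FAIL"}),
                "successes": successes_after,
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {info['accounts_tried']} accounts tried, "
              f"successful logins afterwards: {info['successes']}")
```

Counting distinct accounts rather than raw failures is what separates this from a simple lockout rule: a spray stays under the per-account lockout threshold by design, so per-account counters never fire.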
Step Five – Installation
In this phase the attacker makes sure they continue to have access to the network. They will install a persistent backdoor, create Admin accounts on the network, disable firewall rules and perhaps even activate Remote Desktop access on Servers and other systems on the network. The intent at this point is to make sure that the attacker can stay in the system for as long as they need to.
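Each of the persistence actions listed above (a new account added to the administrators group, the host firewall switched off, Remote Desktop enabled, a task or service created for a backdoor) is individually noisy on a busy network, but several of them on one host inside an hour is a strong signal. The following added example (not code from the original post or from Velta Technology) correlates constructed Windows-style security events per host. The event IDs used are real Windows Security log IDs (4720 account created, 4732 member added to a local group, 4688 process created, 4657 registry value modified, 4698 scheduled task created) and fDenyTSConnections is the real registry value that gates Remote Desktop; the JSON field names, host names, user names and the one-hour window are assumptions.

```python
"""Correlate persistence-related security events per host.

Added example for the installation discussion; not code from the original post.
The record shape below is constructed; the event IDs and the fDenyTSConnections
registry value are real, the field names are an assumption.
"""
from collections import defaultdict

# Constructed sample: on SRV01 a service account creates "helpdesk2", adds it to
# Administrators, then that account turns the firewall off, enables RDP and
# registers a scheduled task. WS07 shows an ordinary account creation by IT.
SAMPLE_EVENTS = [
    {"ts": 1700000000, "host": "SRV01", "event_id": 4720, "subject": "svc_backup",
     "target_user": "helpdesk2"},
    {"ts": 1700000030, "host": "SRV01", "event_id": 4732, "subject": "svc_backup",
     "group": "Administrators", "member": "helpdesk2"},
    {"ts": 1700000090, "host": "SRV01", "event_id": 4688, "subject": "helpdesk2",
     "command_line": "netsh advfirewall set allprofiles state off"},
    {"ts": 1700000120, "host": "SRV01", "event_id": 4657, "subject": "helpdesk2",
     "object": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "new_value": "0"},
    {"ts": 1700000150, "host": "SRV01", "event_id": 4698, "subject": "helpdesk2",
     "task_name": "\\Updater"},
    {"ts": 1700003600, "host": "WS07", "event_id": 4720, "subject": "it_admin",
     "target_user": "newhire"},
]


def classify(event):
    """Map one event to a finding tag, or None if it is not persistence-related."""
    eid = event["event_id"]
    if eid == 4720:
        return "account_created"
    if eid == 4732 and event.get("group") == "Administrators":
        return "admin_group_member_added"
    if eid == 4688:
        cmd = event.get("command_line", "").lower()
        if "advfirewall" in cmd and "state off" in cmd:
            return "firewall_disabled"
    if (eid == 4657 and event.get("object", "").endswith("fDenyTSConnections")
            and event.get("new_value") == "0"):
        return "rdp_enabled"
    if eid == 4698:
        return "scheduled_task_created"
    return None


def find_persistence_clusters(events, window_seconds=3600, min_findings=3):
    """Return {host: [finding tags]} for hosts with at least min_findings distinct
    persistence findings inside any window_seconds window. Distinct tags are counted
    so that, for example, a burst of account creations alone does not alert."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((ev["ts"], tag))

    alerts = {}
    for host, items in by_host.items():
        for start_ts, _ in items:
            in_window = {tag for t, tag in items if start_ts <= t <= start_ts + window_seconds}
            # Keep the largest distinct set observed for this host.
            if len(in_window) >= min_findings and len(in_window) > len(alerts.get(host, [])):
                alerts[host] = sorted(in_window)
    return alerts


if __name__ == "__main__":
    for host, findings in find_persistence_clusters(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(findings)}")
```

A single account creation on WS07 produces no alert, which is the point: the individual events are routine administration, and it is the combination on one host in a short span that matches the installation phase.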
Step Six – Command and Control
Now they have access to the network, administrator accounts, and all the needed tools are in place. They now have unfettered access to the entire network. They can look at anything, impersonate any user on the network, and even send e-mails from the CEO to all employees. At this point they are in control. They can lock you out of your entire network if they want to.
Step Seven – Achieve the End Goal
Now that they have total control, they can achieve their objectives or end goal. This could be stealing information on employees, customers, product designs, etc., or they can start interfering with the operations of the company. Remember, not all hackers are after monetizable data. Some hackers are out to just mess things up.
If you take online orders, they could shut down your order-taking system or delete orders from the system. They could even create orders and have them shipped to your customers. If you have an Industrial Control System and they gain access to it, they could shut down equipment, enter new set points, and disable alarms. Not all hackers want to steal your money, sell your information or post your incriminating e-mails on WikiLeaks. Some hackers just want to cause you pain.
So, what now?
What can you do to protect your network, your company, even your reputation? You need to prepare for an attack. Let’s face it, sooner or later hackers WILL come for you, it’s just a matter of when and how. Don’t let yourself think that you don’t have anything that they want. Trust us, you do.
A Proven Cybersecurity Partner You Can Trust
Velta Technology’s cybersecurity team combines traditional IT best practices with a deep understanding of the sixteen critical infrastructure sectors and the operational technologies (OT) they employ. These sixteen sectors’ assets, systems, and networks, whether physical or virtual, are considered vital to the United States. Their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
Our team of experts draws on extensive knowledge and experience in all relevant areas, including risk management, operations, and human factors. This helps ensure all testing and the suggested mitigation measures are tailored to the specific needs of your industry as well as your unique business.
To get a Network Vulnerability and Operational Integrity Risk Assessment of your OT environment contact us at firstname.lastname@example.org. Or schedule time to speak with one of our Senior Cybersecurity Specialists here. Prevent a cyberattack before it happens. Be proactive versus reactive.
You can also get a copy of our eBook, Inside the Mind of a Cybercriminal, here.