
ICS Cyber Attack Trends: Attacker Awareness and Security Strategies in 2020
Sarah Freeman
Idaho National Laboratory
2019: A Year In Review
• Supply Chain & Trusted Partner Targeting
• Cyber Espionage
• Increased Loss of View Attacks
• Adversary Improvements
Cyber Espionage
Emergence of New Players
APT32: Vietnam-based Theft, February 2019
• Original Emergence – ~2014
• Increased presence in February 2019
• Targets: automotive manufacturers, primarily in SE Asia and the U.S.
• Motivation: Theft of intellectual property and/or “corporate operational information”
  • Assessed activity in support of Vietnamese government’s stated domestic vehicle and auto part manufacturing goals
  • VinFast, first domestic manufacturer, released its flagship model in Sept. 2019
• Techniques: spear phishing and re-directs to compromised websites
Russian Reconnaissance: Xenotime, March 2019
• Xenotime interests remain varied from the U.S. to SE Asia, electric grid to ONG operations (March 2019)
• Analysis connects Xenotime to the Trisis compromise in Saudi Arabia in September 2017
• Probing behavior and network enumeration attempts against U.S. utilities in February 2019
  • Significantly: “Dragos did not observe any of these attack attempts result in a successful intrusion”
• Multi-sector interest – disturbing
• Dragos responds to another intrusion
  • April 2019
“Xenotime remains the most dangerous cyberthreat in the world, with the capability and intent to kill people…”
– Sergio Caltagirone, VP Threat Intelligence, Dragos
Nuclear Aspirations: Lazarus APT, Oct. 2019
• Dtrack – remote access tool (RAT) located within Kudankulam Nuclear Power Plant (KNPP) IT systems
  • Source code included hard-coded credentials to KNPP, indicating a targeted attack
  • Contains methods to collect browser history, passwords, host IPs, running processes, and all files on disk volumes
• North Korean-based cyber actors attempt to access information about India’s nuclear fuel yields at KNPP
  • India’s civilian and military programs are closely intertwined
Turla Masquerades, Cyber False Flags, 2018-2019
Supply Chain Ecosystem
Targeting Trusted Partners
Ransomware Norsk Hydro, March 2019
• 19 March 2019
• Intelligent Infection
  • Malicious attachment mirrored legitimate conversations with customers
• Cyber Insurance
  • Present, but insignificant
  • As of October, only 6% of losses had been received
China’s Access Campaign, July-August 2019
• 17 U.S. utilities are targeted by a malicious campaign
• Emails claimed to be from National Council of Examiners for Engineering and Surveying (NCEES), a South Carolina-based nonprofit
  • Second Set – Impersonates the Global Energy Certification (GEC)
• Embedded remote access trojan (RAT)
  • Capable of deleting files, taking screenshots, rebooting a machine, deleting itself from an infected network, etc.
• Low confidence attribution to China-based APT 10
  • Targeted Japanese corporations in 2018
[Example Email]
China Targets Aviation, January 2019
• Initial Infection: VPN compromise via third parties to access Airbus’ networks
• Attackers sought technical documentation regarding the certification process for components of the aircraft
• Activity also indicated an interest in Airbus-designed military planes
Russian Reconnaissance: Turla
• Since 2014 – Turla (aka Snake) has been hacking into victims' Microsoft Exchange servers
  • Installing LightNeuron backdoor
• LightNeuron backdoor for Exchange:
  • Allows Turla attackers to read and modify email messages, create and send their own messages, and block messages to users at the victim organization
Operational Improvements
Maximizing Adversary Investment
Iranian VPN Vuln Weaponization, August 2019
• Iranian-based hackers targeted a variety of VPN users, including IT, Telecommunication, Oil and Gas, Aviation, Government, and Security companies
• Exploited not 0Days, but baby vulns
  • Some as young as 1 day old
• Weaponized Vulns include:
  • Pulse Secure "Connect" VPN (CVE-2019-11510);
  • Fortinet FortiOS VPN (CVE-2018-13379);
  • Palo Alto Networks "Global Protect" VPN (CVE-2019-1579); and
  • Citrix "ADC" VPNs (CVE-2019-19781).
Iranian VPN Vuln Weaponization, August 2019 – Iranian tools
• STSRCheck – Self-developed databases and open ports mapping tool
• Port.exe – Tool to scan predefined ports for an IP address
• POWSSHNET – Self-developed backdoor malware for RDP-over-SSH tunneling
• Socket-based backdoor over cs.exe – An EXE file used to open a socket-based connection to a hardcoded IP address
• Custom VBScripts – Scripts to download TXT files from the C2 server and generate an executable file
OrangeWorm
• Dec. 2019 – IBM security team attributes ZeroCleare wiper to Iran
  • Multiple similarities with Shamoon malware family
  • Includes EldoS RawDisk, a legitimate software toolkit for interacting with files, disks, and partitions
• Access is achieved via brute force password hacking
  • Typically followed with exploitation of a SharePoint server to install a webshell
  • LPE (local privilege escalation) is followed with unpacking and launching of EldoS RawDisk to wipe data
New Wiper Attacks at Bapco, Dec. 2019
• Emergence of Dustman
  • Assessed to be an updated version of ZeroCleare (according to Saudi officials)
  • Includes EldoS RawDisk, a legitimate software toolkit for interacting with files, disks, and partitions
  • Prior to this event – Iranian actors used Shamoon and ZeroCleare exclusively to attack ONG
• Attack Specifics
  • Victim: Bapco, Bahrain's national oil company
  • Initial infection via the company’s VPN servers – July 2019
  • Assessed as a “last-ditch effort” to hide/destroy cyber forensic evidence
New Wiper Attacks at Bapco, Dec. 2019 – Prevention Techniques
• If SSL VPN connections are operationally necessary:
  • Implement a lockout mechanism for failed attempts (e.g., lockout after three failed connection attempts)
  • Validate the access control list (i.e., eliminate unused, default, test, and retired/resigned accounts)
  • Implement multi-factor authentication (MFA)
  • Consider blocking access for administrators and high privilege users
  • Ensure access logging is enabled for both failed and successful connection attempts
  • Institutionalize a periodic review of access logs taking note of any potential abnormalities:
    • Unusual access times
    • Unusual source locations
    • High number of failed attempts
    • Etc.
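The periodic log review the slide calls for can be scripted; the following is an added example, not material from the presentation or from INL, and its log format, business hours, expected source ranges and sample lines are all constructed assumptions.

```python
"""Review SSL VPN access logs for the abnormalities listed above:
unusual access times, unusual source locations, high failed-attempt counts."""
from collections import Counter
from datetime import datetime

# Constructed sample log (not from any real incident). Assumed format:
# "<ISO timestamp> <user> <source IP> <success|failure>"
SAMPLE_LOG = """\
2019-08-02T09:12:44 jdoe 203.0.113.10 success
2019-08-02T09:15:02 asmith 198.51.100.7 success
2019-08-02T02:41:13 jdoe 192.0.2.55 success
2019-08-02T10:03:09 svc-test 203.0.113.10 failure
2019-08-02T10:03:11 svc-test 203.0.113.10 failure
2019-08-02T10:03:12 svc-test 203.0.113.10 failure
2019-08-02T10:03:14 svc-test 203.0.113.10 failure
2019-08-02T11:20:00 asmith 198.51.100.7 success
"""

BUSINESS_HOURS = range(7, 20)                   # assumed 07:00-19:59 local
KNOWN_PREFIXES = ("203.0.113.", "198.51.100.")  # assumed expected source ranges
FAILED_THRESHOLD = 3                            # the slide's three-failure lockout point


def parse(line):
    """Split one log line into (datetime, user, source IP, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def review(log_text):
    """Return (category, user, ip, detail) tuples for every abnormality found."""
    findings = []
    failures = Counter()
    for line in log_text.strip().splitlines():
        ts, user, ip, result = parse(line)
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("unusual_time", user, ip, ts.isoformat()))
        if not ip.startswith(KNOWN_PREFIXES):
            findings.append(("unusual_source", user, ip, ts.isoformat()))
        if result == "failure":
            failures[(user, ip)] += 1
    # Per (user, source) failure counts that reach the lockout threshold
    for (user, ip), count in failures.items():
        if count >= FAILED_THRESHOLD:
            findings.append(("high_failed_attempts", user, ip, str(count)))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed log, the 02:41 login from an unexpected range is flagged twice (time and source) and the four failures from svc-test exceed the threshold.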
Limiting Visibility and Communications
Disrupting Operations
Brief History of Loss of View Attacks
• 2015, Ukraine – Moxa Serial-to-Ethernet converters disrupted; HMI lockout
• 2015, Baltics – Serial-to-Ethernet and Internet Gateway DDoS
• 2016, Lithuania – Widespread DDoS against unspecified targets
• 2018, U.S. – Comms and data sharing interruptions among partners
• 2019, U.S. – Wind farm visibility loss
• 2020, U.S. – Commodity ransomware at ONG facility
Wind Farm Attack, March 2019
• “First of its kind” DoS attack in the U.S.
• sPower (Utah) experienced a series of lost connections between its main control center and generation sites
• Adversary exploits a vuln in a firewall forcing unexpected reboots of devices
  • Results in a DoS condition at a low-impact control center and multiple remote low-impact generation sites
  • Results in brief communications outages (i.e., less than five minutes) between field devices at sites and between sites and the control center
Operational Blindness, March 5th
• Post-event Analysis –
  • Vendor review of firewall logs identified that the reboots were instigated by an external entity exploiting a vulnerability
Recommended Best Practices
• Reduce and control your attack surface
  • Limit internet facing devices
• Employ redundant solutions to provide resilience
  • Sites with redundant pair maintained comms
• Use access control lists (ACLs) to filter inbound traffic prior to handling by the firewall
Commodity Ransomware, February 2020
• Ransomware at a U.S. natural gas facility results in a two day voluntary, “deliberate and controlled” shut down
• Access – spear-phishing campaign
  • Followed by the placement of commodity malware in the IT and OT networks
• Impacted systems – HMIs, historians, polling servers
• Resulted in loss of view – no real time data
Recommended Best Practices
• Contingency Operations – Develop and practice an emergency response plan
• Limit IT/OT Connections – May challenge malware from spreading
• Fail Over Manual Systems – Consider installing communications systems to assist manual operations
“Mysterious” Variants for 2020 – EKANS
• Emerged mid-December 2019
• Identifies 64 different software processes on victim systems for termination
  • Targeted processes include those associated with ICS systems
• Capable of encrypting data on which ICS rely
• No internal propagation method – requires user interaction
• Assessed to be non-state actors
File Name: update.exe
MD5: 3d1cc4ef33bad0e39c757fce317ef82a
SHA1: f34e4b7080aa2ee5cfee2dac38ec0c306203b4ac
SHA256: e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60
What’s Next
• Past forecasting (for 2019) emphasized a shift in target to safety systems (e.g. protection systems, protective relays, etc.)
• However, 2019 did not see an uptick in those attacks – May indicate that adversary programs are already prepositioned within their victims’ networks
• 2018 and 2019 also demonstrated adversary desires to conduct wide scale and far-reaching access and reconnaissance operations
  • VPNFilter (2018)
  • Iranian VPN compromises (2019-2020)
  • Turla Microsoft Outlook attacks (2014-2020)
• Adversary interest in “financially” optimizing operations
• Bespoke ICS attacks are interesting but expensive and time consuming
• Organizations should pay particular attention to commodity products whose wide distribution may be attractive to targeting programs
[Illustration: Claudine Hellmuth/E&E News]
Are ICS/OT Attacks Merging with IT Activity?
True OT attacks are fundamentally different from IT attacks, but they are still exceptionally rare.
• The majority of critical infrastructure attacks in 2019 were directed against commercial, off-the-shelf IT components
• For critical infrastructure owners and operators: Should organizations roll OT security and emergency response into IT emergency operations?
• For threat analysts: Where in the IT-adopted OT architecture can adversaries manipulate the physics of a process?
  • How can we increase visibility in these devices/components/software?
Contact Info
Sarah Freeman
Idaho National Laboratory
Cybercore Integration Center
Sarah.Freeman@inl.gov
Reference Slides
SANS ICS Cyber Security Summit
2-3 March 2020
Dustman Malware – dustman.exe
Indicators of Compromise
Name: dustman.exe
MD5 Hash: 8AFA8A59EEBF43EF223BE52E08FCDC67
SHA-1 Hash: E3AE32EBE8465C7DF1225A51234F13E8A44969CC
SHA-256 Hash: F07B0C79A8C88A5760847226AF277CF34AB5508394A58820DB4DB5A8D0340FC7
Size: 264,704 (bytes)
Type: 64-bit EXE
Compilation Date: Sun Dec 29 08:57:19 2019 (GMT+3)
Dustman Malware – elrawdsk.sys
Indicators of Compromise
Name: elrawdsk.sys
MD5 Hash: 993E9CB95301126DEBDEA7DD66B9E121
SHA-1 Hash: A7133C316C534D1331C801BBCD3F4C62141013A1
SHA-256 Hash: 36A4E35ABF2217887E97041E3E0B17483AA4D2C1AEE6FEADD48EF448BF1B9E6C
Size: 24,576 (bytes)
Type: 64-bit EXE
Compilation Date: Sun Oct 14 10:43:19 2012 (GMT+3)
Dustman Malware – assistant.sys
Indicators of Compromise
Name: assistant.sys
MD5 Hash: EAEA9CCB40C82AF8F3867CD0F4DD5E9D
SHA-1 Hash: 7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C
SHA-256 Hash: CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986
Size: 68,288 (bytes)
Type: 64-bit EXE
Compilation Date: Sat May 31 05:18:53 2008 (GMT+3)
Dustman Malware – agent.exe
Indicators of Compromise
Name: agent.exe
MD5 Hash: F5F8160FE8468A77B6A495155C3DACEA
SHA-1 Hash: 20D61C337653392EA472352931820DC60C37B2BC
SHA-256 Hash: 44100C73C6E2529C591A10CD3668691D92DC0241152EC82A72C6E63DA299D3A2
Size: 116,224 (bytes)
Type: 64-bit EXE
Compilation Date: Sun Dec 29 08:56:27 2019 (GMT+3)