Anatomy of a Cyber Attack- ICS Cyber Kill Chain- Part 1

Anatomy of a Cyber Attack- ICS Cyber Kill Chain- Part 1

April 7, 2020

The extensive cyber intrusions on Oil and Gas companies have revealed that these intrusions are not just a one-off scenario to talk about, rather it demands a theoretical approach to understand the attack more precisely. There has been a wide range of cyber attacks on Oil and Gas companies starting from 2012- Shamoon attack, which damaged more than a 10000 servers, 2017- Triton Malware attack on an Oil and Gas company in Saudi Arabia,  where the attackers planted a malware which adversely took over the plant’s Safety Instrumented Systems, 2019- Ransomware attack on a Mexican Oil and Gas company and so on.  Cyber attacks on Oil and Gas companies become more pervasive and critical. There have been increased cyber attacks on the Oil and Gas companies now more than ever. The Oil and Gas companies have become a target for adversaries for almost a decade. The malware attacks from 2012 to today have shown a substantial increase in the technology and tools used to perform these, starting from a simple malware program to  APTs (Advanced Persistent Threats).

Breakdown of a Cyber Attack

Even though the malware used over the years are different, the stages of a cyber attack remain consistent. The breakdown of a cyber attack can be done using Cyber Kill Chain® developed by Lockheed Martin. It has been adapted to the ICS environment by Michael J.Assante and Robert M.Lee. The Cyber Kill Chain helps to understand, visualize and coordinating the steps for an adversary to achieve their targets. Let us go through the stages of a cyber-attack.

Cyber attack cyber kill chain

Planning and Preparation for Attack

The attacker selects the victim (organization, network, PC) based on their predefined goals expected rewards or according to instructions from whoever is directing that action. A cyber attack can be initiated also by an insider having a reason, a disgruntled employee or an expert hacker who is driven by a foreign country, a crime organization or a hostile commercial organization. The attacker may start with a phishing process targeting someone who corresponds with people working at the victim’s organization. They are sending emails from a spoofed identity along with malware hidden in an attached file (Word, JPG file, etc.). This action leads to launching a Trojan code in the victim’s computer (first one approached) and later in the IT network.

Cyber Intrusion – Attempt/ Success

Upon activation of the injected code to collect network details that malware will start scanning the victim’s IT network and all the accessible computers. Using this tool, the attacker steadily receives detailed information and builds a clear picture of the victim’s network, usernames, passwords, IP addresses, connection to wireless devices, privilege accounts, etc. Once they gain access to the victim’s network, they can spoof the identity of a network administrator, open their own account and start using their new email. Using an authorized account (like an ordinary employee) and after learning the administrator’s account’s credentials, the attacker can now upgrade their own “user account” and request additional privileges, which a regular user (employee) does not have. This may allow them to comply with security procedures like “least privilege” and “role-based access”.

Through this “authorized membership”, the attacker has now the needed privileges to compromise the firewall isolating between the IT network and the external internet. This will allow them to transfer command codes between the attacking computer (operated by hackers) connected through the internet to the IT network of the victim. The attacker can now continue with the process, obtain detailed information about the PLCs, Remote Terminal Units (RTU), used data protocols and IP addresses of the control devices (PLC, RTU) as accessible in the corporate IT network. Having “authorized presence”, the attacker may start planning the next steps of the attack process. At this stage, the attacker may slowly collect more data on the system architecture, processes considered as normal, as seen through the corporate IT network. Furthermore, to hide their activity, the attacker may prevent the detection of their actions within the victim’s network. They will also try hiding their own identity and delete all “traceable details”.

Once the attacker has adequate details on the IT network and obtained needed credentials, they can create a high-privilege (“admin”) account. This will allow them to access the segregating firewall between the IT and ICS networks and also compromise additional security measures which might prevent accessing the ICS network.

Management and Enablement

The attacker is ready to start with the final stage and compromise the segregating firewall between the corporate IT and the ICS networks. Once that barrier is removed, the attacker may directly communicate with the ICS network and “export” data (through the corporate network and the Internet) as needed for detailed planning of the attack process. The attacker may directly access all RTUs or PLCs and study the details of the control process; temperature, speed, pressure, vibration, flow, etc., and also analyze the data sent to the ICS Automation Servers and the HMI computer. This information will help the attacker to “create a false picture” of normal operation and transmit this “picture” to the operator HMI during the attack (similar to Stuxnet).

Sustainment, Entrenchment, Development & Execution

The attacker will modify the operation parameters of the RTUs or PLCs, change the control limits, modify control loops, compromise software-based protection, and generate the damage. While transmitting the false picture to the operator HMI (earlier recorded and stored) and showing normal conditions, the attacker is completing the task and destroying the critical machinery.

The theoretical approach to a cyber attack helps experts to understand the characteristics of the attack which can be a valuable knowledge base to prevent such attacks in the future. In each stage of the cyber attack, a countermeasure is being broken or a specific countermeasure is needed to stop it. The dynamics of a cyber attack can change from one scenario to another but the phases of it remain consistent throughout. But how does it help Cyber Security companies and organizations to design and develop countermeasures against such attacks? To be continued in Part 2

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

Your data will be safe!Your e-mail address will not be published. Also other data will not be shared with third person.