The number of cyberattacks against ICS/SCADA (Industrial Control Systems / Supervisory Control and Data Acquisition) products used by industrial organizations worldwide has increased rapidly. Hence, many cybersecurity firms and white-hat hackers have highlighted the risk of attacks that target the OT (Operational Technology) networks used by utilities.
Among the most significant cyberattacks against industrial organizations are the 2015 attack on the electric grid in Ukraine and the 2017 Triton malware attack against a petrochemical plant in Saudi Arabia.
A cybersecurity firm recently demonstrated how to successfully infiltrate the network of a North American utility company, hack its ICS, and turn off one of its smart meters.
The firm ran the trials to show which tactics, techniques, and procedures threat actors can use to breach the secured perimeter around the IT and OT networks.
In the attack's initial phase, the researchers used the techniques that TEMP.Veles (aka the XENOTIME group) used to breach the operational technology network during the TRITON malware attack. The researchers highlighted that collecting information about the target's IT network and assets plays a crucial role in the initial stage of the attack. The reconnaissance phase of an OT-targeted attack begins in the IT network, where the hackers obtain the knowledge and resources needed to propagate from the initial compromise of the enterprise network to remote access into the OT network. Detailed information about the target, the security systems in place, and the infrastructure environment helps the threat actor stay undetected while expanding the operation.
The research team launched a spear-phishing attack to gain access to the targeted IT network. They used a combination of two phishing scenarios:
- an embedded link to a malicious file hosted on an Internet-facing server owned by the research team
- an MS Office document attached to an email, carrying auto-executing macro code
Lo and behold, the white-hat hackers achieved remote code execution on a workstation within the target enterprise network.
After gaining control of workstations in the IT network, the white-hat hackers used publicly available commands and tools to escalate privileges and obtain administrator-level access.
The researchers used the following tools in conducting the breach:
- LDAP searches to gather information about the enterprise domain
- PowerSploit to enumerate security misconfigurations
- WMImplant to move laterally from one system to another within the internal network
- Mimikatz to extract the credentials of local users and domain administrator accounts
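From a defender's side, the tool chain above leaves recognizable traces in endpoint telemetry: a process spawned under WmiPrvSE.exe (WMI-based lateral movement), PowerShell launched with an encoded command or invoking PowerSploit cmdlets, and a non-system process opening a handle to lsass.exe (credential dumping). The following is an added example, not code from the firm or the article, that runs toy versions of those three rules over constructed Sysmon-style records (event ID 1 = ProcessCreate, 10 = ProcessAccess); the field names, the lsass allowlist and the cmdlet list are assumptions chosen for illustration.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (not from any real host).
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 10, "source": r"C:\Users\alice\AppData\Local\Temp\mk.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -c Invoke-AllChecks"},
]

# Assumed allowlist of processes that legitimately read lsass; tune per environment.
LSASS_READERS_OK = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
# A few well-known PowerSploit function names (assumed subset, not exhaustive).
POWERSPLOIT_CMDLETS = re.compile(
    r"Invoke-AllChecks|Invoke-Mimikatz|Get-GPPPassword|Find-LocalAdminAccess", re.I)
ENCODED_FLAG = re.compile(r"(^|\s)-(e|enc|encodedcommand)\s", re.I)


def classify(ev):
    """Return the list of rule tags an event matches (empty if benign)."""
    tags = []
    if ev["id"] == 10 and ev["target"].lower().endswith(r"\lsass.exe") \
            and ev["source"].lower() not in LSASS_READERS_OK:
        tags.append("credential-dump:lsass-access")      # Mimikatz-style behaviour
    if ev["id"] == 1:
        if ev["parent"].lower().endswith(r"\wmiprvse.exe"):
            tags.append("lateral-movement:wmi-spawn")    # WMImplant-style execution
        if ENCODED_FLAG.search(ev["cmdline"]):
            tags.append("powershell:encoded-command")
        if POWERSPLOIT_CMDLETS.search(ev["cmdline"]):
            tags.append("recon:powersploit-cmdlet")
    return tags


def scan(events):
    """Map event index -> tags for every event that triggers at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            hits[i] = tags
    return hits


if __name__ == "__main__":
    for i, tags in scan(EVENTS).items():
        print(i, tags)
```

Real deployments would key the same rules on Sysmon or EDR fields and correlate them across hosts, since each indicator alone is noisy.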
In the next stage of the hack, the research team conducted internal reconnaissance in the enterprise network to identify targets of interest (people, processes, and technology) and find a way to jump from the IT network to the OT network.
Once the OT network had been mapped for the final stage, the researchers stole the login credentials for the meter-control infrastructure portal and issued a command to disconnect the smart meter.
After the researchers accessed the domain controller in the core OT network, they extracted the credentials of high-privilege administrator accounts. They used the stolen credentials to take control of the OT network management servers, operator workstations, and application servers.