Hackers found and cracked this fake electricity substation network in just two days

Nation states aren't the only threat to critical infrastructure.
Written by Danny Palmer, Senior Writer

A test by a security company has shown just how fast poorly-secured industrial control systems (ICS) can fall prey to hackers.

Researchers at Cybereason set up a honeypot masquerading as a power transmission substation of a major electricity provider and analysed the actions of attackers.

The cyber attacks which took out Ukraine's power grid have demonstrated the damage which can be done by hackers accessing critical infrastructure.

Cybereason's honeypot was set up to replicate the information technology (IT) and operational technology (OT) environments of an industrial control system, along with a firewall-protected interface that connected the two and allowed users to work in both environments.

To attract attackers, the researchers made sure the system featured common vulnerabilities found in ICS environments, such as internet-facing servers, remote access services and weak passwords -- all under a registered DNS name that made the network look as if it belonged to a genuine electricity provider.


The honeypot went live on July 17, and it took just two days for a hacker to establish themselves on the network and install malicious tools that enabled access and control. The black-market seller who uncovered the honeypot found it while conducting random internet reconnaissance.

While attacks against this sort of critical infrastructure are often viewed as the domain of nation-state attackers, the honeypot was apparently discovered by a standard cyber-crime group -- one with specialist interest in industrial control systems, but not necessarily the skills to take full advantage of what they gained access to.

"The seller was able to compromise a single machine in the honeypot and posted it for sale in a black market called xDedic, along with the network identifiers of that compromised environment, which disclosed its probable affiliation with a large utility provider," Cybereason CISO Israel Barak told ZDNet.

The attacker modified the remote desktop environment so that two users could be logged in at the same time, crucially allowing a hacker to retain access to the system without being kicked off when a legitimate user logs in -- and vice versa.

In addition, the hacker sought to exploit the honeypot further by installing backdoors on the system to ensure continued access.

Ownership then appeared to change hands: after a week of silence, on July 27 a new owner accessed the system through the backdoor.


Researchers say this new intruder attempted to navigate the entire ICS environment, and their first step was deactivating the security software -- software that was deliberately installed to be simple to remove, but also to test the attacker's skills.

"The largest mistake they made was being too aggressive in trying to avoid monitoring. They used the account that they purchased to uninstall the security software on the first compromised server. This not only immediately drew our attention, but would draw the attention of any security team," Ross Rustici, senior director of intelligence services at Cybereason told ZDNet.

Nonetheless, once inside the environment, this attacker focused only on the ICS and looked at how to achieve remote execution on endpoints -- they had no interest in any other aspects of the system.

They weren't able to fully access the operations network, but that lack of skill could have made them even more dangerous.

"The lack of sophistication makes their eventual access to the OT network more concerning. A mistake in that environment could lead to unintended real-world effects," said Rustici.

Organisations can protect against this by taking a proactive approach to security rather than connecting systems to the internet and forgetting about them -- strong passwords, hardened systems and network monitoring can all prevent this type of attack.
