Recent and more conclusive reports on the cyberattack against a Ukrainian power grid, such as the article in Wired, confirmed the level of sophistication of this campaign. The net result, a mass power outage for hundreds of thousands of people, is mind-blowing, but the highly coordinated events leading up to the outage were perhaps even more so. If one could call advanced persistent threats artists, this campaign would rank as one of the hacking community's masterpieces to date.
Considerations for the Operational-Technology Attack Phase
The components of the OT portion of the combined IT-OT "pivoted" attack (the same pathway used in the German steel mill hack of 2014) were precisely integrated and serve as evidence of the attackers' deep knowledge of OT and of this particular utility's infrastructure. From the use of stolen credentials to reach remote management services (e.g., SSH) over VPN, to the use of quietly commandeered SCADA hosts to issue ICS protocol commands that opened breakers and to corrupt the firmware of serial-to-Ethernet converters, to the disabling of remote SCADA systems with the KillDisk wiper, all of these cyber components were largely unprecedented, at least in terms of a publicly disclosed and successful attack leading to a mass outage.
Reports indicate the utility did have a firewall at the IT-OT perimeter. It is less clear whether there was any more granular segmentation beyond that edge, and whether the firewall logs were being proactively monitored and analyzed. An equally important question is: just what kind of firewall was this? If it was only a stateful inspection firewall, then it is not too surprising that the attackers went undetected, given the rudimentary port and IP visibility such legacy technology offers. Next-generation firewalls, on the other hand, provide visibility (and access control) at the application, protocol, user and content levels while simultaneously applying built-in threat prevention (exploits, viruses, C2 traffic). Such visibility might have helped identify and stop the OT-specific steps of the attack, which used stolen accounts to misuse a range of business, remote management and ICS protocols, and to deploy malware like KillDisk. Maybe. Maybe not. But is this even the right area of focus for the post-mortem analysis?
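The point about segmentation "beyond the edge" and application- and user-level visibility is easier to see on logs than in the abstract. The script below is an added example, not code from the original post or from any Palo Alto Networks product: it audits a constructed set of firewall traffic-log rows against an expected zone-to-zone communication matrix and flags the sessions a stateful port/IP firewall would have passed without comment. The CSV layout, zone names, hosts and user names are hypothetical (a real PAN-OS traffic log carries comparable from-zone, to-zone, application, source-user and action fields, but in a different column order).

```python
"""Zone/application/user audit over constructed firewall traffic logs.

Added example, not code from the original post or from Palo Alto Networks.
The CSV layout, zone names, hosts and users below are hypothetical.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample of sessions the firewall has already logged.
SAMPLE_LOG = """\
src_zone,dst_zone,src_ip,dst_ip,app,user,action
it-users,it-servers,10.1.5.23,10.1.10.4,ms-ds-smb,alice,allow
vpn,ot-dmz,10.9.0.17,10.50.1.10,ssh,opsjump,allow
vpn,ot-scada,10.9.0.42,10.50.2.15,ssh,alice,allow
it-users,ot-scada,10.1.5.23,10.50.2.20,modbus,alice,allow
ot-scada,ot-field,10.50.2.15,10.50.9.8,modbus,,allow
ot-scada,ot-field,10.50.2.15,10.50.9.8,iec-60870-5-104,,allow
it-users,ot-scada,10.1.5.23,10.50.2.20,ssh,alice,deny
"""

# Expected communication matrix: (src_zone, dst_zone) -> applications that
# should ever be allowed. Anything outside it that the firewall nevertheless
# allowed is a gap in the internal segmentation, not just an odd session.
ALLOWED = {
    ("it-users", "it-servers"): {"ms-ds-smb", "ssl", "web-browsing"},
    ("vpn", "ot-dmz"): {"ssh"},            # VPN users may only reach the jump host
    ("ot-dmz", "ot-scada"): {"ssh"},       # and the jump host is the only way into SCADA
    ("ot-scada", "ot-field"): {"modbus", "dnp3", "iec-60870-5-104"},
}

ICS_APPS = {"modbus", "dnp3", "iec-60870-5-104"}
REMOTE_MGMT = {"ssh", "ms-rdp", "vnc"}
OT_ADMINS = {"opsjump"}   # accounts permitted to open management sessions into OT


@dataclass
class Finding:
    rule: str
    row: dict


def audit(log_text: str) -> list:
    """Flag allowed sessions that contradict the expected IT/OT segmentation."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "allow":
            continue  # denied sessions were already stopped; audit what got through
        pair = (row["src_zone"], row["dst_zone"])
        app = row["app"]
        to_ot = row["dst_zone"].startswith("ot-")
        from_ot = row["src_zone"].startswith("ot-")
        if app not in ALLOWED.get(pair, set()):
            findings.append(Finding("unexpected-zone-app", row))
        if to_ot and not from_ot and app in ICS_APPS:
            # ICS protocols should originate inside OT; an IT host speaking
            # Modbus to a SCADA server is the pivot this post describes.
            findings.append(Finding("ics-protocol-from-it", row))
        if to_ot and app in REMOTE_MGMT and row["user"] not in OT_ADMINS:
            # Stolen credentials show up as a normal account doing OT admin work.
            findings.append(Finding("ot-remote-mgmt-by-unexpected-user", row))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, the form a SOC dashboard would consume."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.rule}: {f.row['src_zone']}->{f.row['dst_zone']} "
              f"{f.row['app']} user={f.row['user'] or '-'}")
```

On the constructed rows, the two sessions that a port-level firewall would have seen as "TCP/22 allowed" and "TCP/502 allowed" are exactly the ones the audit flags: an ordinary user account opening SSH straight into the SCADA zone over VPN, and an IT workstation speaking Modbus to a SCADA host. Note that the audit only reasons about sessions the firewall allowed; the last row was denied and is ignored, because the question raised above is whether anyone was looking at what got through.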
Nip it in the Bud – Stopping the IT Attack Phase
What wasn't clear in the reports was how quickly the OT portion of the operation was conducted. Given how skilled and knowledgeable these attackers were, it wouldn't be a surprise if it took weeks or days (hours would be really impressive) from the initial OT breach to the outage. What's interesting is that the campaign seems to have started back in the spring of 2015 with social engineering against the IT infrastructure of the utility and its business partners. In other words, the attackers were running their reconnaissance operations for months before executing the physical part of the attack. Rather than talking about how the OT portion of the attack could have been prevented, a more forward-thinking question is: what could have been done to prevent the attackers from breaching the IT network to begin with, and to stop the theft of the credentials later used to breach the OT?
What made the initial attack of this campaign so evasive was that the attackers combined effective social engineering with previously unseen malware samples, repurposing an old-school method (trick the user into enabling an embedded malicious macro) and an existing malware family (BlackEnergy) to establish a beachhead in the utility organization. The simple fact that this particular malicious attachment had no signature in any host or network antivirus product allowed it to quietly circumvent the existing security provisions. Note that "zero-day" here means a sample no vendor had seen before, not a zero-day exploit: the macro path needs no software vulnerability, only a user who can be talked into enabling content. It is this unknown-sample element that many organizations are not equipped to address, because they lack tools that can judge a file never before seen in the wild.
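Because the attachment was unknown to every signature engine, the useful control at the mail gateway is one that does not depend on recognizing the sample at all: does this Office file carry a VBA project, and is it coming from outside? The check below is an added example, not code from the original post or from any Palo Alto Networks product. It inspects OOXML containers (.docx, .docm, .xlsx, .xlsm and friends, which are zip archives) for a VBA project and returns a block/allow/defer verdict; the sample documents are constructed in memory, and legacy binary .doc/.xls files (OLE2 compound files, not zips) are deferred to an OLE parser such as oletools rather than silently allowed.

```python
"""Signature-free policy check for macro-bearing Office attachments.

Added example, not code from the original post or from any Palo Alto Networks
product. Inspects OOXML (zip) containers for a VBA project; legacy OLE2
.doc/.xls files are deferred to an OLE parser. Sample documents are constructed.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def macro_report(data: bytes) -> dict:
    """Describe what the container says about macros, without executing anything."""
    report = {"is_zip": False, "vba_parts": [], "declared": False}
    if not data.startswith(b"PK"):
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            ctypes = ""
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return report
    report["is_zip"] = True
    # A VBA project can be declared in [Content_Types].xml, stored as a part, or
    # both; check both so a document that omits the declaration is still caught.
    report["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    report["declared"] = VBA_CONTENT_TYPE in ctypes
    return report


def verdict(filename: str, data: bytes, external_sender: bool) -> tuple:
    """Return ('block' | 'allow' | 'defer', reason) for an attachment."""
    r = macro_report(data)
    if not r["is_zip"]:
        return ("defer", "not an OOXML container; hand to an OLE2/AV scanner")
    has_macros = bool(r["vba_parts"]) or r["declared"]
    if not has_macros:
        return ("allow", "no VBA project in container")
    if external_sender:
        # Known sample or not, an external macro document is blocked outright.
        return ("block", "VBA project in attachment from external sender")
    if not filename.lower().endswith(MACRO_ENABLED_EXTS):
        # Office will not run macros from a .docx, so a VBA part behind that
        # extension is a mismatch worth treating as hostile even internally.
        return ("block", "VBA project inside a non-macro-enabled extension")
    return ("allow", "macro-enabled document from internal sender (permitted by policy)")


def build_ooxml(parts: dict) -> bytes:
    """Constructed helper: pack parts into a minimal OOXML-style zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real documents).
CLEAN_DOCX = build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.openxmlformats-officedocument'
                           b'.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
MACRO_XLSM = build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/xl/vbaProject.bin" '
                           b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "xl/workbook.xml": b"<workbook/>",
    "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder for an OLE2 VBA project",
})
LEGACY_XLS = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64  # OLE2 magic, constructed

if __name__ == "__main__":
    for name, data, ext in [("invoice.xlsm", MACRO_XLSM, True),
                            ("invoice.docx", MACRO_XLSM, False),
                            ("report.docx", CLEAN_DOCX, True),
                            ("old.xls", LEGACY_XLS, True)]:
        print(name, *verdict(name, data, ext))
```

The decision is structural rather than reputational: the external macro document is blocked whether or not any sandbox has seen it, which is the property the campaign's attachment defeated in signature-based products. The "defer" branch matters in practice; the legacy binary formats are the ones most phishing lures used at the time, and a gateway that cannot parse OLE2 should route them to something that can rather than fail open.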
Given the rising ICS advanced-threat landscape and the severe consequences of an ICS breach (as was the case here), there is a strong argument that operators of critical infrastructure need to make sure they can address similar campaigns in the future, and develop more sophisticated security capabilities to do so.
Accelerating Threat Intelligence in IT and OT with PAN-OS 7.1
We already covered in an earlier blog post how our WildFire and AutoFocus technologies help detect and prevent zero-day threats, including BlackEnergy. With our latest PAN-OS 7.1 release, we are pleased to say that we have made these capabilities even more powerful.
WildFire, the service that allows users to quickly identify zero-day threats and deploy protective measures, has been made 70 percent faster at these functions. Users can now detect and prevent zero-day attacks in as little as five minutes. In addition, its ability to stop the universe of unknown threats has been improved with new machine-learning algorithms, which instantly stop variants of known malware even if WildFire has never seen them. These algorithms also reduce analysis time for Portable Executable (PE) variants of known malware.
The new release of AutoFocus tightens its integration with PAN-OS 7.1 and Panorama. The new capabilities bring more advanced-threat context to the entire organization, simplifying response efforts for the most critical attacks in a single, easy-to-use console. This puts the largest collection of unknown malware data at your fingertips, allowing you to automatically turn analysis of unique, targeted attacks into proactive protections by blocking malicious domains, IP addresses and URLs with AutoFocus and PAN-OS dynamic block lists. AutoFocus also adds the ability to bring threat intelligence into your existing security operations workflow with an improved API and support for the STIX information-sharing standard.
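The pipeline described in that paragraph, indicators in and a dynamic block list out, is short enough to show end to end. The script below is an added example, not code from the original post or from the AutoFocus API. It assumes STIX 2.x JSON indicators (the post refers to STIX support in 2016, when the current version was STIX 1.x XML; the shape of the job is the same) and emits the plain one-entry-per-line text that PAN-OS external dynamic lists consume. The bundle is constructed and deliberately includes revoked, expired, unsupported and malformed indicators, because what gets filtered out matters as much as what gets blocked.

```python
"""Turn STIX indicators into External Dynamic List (EDL) text for a firewall.

Added example, not code from the original post or from the AutoFocus API.
Assumes STIX 2.x JSON; the bundle below is constructed.
"""
import ipaddress
import json
import re
from datetime import datetime

SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0", "objects": [
    {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'update-checker.example' OR "
                "domain-name:value = 'cdn.update-checker.example']",
     "valid_from": "2016-01-05T00:00:00Z"},
    {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.45']",
     "valid_from": "2016-01-05T00:00:00Z", "valid_until": "2016-02-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
     "pattern": "[url:value = 'http://update-checker.example/cgi-bin/stats.php']",
     "valid_from": "2016-01-05T00:00:00Z"},
    {"type": "indicator", "id": "indicator--4", "pattern_type": "stix",   # hash: no EDL type
     "pattern": "[file:hashes.'SHA-256' = '00000000000000000000000000000000"
                "00000000000000000000000000000000']",
     "valid_from": "2016-01-05T00:00:00Z"},
    {"type": "indicator", "id": "indicator--5", "pattern_type": "stix",   # malformed
     "pattern": "[ipv4-addr:value = 'not-an-ip']", "valid_from": "2016-01-05T00:00:00Z"},
    {"type": "indicator", "id": "indicator--6", "pattern_type": "stix",   # withdrawn
     "pattern": "[domain-name:value = 'retired.example']",
     "valid_from": "2015-11-01T00:00:00Z", "revoked": True},
    {"type": "malware", "id": "malware--1", "name": "BlackEnergy"},       # not an indicator
]})

# Only the observable types that map onto an EDL list type (ip, domain, url).
PATTERN_RE = re.compile(
    r"(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'((?:[^'\\]|\\.)*)'")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stix_to_edl(bundle_json: str, now_iso: str) -> dict:
    """Return {'ip': [...], 'domain': [...], 'url': [...]} ready to write one per line."""
    now = _parse_ts(now_iso)
    lists = {"ip": set(), "domain": set(), "url": set()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        until = obj.get("valid_until")
        if until and _parse_ts(until) <= now:
            continue  # expired: block lists that never age out accumulate false positives
        for kind, raw in PATTERN_RE.findall(obj.get("pattern", "")):
            value = raw.replace("\\'", "'").strip()
            if kind in ("ipv4-addr", "ipv6-addr"):
                try:
                    lists["ip"].add(str(ipaddress.ip_address(value)))
                except ValueError:
                    continue  # a malformed entry must not reach the firewall list
            elif kind == "domain-name":
                if DOMAIN_RE.match(value):
                    lists["domain"].add(value.lower())
            elif value.startswith(("http://", "https://")):
                lists["url"].add(value)
    return {name: sorted(entries) for name, entries in lists.items()}


def render_edl(entries) -> str:
    """EDL body: one entry per line, nothing else."""
    return "".join(f"{e}\n" for e in entries)


if __name__ == "__main__":
    for name, entries in stix_to_edl(SAMPLE_BUNDLE, "2016-01-15T00:00:00Z").items():
        print(f"--- {name}.txt ---")
        print(render_edl(entries), end="")
```

Two design points carry over to any real feed. Expiry is honoured (the IP indicator drops out once `valid_until` passes), so the block list ages with the intelligence instead of growing forever; and every value is validated before it is written, because a list the firewall is polling is a poor place to discover that an analyst typed a hostname into an IP field.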
Advanced network security via a next-generation firewall is necessary, but to combat the more sophisticated threats that rely on zero-day attacks one needs equally sophisticated capabilities. The threat intelligence cloud (used by the WildFire and AutoFocus services) and the Advanced Endpoint Protection component of our Next-Generation Security Platform were designed to prevent attacks from such threats with as much automation as possible.
Learn more about our platform capabilities by reading this whitepaper on 21st Century SCADA Security and by visiting the resources below.
- PAN-OS 7.1 release
- Technical Documentation: Five Minute WildFire Updates
- Technical Documentation: PAN-OS Log Integration with AutoFocus
- Technical Documentation: AutoFocus API STIX Support
[Palo Alto Networks Research Center]