CREDC Industry Workshop: Analyzing the Ukraine Cyber Attack (March 28 2017)

SLIDE 1

CREDC Industry Workshop Analyzing the Ukraine Cyber Attack

March 28 2017

SLIDE 2

Ben Miller

  • Current: Director Threat Operations Center @ Dragos, Inc.
  • Previous: 6 years at NERC, Electricity ISAC; 7 years at Constellation Energy Group
  • Overall 18 years in security
  • Emphasis on monitoring, incident response and forensics

SLIDE 3

Background

Some Frameworks and prior examples

SLIDE 4

ICS Kill Chain

[Figure: the two-stage ICS Cyber Kill Chain diagram; phase labels as shown on the slide]

Stage 1 - Intrusion: Reconnaissance, Targeting, Weaponization, Delivery, Exploit, Install / Modify, C2, Act
  Act: Discovery, Capture, Movement, Collect, Install & Execute, Exfiltrate, Launch, Clean & Defend

Stage 2 – ICS Attack: Develop, Test, Deliver, Install / Modify, Execute ICS Attack
  Execute ICS Attack: Enabling, Initiating, Supporting
  Trigger, Deliver, Modify, Inject, Hide, Amplify

Assante, Lee. Industrial Control Systems Cyber Kill Chain. Whitepaper, SANS, 2015.

SLIDE 5

Spectrum of State Responsibility

[Figure: spectrum from least to most state involvement]

  • State prohibited
  • State prohibited but inadequate
  • State ignored
  • State encouraged
  • State shaped
  • State coordinated
  • State ordered
  • State rogue conducted
  • State executed
  • State integrated

Jason Healey. A Fierce Domain. CCSA, 2013.

SLIDE 6

Past is prologue

Estonia, 2007

  • Political Protest (Monument)
  • Span course of ~20 days
  • Multiple DDoS against government, financial organizations

Georgia, 2008

  • Ground Invasion
  • Span course of 4 days
  • Planned and coordinated DDoS, SQLi, XSS attacks across gov, news agencies and financial institutions

Jason Healey. A Fierce Domain. CCSA. 2013.

SLIDE 7

Ukraine

An Overview

SLIDE 8

Overview

  • Capital: Kiev
  • Population: ~42.5M
  • Area: Comparable to Texas
  • Neighbors: Russia, Belarus, Poland, Slovakia, Hungary, Romania, Moldova
  • 27 regions (oblasts)
  • Oblenergos (distribution) operate at oblast-level
  • Ukrenergo – Statewide Transmission Company

SLIDE 9

Acknowledged Ukraine Victims

  • Rail System
  • Airports
  • Mining Companies
  • Electric Providers

FireEye Blog. Strategic Analysis: As Russia-Ukraine Conflict Continues, Malware Activity Rises. May 28 2014.

SLIDE 10

Havex

[Figure: Havex timeline, April 2014 to January 2016; each entry is the slide's label followed by its date, listed here in date order]

  • April 17 2014: (from US)
  • June 23 2014: F-Secure Blog Post
  • June 26 2014: UA
  • June 29 2014: FI (from ZZ)
  • July 1 2014: KR
  • July 2 2014: UA
  • July 2-3 2014: ES
  • July 8 2014: KR & UA
  • July 14 2014: TrendMicro Blog post uncovering OPC Havex
  • July 15 2014: UA
  • July 17 2014: FireEye Blog post uncovering OPC Havex
  • Dec 4 2014: RU
  • Jan 06 2016: IL

SLIDE 11

BlackEnergy

“[..] attackers behind the outages in two power facilities in Ukraine in December likely attempted similar attacks against a mining company and a large railway operator in Ukraine.”

KillDisk (f3e41eb94c4d72a98cd743bbb02d248f510ad925)

Datetime (UTC+2)     File name                   Source          Country
2015-12-24 00:34:19  tsk.exe                     73805832 (web)  UA
2015-12-24 08:28:39  tsk.exe                     883db971 (web)  UA
2015-12-24 11:00:52  E:\Дмитрий\sample\tsk.exe   725be15c (api)  UA

Hash (SHA1)                                 upload date (GMT)   country of origin
f3e41eb94c4d72a98cd743bbb02d248f510ad925    12/23/15            UA
8AD6F88C5813C2B4CD7ABAB1D6C056D95D6AC569    11/10/15            UA *u
16f44fac7e8bc94eccd7ad9692e6665ef540eec4    10/25/15            UA & FR * n
2d805bca41aa0eb1fc7ec3bd944efd7dba686ae1    11/6/15             UA *u
0B4BE96ADA3B54453BD37130087618EA90168D72    11/10/15            UA *u

KillDisk and BlackEnergy Are Not Just Energy Sector Threats. Trend Micro. February 11, 2016.

SLIDE 12

December 2015

Three Oblenergos (distribution utility) impacted

Analysis of the Cyber Attack on the Ukrainian Power Grid. Whitepaper, SANS & E-ISAC. 2016.

SLIDE 13

ICS Kill Chain - Stage 1

[Figure: Stage 1 of the ICS Cyber Kill Chain]

Stage 1 - Intrusion: Reconnaissance, Targeting, Weaponization, Delivery, Exploit, Install / Modify, C2, Act
  Act: Discovery, Capture, Movement, Collect, Install & Execute, Exfiltrate, Launch, Clean & Defend

Stage 1 mimics a targeted and structured attack campaign

SLIDE 14

ICS Kill Chain – Stage 2

[Figure: Stage 2 of the ICS Cyber Kill Chain]

Stage 2 – ICS Attack: Develop, Test, Deliver, Install / Modify, Execute ICS Attack
  Execute ICS Attack: Enabling, Initiating, Supporting
  Trigger, Deliver, Modify, Inject, Hide, Amplify

Stage 2 shows the steps associated with a material attack that requires high confidence

SLIDE 15

SLIDE 16

Full Ukraine Report: http://ics.sans.org/duc5

SLIDE 17

December 2016

1 Transmission Substation impacted

SLIDE 18

Official Statement

SLIDE 19

SLIDE 20

Північна (Ukrainian: "Pivnichna", i.e. "Northern")

Ukrenergo Youtube video: https://www.youtube.com/watch?v=AUoiKZBqIo0&app=desktop

SLIDE 21

Let's revisit (Intent)

[Figure: spectrum from least to most state involvement, repeated from slide 5]

  • State prohibited
  • State prohibited but inadequate
  • State ignored
  • State encouraged
  • State shaped
  • State coordinated
  • State ordered
  • State rogue conducted
  • State executed
  • State integrated

Jason Healey. A Fierce Domain. CCSA. 2013.

SLIDE 22

Recap

  • 2015 Attack used the system as designed to cause impact.
  • Amplified with destructive and distractive activities
  • The Forgotten Fourth Oblenergo
  • Causing accidental damage is possible but the damage we worry about most requires much more than cyber prowess – it takes time and engineering
  • (ICS networks are some of the most defensible on the planet)
  • The Ukraine cyber attacks hold a number of lessons learned for all industries
  • (Coordinated attack by a funded group to stop operations)

SLIDE 23

How to prepare?

SLIDE 24

Another Model

[Figure: the five categories of the Sliding Scale of Cyber Security with the slide's descriptions; the category names (Architecture, Passive Defense, Active Defense, Intelligence, Offense) are from Lee's whitepaper and are not printed on the slide]

  • Architecture: Planning, establishing, and upkeep of systems with security in mind
  • Passive Defense: Systems added to the architecture to provide defense or insight against threats without human interaction
  • Active Defense: The process of analysts monitoring for, responding to, and learning from adversaries internal to the network
  • Intelligence: Collecting data, exploiting it into information, and producing Intelligence
  • Offense: Legal countermeasures and self defense actions against an adversary

Lee. Sliding Scale of Cyber Security. Whitepaper, SANS. 2015.

SLIDE 25

There is no silver bullet

  • Number one question: Will Multifactor VPN solve this?
  • Information Sharing?
  • CES21, CRISP

SLIDE 26

Defense

  • Detection Methods:
  • Internet Checks
  • VPN Frequency
  • Lateral Movement
  • Remote Desktop Assistance usage
  • Firmware Updates
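The slide only names its detection methods. As an added illustration (not code from the presentation, from Dragos or from any of the cited reports), the script below applies two of them, VPN login frequency and lateral movement, to a few constructed log lines. The log layout, field names, the 07:00-19:00 working-hours baseline, the 10-minute window, the burst count of 4 and the fan-out count of 3 are all assumptions a site would replace with its own; the sample lines are constructed and describe no real environment.

```python
"""Added example: two of the slide's detection methods (VPN login frequency
and lateral movement) applied to constructed log lines.  Log format, field
names, working hours and thresholds are assumptions, not anything from the
presentation or from the cited reports."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from any real environment).  "o.ops" hits the
# VPN repeatedly late at night (one attempt fails) and then opens RDP sessions
# from one host to several others; "j.smith" is ordinary daytime use.
VPN_LOG = """\
2015-12-23 09:02:11 vpn-gw login user=j.smith src=203.0.113.10 result=success
2015-12-23 13:40:57 vpn-gw login user=j.smith src=203.0.113.10 result=success
2015-12-23 22:15:03 vpn-gw login user=o.ops src=198.51.100.7 result=success
2015-12-23 22:16:40 vpn-gw login user=o.ops src=198.51.100.7 result=success
2015-12-23 22:18:02 vpn-gw login user=o.ops src=198.51.100.7 result=failure
2015-12-23 22:19:30 vpn-gw login user=o.ops src=198.51.100.7 result=success
2015-12-23 22:21:11 vpn-gw login user=o.ops src=198.51.100.7 result=success
"""

RDP_LOG = """\
2015-12-23 09:10:00 rdp src=10.1.5.30 dst=10.1.5.31 user=j.smith
2015-12-23 22:30:01 rdp src=10.1.5.20 dst=10.1.5.21 user=o.ops
2015-12-23 22:31:15 rdp src=10.1.5.20 dst=10.1.5.22 user=o.ops
2015-12-23 22:33:48 rdp src=10.1.5.20 dst=10.1.5.23 user=o.ops
2015-12-23 22:35:02 rdp src=10.1.5.20 dst=10.1.5.24 user=o.ops
2015-12-23 22:36:19 rdp src=10.1.5.20 dst=10.1.5.21 user=o.ops
"""

# Assumed line layout: "<date> <time> <source-kind> <free text and key=value pairs>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<kind>\S+) (?P<rest>.*)$"
)


def parse(log):
    """Turn log text into (timestamp, source kind, {key: value}) tuples;
    lines that do not match the assumed layout are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        fields = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
        events.append((ts, m.group("kind"), fields))
    return events


def vpn_anomalies(events, window=timedelta(minutes=10), burst=4, work_hours=(7, 19)):
    """Per account, flag successful VPN logins outside the assumed working
    hours and bursts of `burst` or more successes inside `window`.
    Returns {user: [reasons]} for flagged accounts only."""
    by_user = defaultdict(list)
    for ts, kind, f in events:
        if kind == "vpn-gw" and f.get("result") == "success":
            by_user[f["user"]].append(ts)
    findings = {}
    for user, times in by_user.items():
        times.sort()
        reasons = set()
        for i, start in enumerate(times):
            if not work_hours[0] <= start.hour < work_hours[1]:
                reasons.add("after-hours login")
            # successful logins in the half-open window [start, start + window)
            in_window = sum(1 for t in times[i:] if t - start < window)
            if in_window >= burst:
                reasons.add("login burst")
        if reasons:
            findings[user] = sorted(reasons)
    return findings


def lateral_movement(events, fanout=3):
    """Flag source hosts whose RDP sessions reach `fanout` or more distinct
    destinations.  Returns {src: distinct destination count}."""
    targets = defaultdict(set)
    for _, kind, f in events:
        if kind == "rdp":
            targets[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= fanout}


if __name__ == "__main__":
    for user, why in vpn_anomalies(parse(VPN_LOG)).items():
        print(f"VPN  {user}: {', '.join(why)}")
    for src, n in lateral_movement(parse(RDP_LOG)).items():
        print(f"RDP  {src} reached {n} distinct hosts")
```

Both checks are deliberately baseline-driven: an account that normally connects twice a day during working hours and suddenly authenticates four times in six minutes at 22:15, and a workstation that begins opening interactive sessions to several peers, are the kinds of deviations the slide's "VPN Frequency" and "Lateral Movement" items point at. Failed attempts are excluded from the burst count so that the two signals (many failures, many successes) can be alerted on separately.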

SLIDE 27

Recommendations from 2012

“An organized cyber disruption disables or impairs the integrity of multiple control systems, or intruders take operating control of portions of the bulk power system such that generation or transmission system are damaged or operated improperly.”

  • Transmission Operators report unexplained and persistent breaker operation that occurs across a wide geographic area (i.e., within state/province and neighboring state/province).
  • Communications are disrupted, disabling Transmission Operator voice and data with half their neighbors, their Reliability Coordinator, and Balancing Authority.
  • Loss of load and generation causes widespread bulk power system instability, and system collapse within state/province and neighboring state(s)/province(s). Portions of the bulk power system remain operational.
  • Blackouts in several regions disrupt electricity supply to several million people.

SLIDE 28

CATF Report Recommendations (verbatim)

  • Continue Work on Attack Tree
  • Continue to Develop Security and Operations Staff Skills to Address Increasingly Sophisticated Cyber Threats
  • Augment Operator Training with Cyber Attack Scenarios
  • Conservative Operations
  • Conduct Transmission Planning Exercise
  • Continue to Endorse Existing NERC Initiatives That Help Entities Prepare for and Respond to a Cyber Attack
  • Increase Awareness for Department of Energy Initiatives
  • Continue to Extend Public / Private Partnership

SLIDE 29

Suggested Reading

Books

  • A Fierce Domain by Healey
  • Cyber Silhouettes by Thomas
  • The Cuckoo’s Egg by Stoll

Whitepapers

  • Industrial Control Systems Cyber Kill Chain. sans.org. Assante, Lee. 2015
  • NERC High Impact Low Frequency Report. nerc.com. 2009
  • NERC Cyber Attack Task Force Report. nerc.com. 2012
  • NERC Alert – Manipulation of ICS (non-public). E-ISAC. 2016


SLIDE 30

Questions?

Stay in Touch: @electricfork BMiller@Dragos.com