CREDC Industry Workshop Analyzing the Ukraine Cyber Attack March 28 - PowerPoint PPT Presentation

CREDC Industry Workshop Analyzing the Ukraine Cyber Attack March 28 2017

Ben Miller • Current: • Director Threat Operations Center @ Dragos, Inc. • Previous: • 6 years at NERC, Electricity ISAC • 7 years at Constellation Energy Group • Overall 18 years in security • Emphasis on monitoring, incident response and forensics

Background Some Frameworks and prior examples

Stage 1 - Intrusion Stage 2 – ICS Attack Reconnaissance Develop Weaponization Targeting Test Delivery Deliver Exploit Install / Modify Install / Modify Execute ICS Attack C2 Initiating Supporting Enabling Trigger Modify Hide Act Deliver Inject Amplify Install & Movement Launch Discovery Execute ICS Kill Chain Clean & Capture Collect Exfiltrate Defend Assante, Lee. Industrial Control Systems Cyber Kill Chain. Whitepaper, SANS, 2015.

Spectrum of State Responsibility State prohibited State prohibited but inadequate State ignored State encouraged State shaped State coordinated State ordered State rogue conducted State executed State integrated Jason Healey. A Fierce Domain. CCSA, 2013.

Past is prologue Estonia, 2007 Georgia, 2008 • Political Protest (Monument) • Ground Invasion • Span course of ~20 days • Span course of 4 days • Multiple DDoS against • Planned and coordinated DDoS, government, financial SQLi, XSS attacks across gov, organizations news agencies and financial institutions Jason Healey. A Fierce Domain. CCSA. 2013.

Ukraine An Overview

Overview • Capital: Kiev • Population: ~42.5M • Area: Comparable to Texas • Neighbors: Russia, Belarus, Poland, Slovakia, Hungary, Romania, Moldova • 27 regions (oblasts) • Oblenergos (distribution) operate at oblast-level • Ukrenergo – Statewide Transmission Company

Acknowledged Ukraine Victims • Rail System • Airports • Mining Companies • Electric Providers Fireeye Blog. Strategic Analysis: As Russia-Ukraine Conflict Continues, Malware Activity Rises. May 28 2014.

FireEye Blog post IL (F-Secure Blog uncovering OPC Jan 06 2016 KR & UA Post) Havex July 8 2014 June 23 2014 UA UA July 17 2014 July 2 2014 July 15 2014 FI UA June 26 2014 Havex KR July 1 2014 TrendMicro Blog ES post uncovering (from US) RU July 2-3 2014 (from ZZ) OPC Havex April 17 2014 Dec 4 2014 June 29 2014 July 14 2014

BlackEnergy “[..] attackers behind the outages in two power facilities in Ukraine in December likely attempted similar attacks against a mining company and a large railway operator in Ukraine.” KillDisk (f3e41eb94c4d72a98cd743bbb02d248f510ad925) Datetime (UTC+2) File name Source Country 2015-12-24 00:34:19 tsk.exe 73805832 (web) UA 2015-12-24 08:28:39 tsk.exe 883db971 (web) UA E:\ Дмитрий \sample\tsk.exe 2015-12-24 11:00:52 725be15c (api) UA Hash – SHA1 upload date (GMT) country of origin f3e41eb94c4d72a98cd743bbb02d248f510ad925 12/23/15 UA 8AD6F88C5813C2B4CD7ABAB1D6C056D95D6AC569 11/10/15 UA *u 16f44fac7e8bc94eccd7ad9692e6665ef540eec4 10/25/15 UA & FR * n 2d805bca41aa0eb1fc7ec3bd944efd7dba686ae1 11/6/15 UA *u 0B4BE96ADA3B54453BD37130087618EA90168D72 11/10/15 UA *u KillDisk and BlackEnergy Are Not Just Energy Sector Threats. Trend Micro. February 11, 2016.

December 2015 Three Oblenergos (distribution utility) impacted Analysis of the Cyber Attack on the Ukrainian Power Grid. Whitepaper, SANS & E-ISAC. 2016.

Stage 1 - Intrusion Reconnaissance Stage 1 mimics a targeted and Weaponization Targeting structured attack campaign Delivery Exploit Install / Modify C2 Act Install & Movement Launch Discovery Execute Clean & Capture Collect Exfiltrate ICS Kill Chain - Stage 1 Defend

Stage 2 – ICS Attack Stage 2 shows Develop the steps associated with Test a material attack that Deliver requires high confidence Install / Modify Execute ICS Attack Initiating Supporting Enabling Trigger Modify Hide Deliver Inject Amplify ICS Kill Chain – Stage 2

Full Ukraine Report: http://ics.sans.org/duc5

December 2016 1 Transmission Substation impacted

Official Statement

Північна Ukrenergo Youtube video: https://www.youtube.com/watch?v=AUoiKZBqIo0&app=desktop

Lets revisit (Intent) State prohibited State prohibited but inadequate State ignored State encouraged State shaped State coordinated State ordered State rogue conducted State executed State integrated Jason Healey. A Fierce Domain. CCSA. 2013.

Recap • 2015 Attack used the system as designed to cause impact. • Amplified with destructive and distractive activities • The Forgotten Fourth Oblenergo • Causing accidental damage is possible but the damage we worry about most requires much more than cyber prowess – it takes time and engineering • (ICS networks are some of the most defensible on the planet) • The Ukraine cyber attacks hold a number of lessons learned for all industries • (Coordinated attack by a funded group to stop operations)

How to prepare?

Another Model Systems added to the architecture to Collecting data, exploiting it into provide defense or information, and insight against producing threats without Intelligence human interaction Planning, establishing, The process of Legal and upkeep of systems analysts monitoring countermeasures with security in mind for, responding to, and self defense and learning from actions against an adversaries internal adverseary to the network Lee. Sliding Scale of Cyber Security. Whitepaper, SANS. 2015.

There is no silver bullet • Number one question: Will Multifactor VPN solve this? • Information Sharing? • CES21, CRISP

Defense • Detection Methods: • Internet Checks • VPN Frequency • Lateral Movement • Remote Desktop Assistance usage • Firmware Updates

Recommendations from 2012 “An organized cyber disruption disables or impairs the integrity of multiple control systems, or intruders take operating control of portions of the bulk power system such that generation or transmission system are damaged or operated improperly. “ • Transmission Operators report unexplained and persistent breaker operation that occurs across a wide geographic area (i.e., within state/province and neighboring state/province). • Communications are disrupted, disabling Transmission Operator voice and data with half their neighbors, their Reliability Coordinator, and Balancing Authority. • Loss of load and generation causes widespread bulk power system instability, and system collapse within state/province and neighboring state(s)/province(s). Portions of the bulk power system remain operational. • Blackouts in several regions disrupt electricity supply to several million people.

CATF Report Recommendations (verbatim) • Continue Work on Attack Tree • Continue to Develop Security and Operations Staff Skills to Address Increasingly Sophisticated Cyber Threats • Augment Operator Training with Cyber Attack Scenarios • Conservative Operations • Conduct Transmission Planning Exercise • Continue to Endorse Existing NERC Initiatives That Help Entities Prepare for and Respond to a Cyber Attack • Increase Awareness for Department of Energy Initiatives • Continue to Extend Public / Private Partnership

Suggested Reading Books • A Fierce Domain by Healey • Cyber Silhouettes by Thomas • The Cuckoo’s Egg by Stoll Whitepapers Industrial Control Systems Cyber Kill Chain. sans.org. Assante, Lee. 2015 NERC High Impact Low Frequency Report . nerc.com. 2009 NERC Cyber Attack Task Force Report . nerc.com. 2012 NERC Alert – Manipulation of ICS (non-public) . E-ISAC. 2016 Assante, Lee. Industrial Control Systems Cyber Kill Chain. Whitepaper, SANS, 2015.

Questions? Stay in Touch: @electricfork BMiller@Dragos.com