Energy

(19) attackers < Back

Understanding the cyber threat:

There are three characteristics that make the sector particularly vulnerable to contemporary cyber threats:

 

• First, an increased number of threats and actors targeting public services: state actors seeking to cause security and economic disruption, cyber criminals who understand the economic value represented by the sector, and hacktivists seeking to publicly express their opposition to general utility projects or programs

 

• Second, the extensive and growing attack surface of utilities, resulting from their geographic and organizational complexity, inclunding the decentralized nature of many organizations’ cyber security leadership

 

• Finally, the electricity and gas sector’s unique interdependencies between physical and cyber infrastructure make companies vulnerable to exploitation

 

​• The Power Sector is in transition. Global trends are creating an environment of disruption and driving the need for digital industrial software and services for the energy industry to become more efficient, reliable, secure, and sustainable.

 

• At the end of 2018, more than 456 commercial nuclear power reactors (>400 GW) are in operation and provide about 12 percent of the world’s electricity. More than 140 GW of new capacity are foreseen by 2025.

 

• Organizations in the sector are thus expanding their networks and making them more efficient and dedicated through increased digitalization. This implies an extension and a strengthening of SCADA and ICS systems.

 

Thales: Cyber Threats in the Energy Sector

​In early May 2021, the Colonial Pipeline suffered a ransomware attack that forced it to shut down its entire network to prevent the malware from spreading.

 

Indeed, Colonial Pipeline, the largest oil pipeline in the United States, halted its operations after suffering what is believed to be a ransomware attack. Colonial Pipeline transports refined petroleum products between refineries on the Gulf Coast and markets in the southern and eastern United States. The company transports 2.5 million barrels per day through its 5,500- mile pipeline and supplies 45% of all fuel consumed on the East Coast.

Thales: Cyber Threats in the Energy Sector

  • Interestingly, the malware used by Darkside does not seem to target CIS (Community of Independent States) countries and has a very good debugger and detection of virtual environments. The sample was found in multiple versions, using multiple packers, which may indicate that the attacker is running tests. One uncommon thing is that the URL of the data is in the hardcoded ransom note, which indicates that the malware was compiled after the data was stolen.

 

  •  High profile attacks previously conducted by the DarkSide gang include CompuCom, Discount Car and Truck Rentals, Brookfield Residential, and Brazil’s Companhia Paranaense de Energia (Copel).

This attack demonstrates how a cybercriminal attack can affect the national security of a state. Indeed, the attack forced the company to shut down 5,500 miles of fuel lines, and led the Federal Motor Carrier Safety Administration (FMCSA) to issue a regional emergency declaration affecting 17 east coast states and the District of Columbia.

In 2015, Ukraine also suffered a cyberattack that had dramatic consequences for national security, causing a major electrical blackout in the west of the country. This incident is a landmark as it was the first successful cyberattack on a power grid. Hackers managed to access the systems of three energy distribution companies, forcing them to temporarily shut down their operations.

​In order to describe the threat landscape, we need to distinguish between two major types of attacks:

 

  • Non-Targeted attacks: Not Power Sector specific. Could be targeting and overall vulnerability in an IT and / or OT system. Main intention is to maximize, spread the attack surface to multiple targets. Often IT focused, via Internet / Email, but also seen on OT / ICS equipment

 

  • Targeted attacks: Specialized on the target or the industry. Often is tailored to infiltrate a specific type of equipment and using tailored attack methods. Actors are often extensively planning the attack in detail, have access to above average resources and using unknown method
     

Thales: Cyber Threats in the Energy Sector

​• The relatively small userbase of the OT local area control network and lack of a direct connection to the internet or email greatly diminishes the attack surface available to ambitious cybercriminals compared to the much more exposed IT environment.

 

• This difference tends to influencehackers to utilize the IT network as an easier attack vector into OT (indirect attack). Forensic analysis of some focused attacks on critical infrastructures show that access to the control network was gained by first compromising the more exposed IT network

 

• The preferred attack vector is often a successful email phishing campaign that either sophisticated malware to be installed which later allows successful harvesting of usernames and passwords and network architecture

 

Thales: Cyber Threats in the Energy Sector

  •  Industrial control systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems play a critical role in critical infrastructure and industrial sector

 

  • The number of vulnerabilities discovered in industrial control system (ICS) products in 2020 (893 flaws) was 24,72% higher compared to 2019 (716 flaws)

 

  • 449 vulnerabilities were disclosed affecting ICS products from 59 vendors in the second half of 2020. The situation is worrisome considering that more than 70 percent of the issues received a high or critical CVSS (Common Vulnerability Scoring System) score

 

  • The most affected critical in - frastructure sectors in the se - cond half of 2020 are manufac - turing (194 vulnerabilities), energy (186), water and wastewater (111), and commercial facilities (108)

  • June 6, 2020: Disruption of the company’s internal computer network

 

  • June 7, 2020: Confirmation of the attack. The incident is the work of ransomware operators EKANS (SNAKE). Enel has not commented on the name of the ransomware used in the attack, but security researcher Milkream found a SNAKE / EKANS sample submitted to VirusTotal on 7 June that shows it is looking for the domain «enelint.global» •

 

  • June 8, 2020: All connectivity has been safely restored

• EKANS is an obfuscated ran - somware written in the Go pro - gramming language, first obser - ved in late December 2019. Its activity is similar to MEGACOR - TEX version 2 which appeared in mid-2019

 

• It checks for the existence of a Mutex value, «EKANS», on the victim

 

• • If present, the ransomware will stop with an «already encryp - ted!» message and if present the encryption proceeds using stan - dard encryption library functions

 

• The main functionality on vic - tim systems is achieved via WMI (Windows Management Instru - mentations) calls

 

• Before data encryption: EKANS stops the processes listed by pro - cess name in a hard-coded list in the malware’s coded strings for the majority of listed processes, databases, data backup solutions or ICS-related processes

 

• After that EKANS displays a ransom note

  • IIT-focused ransomware could impact control system environments if it could migrate to Win - dows parts of control system networks, thus disrupting operations

 

  • EKANS modifies this narrative seen above as ICS-specific functionality is directly referenced in the malware

 

  • Some of these processes may reside in typical corporate computer networks, such as : - Proficy servers or Microsoft SQL servers

          - the inclusion of GUI software

 

  • All of this indicates minimal knowledge of the processes and functionality of the control system environment

 

Thales: Cyber Threats in the Energy Sector

X Reset

ATK41

> Alias

APT 10

APT10

...

> Suspected origin countries

China

> Suspected targeted countries

Belgium

China

...

> Target sectors

Aerospace

Defense

...

> Motivations

Espionage

ATK51

> Alias

MERCURY

MobhaM

...

> Suspected origin countries

Iran

> Suspected targeted countries

Austria

Azerbaijan

...

> Target sectors

Defense

Education

...

> Motivations

Espionage

ATK14

> Alias

Black Energy

BlackEnergy

...

> Suspected origin countries

Russia

> Suspected targeted countries

Estonia

France

...

> Target sectors

Energy

Government and administration agencies

...

> Motivations

Espionage

Sabotage

ATK117

> Alias

APT 38

APT38

...

> Suspected origin countries

North Korea

> Suspected targeted countries

Bangladesh

Brazil

...

> Target sectors

Aerospace

Energy

...

> Motivations

Financial Gain

ATK3

> Alias

COVELLITE

Hidden Cobra

...

> Suspected origin countries

North Korea

> Suspected targeted countries

Korea, Republic of

United States Of America

> Target sectors

Aerospace

Energy

...

> Motivations

ATK6

> Alias

Crouching Yeti

CrouchingYeti

...

> Suspected origin countries

Russia

> Suspected targeted countries

Belgium

Canada

...

> Target sectors

Aviation

Defense

...

> Motivations

Espionage

ATK88

> Alias

FIN6

ITG08

...

> Suspected origin countries

Unknown

> Suspected targeted countries

United States Of America

> Target sectors

Energy

Financial Services

...

> Motivations

Financial Gain

ATK89

> Alias

Extreme Jackal

Gaza Hackers Team

...

> Suspected origin countries

State of Palestine

> Suspected targeted countries

Afghanistan

Algeria

...

> Target sectors

Aerospace

Defense

...

> Motivations

Ideology

ATK4

> Alias

APT 37

APT37

...

> Suspected origin countries

North Korea

> Suspected targeted countries

China

Nepal

...

> Target sectors

Aerospace

Chemicals

...

> Motivations

Espionage

ATK116

> Alias

Cloud Atlas

Inception group

> Suspected origin countries

> Suspected targeted countries

Afghanistan

Armenia

...

> Target sectors

Aerospace

Energy

...

> Motivations

Espionage

ATK5

> Alias

APT 28

APT28

...

> Suspected origin countries

Russia

> Suspected targeted countries

Afghanistan

Armenia

...

> Target sectors

Aerospace

Defense

...

> Motivations

Espionage

Political Manipulation

ATK23

> Alias

Dagger Panda

Ice Fog

...

> Suspected origin countries

China

> Suspected targeted countries

Australia

Austria

...

> Target sectors

Aerospace

Defense

...

> Motivations

Espionage

ATK91

> Alias

TEMP.Veles

TRITON group

...

> Suspected origin countries

Russia

> Suspected targeted countries

Saudi Arabia

> Target sectors

Energy

> Motivations

Espionage

Sabotage

ATK35

> Alias

APT 33

APT33

...

> Suspected origin countries

Iran

> Suspected targeted countries

Iran, Islamic Republic Of

Iraq

...

> Target sectors

Aerospace

Aviation

...

> Motivations

Espionage

ATK32

> Alias

FIN7

GOLD NIAGARA

...

> Suspected origin countries

Ukraine

Russia

> Suspected targeted countries

Australia

France

...

> Target sectors

Casino & Gaming

Communication

...

> Motivations

Financial Gain

ATK103

> Alias

GOLD TAHOE

GRACEFUL SPIDER

...

> Suspected origin countries

> Suspected targeted countries

Canada

Chile

...

> Target sectors

Education

Energy

...

> Motivations

Financial Gain

ATK11

> Alias

APT-C-09

Chinastrats

...

> Suspected origin countries

India

> Suspected targeted countries

Bangladesh

China

...

> Target sectors

Aviation

Embassies

...

> Motivations

Espionage

Information theft

ATK120

> Alias

Cobalt Lyceum

HEXANE

> Suspected origin countries

Unknown

> Suspected targeted countries

Kuwait

South Africa

> Target sectors

Energy

> Motivations

Sabotage

ATK40

> Alias

APT 34

APT34

...

> Suspected origin countries

Iran

> Suspected targeted countries

Azerbaijan

Mauritius

...

> Target sectors

Aerospace

Aviation

...

> Motivations

Espionage