Bringing cybersecurity globally to critical and complex key activities
Understanding the cyber threat:
There are three characteristics that make the sector particularly vulnerable to contemporary cyber threats:
• First, an increased number of threats and actors targeting public services: state actors seeking to cause security and economic disruption, cyber criminals who understand the economic value represented by the sector, and hacktivists seeking to publicly express their opposition to general utility projects or programs
• Second, the extensive and growing attack surface of utilities, resulting from their geographic and organizational complexity, inclunding the decentralized nature of many organizations’ cyber security leadership
• Finally, the electricity and gas sector’s unique interdependencies between physical and cyber infrastructure make companies vulnerable to exploitation
• The Power Sector is in transition. Global trends are creating an environment of disruption and driving the need for digital industrial software and services for the energy industry to become more efficient, reliable, secure, and sustainable.
• At the end of 2018, more than 456 commercial nuclear power reactors (>400 GW) are in operation and provide about 12 percent of the world’s electricity. More than 140 GW of new capacity are foreseen by 2025.
• Organizations in the sector are thus expanding their networks and making them more efficient and dedicated through increased digitalization. This implies an extension and a strengthening of SCADA and ICS systems.
In early May 2021, the Colonial Pipeline suffered a ransomware attack that forced it to shut down its entire network to prevent the malware from spreading.
Indeed, Colonial Pipeline, the largest oil pipeline in the United States, halted its operations after suffering what is believed to be a ransomware attack. Colonial Pipeline transports refined petroleum products between refineries on the Gulf Coast and markets in the southern and eastern United States. The company transports 2.5 million barrels per day through its 5,500- mile pipeline and supplies 45% of all fuel consumed on the East Coast.
This attack demonstrates how a cybercriminal attack can affect the national security of a state. Indeed, the attack forced the company to shut down 5,500 miles of fuel lines, and led the Federal Motor Carrier Safety Administration (FMCSA) to issue a regional emergency declaration affecting 17 east coast states and the District of Columbia.
In 2015, Ukraine also suffered a cyberattack that had dramatic consequences for national security, causing a major electrical blackout in the west of the country. This incident is a landmark as it was the first successful cyberattack on a power grid. Hackers managed to access the systems of three energy distribution companies, forcing them to temporarily shut down their operations.
In order to describe the threat landscape, we need to distinguish between two major types of attacks:
• The relatively small userbase of the OT local area control network and lack of a direct connection to the internet or email greatly diminishes the attack surface available to ambitious cybercriminals compared to the much more exposed IT environment.
• This difference tends to influencehackers to utilize the IT network as an easier attack vector into OT (indirect attack). Forensic analysis of some focused attacks on critical infrastructures show that access to the control network was gained by first compromising the more exposed IT network
• The preferred attack vector is often a successful email phishing campaign that either sophisticated malware to be installed which later allows successful harvesting of usernames and passwords and network architecture
• EKANS is an obfuscated ran - somware written in the Go pro - gramming language, first obser - ved in late December 2019. Its activity is similar to MEGACOR - TEX version 2 which appeared in mid-2019
• It checks for the existence of a Mutex value, «EKANS», on the victim
• • If present, the ransomware will stop with an «already encryp - ted!» message and if present the encryption proceeds using stan - dard encryption library functions
• The main functionality on vic - tim systems is achieved via WMI (Windows Management Instru - mentations) calls
• Before data encryption: EKANS stops the processes listed by pro - cess name in a hard-coded list in the malware’s coded strings for the majority of listed processes, databases, data backup solutions or ICS-related processes
• After that EKANS displays a ransom note
- the inclusion of GUI software
ATK41
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK51
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK14
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK117
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK3
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK6
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK88
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK89
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK4
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK116
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK5
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK23
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK91
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK35
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK32
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK103
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK11
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK40
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations
ATK120
> Alias
> Suspected origin countries
> Suspected targeted countries
> Target sectors
> Motivations