1. Operation Ghoul

In August 2016, researchers at Kaspersky Lab uncovered "Operation Ghoul," a spear-phishing campaign targeting industrial organizations in the Middle East. Each attack began with a phishing email that appeared to come from Emirates NBD, a bank based in the United Arab Emirates. In reality, the email was a fake. It came with an attached document laced with HawkEye, malware which collects victims' keystrokes, clipboard data and other information on behalf of the attackers. At the time of discovery, Kaspersky had identified 130 victims of Operation Ghoul. Most of those organizations operated in the petrochemical, naval, military, aerospace and heavy machinery industries and were located in Spain, Pakistan, the United Arab Emirates, India, Egypt, and elsewhere around the Middle East.
ICS security incidents #1: What We Should Learn

Lane Thames, a software development engineer and security researcher with Tripwire's Vulnerability and Exposure Research Team (VERT), feels Operation Ghoul highlights the security industry's ongoing need to address human error when defending against digital attacks:
2. BlackEnergy-Borne Power Outage

On December 23, 2015, the western Ukrainian power company Prykarpattyaoblenergo reported a power outage that affected an area including the regional capital Ivano-Frankivsk. An investigation later determined that attackers had leveraged a Microsoft Excel document containing malicious macros to compromise an employee's workstation and inject BlackEnergy malware into the company's network. The malware provided "interference" while the attackers cut off power to the affected region.
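The initial vector described above, an Excel attachment carrying a VBA macro, is something a mail gateway can screen for before the document ever reaches a workstation. The following Python script is an added example, not code from the article or from Tripwire: it checks whether an Office attachment contains a VBA project, covering both the zip-based OOXML formats (.xlsm, .docm) and the legacy OLE container (.xls, .doc), and builds constructed sample files to exercise the check. The OLE branch is a byte-level heuristic (it searches the raw file for the UTF-16LE directory-entry name `_VBA_PROJECT`); a full OLE parser such as `olefile` is the robust choice in production.

```python
import io
import zipfile

# Container signatures: legacy OLE compound file and the zip header used by OOXML.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# In legacy binary formats the VBA project lives in a storage whose directory
# entries include a stream literally named "_VBA_PROJECT"; directory entry names
# are stored as UTF-16LE, so that is the byte pattern we look for.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def classify_attachment(data: bytes) -> dict:
    """Return a verdict dict for an Office attachment.

    container: "ooxml", "ole" or "unknown"
    has_macro: True when a VBA project is present
    reason:    short human-readable explanation for the gateway log
    """
    verdict = {"container": "unknown", "has_macro": False, "reason": "not an Office container"}

    if data.startswith(ZIP_MAGIC):
        verdict["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            verdict["reason"] = "corrupt zip container"
            return verdict
        # Macro-enabled OOXML files carry their VBA code in a vbaProject.bin part
        # (xl/vbaProject.bin for Excel, word/vbaProject.bin for Word).
        macro_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if macro_parts:
            verdict["has_macro"] = True
            verdict["reason"] = "contains " + ", ".join(macro_parts)
        else:
            verdict["reason"] = "no vbaProject.bin part"
        return verdict

    if data.startswith(OLE_MAGIC):
        verdict["container"] = "ole"
        if OLE_VBA_MARKER in data:
            verdict["has_macro"] = True
            verdict["reason"] = "_VBA_PROJECT stream name present"
        else:
            verdict["reason"] = "no _VBA_PROJECT stream name found"
        return verdict

    return verdict


def gateway_decision(data: bytes) -> str:
    """Simple policy: quarantine any attachment that carries macro code."""
    return "quarantine" if classify_attachment(data)["has_macro"] else "deliver"


# --- Constructed sample attachments (not real malware, just enough structure to test) ---

def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal zip that mimics the part layout of an .xlsm/.xlsx file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 64)  # placeholder VBA blob
    return buf.getvalue()


def build_fake_ole(with_macro: bool) -> bytes:
    """Construct a byte string with the OLE magic and, optionally, the VBA marker."""
    body = OLE_MAGIC + b"\x00" * 504  # pad to one 512-byte header sector
    if with_macro:
        body += OLE_VBA_MARKER
    return body


if __name__ == "__main__":
    for label, sample in [
        ("xlsm with macro", build_ooxml(True)),
        ("xlsx without macro", build_ooxml(False)),
        ("legacy xls with macro", build_fake_ole(True)),
        ("plain text", b"hello"),
    ]:
        print(f"{label:22s} -> {gateway_decision(sample):10s} {classify_attachment(sample)}")
```

Run as a script it prints one verdict per constructed sample. In a real deployment the same `classify_attachment` check would sit in the mail filter, with the verdict logged so that blocked macro documents show up as a detection signal rather than disappearing silently.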
ICS security incidents #2: What We Should Learn

Pavel Oreški, an IT analyst at Tripwire's parent company Belden, says the attack demonstrates how spam mail continues to pose a serious threat to organizations:
3. Iranian Dam Attack

On March 24, 2016, officials at the Department of Justice publicly accused an Iranian hacker of gaining unauthorized access to the Bowman Avenue Dam, "a very, very small" structure used for flood control near Rye, NY. Law enforcement launched an investigation into the incident and determined that the hacker never succeeded in gaining control of the dam. They did find, however, that the hacker probably learned critical information about how the structure operates. The hacker belonged to a group of criminals which, with the likely sponsorship of Iran's Islamic Revolutionary Guard, is believed to have leveraged distributed denial-of-service (DDoS) attacks to block access to the websites of 46 separate institutions, including JPMorgan Chase, Bank of America, the New York Stock Exchange and Capital One.
ICS security incidents #3: What We Should Learn

Keirsten Brager, CISSP, CASP, a Tripwire Resident Engineer at a major power utility, notes there's a lot going on in this story but that organizations can take steps to protect themselves:
Malware: Defend, Detect, Respond
- Keep patches up-to-date on systems AND applications. In one of the incidents, Symantec reported that the RIG exploit kit was used to check for vulnerabilities in IE, Silverlight, Adobe, and Java. Unpatched machines were then infected with malware.
- Since malware continues to evade network security defenses, organizations should continuously evaluate their endpoint detection and response capabilities. Tripwire has a free Endpoint Security guide to help you: https://www.tripwire.com/state-of-security/incident-detection/advanced-malware-detection-and-response-begins-at-the-endpoint/
- Deploy web app firewalls, such as Imperva, to automatically block known attacks against web apps.
- Change default passwords to prevent devices from becoming part of a botnet. Malware was used to scan the internet for default passwords on IoT devices that were then used as part of a botnet in the recent DDoS attacks against security researcher Brian Krebs and internet infrastructure company Dyn.
- Use services such as OpenDNS to distribute denial-of-service traffic across multiple nodes to lessen the impact on the infrastructure behind it.
- Deploy routers and/or firewalls that can detect DoS attacks and filter traffic to drop packets that match attack patterns.
The Case for Multi-factor Authentication Investments
- The alleged attacker in the Bowman Avenue Dam in Rye, NY maintained continued remote access to their computer systems without multi-factor authentication.
- One of the largest attacks against banking critical infrastructure (JP Morgan Chase) was mainly attributed to the lack of two-factor authentication.
- Booz Allen’s latest threat briefing concluded that the biggest points of failure in the successful DDoS attack against Ukraine’s electricity grid were remote access to the ICS environment and lack of multi-factor authentication.
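The "filter traffic to drop packets that match attack patterns" recommendation in the list above is usually implemented as a rate-based rule on the perimeter device. The following Python script is an added example, not code from the article, from Tripwire or from Keirsten Brager: it runs a sliding-window per-source packet counter over constructed flow log lines (a SYN flood from one address beside a low-rate legitimate client), flags any source that exceeds the threshold within the window, and then applies the resulting drop list to new flow records. The log format and the addresses are assumptions made up for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0   # sliding window length
MAX_PER_WINDOW = 50    # packets from one source per window before it is flagged

# Constructed flow records (assumed format, not from the article):
#   "<epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port> <flags>"
# 60 SYNs from 203.0.113.5 inside 0.6 s, and 10 SYNs from 198.51.100.7 spread over 20 s.
_flood = [f"{1000 + 0.01 * i:.2f} 203.0.113.5 192.0.2.10 tcp 443 S" for i in range(60)]
_normal = [f"{1000 + 2 * i:.2f} 198.51.100.7 192.0.2.10 tcp 443 S" for i in range(10)]
SAMPLE_FLOWS = sorted(_flood + _normal, key=lambda line: float(line.split()[0]))


def parse_flow(line: str) -> tuple:
    """Split one flow line into (timestamp, src, dst, proto, dport, flags)."""
    ts, src, dst, proto, dport, flags = line.split()
    return float(ts), src, dst, proto, int(dport), flags


def detect_floods(lines, window_seconds=WINDOW_SECONDS, max_per_window=MAX_PER_WINDOW) -> dict:
    """Return {src_ip: peak_packets_in_window} for every source exceeding the threshold.

    Lines must be in timestamp order. A deque per source holds the timestamps
    still inside the window; its length is the current rate.
    """
    recent = defaultdict(deque)
    peaks = defaultdict(int)
    for line in lines:
        ts, src, _dst, _proto, _dport, _flags = parse_flow(line)
        window = recent[src]
        window.append(ts)
        # Evict timestamps that have fallen out of the sliding window.
        while window and ts - window[0] > window_seconds:
            window.popleft()
        peaks[src] = max(peaks[src], len(window))
    return {src: peak for src, peak in peaks.items() if peak > max_per_window}


def make_drop_filter(flagged: dict):
    """Build a predicate that says whether a flow line should be dropped."""
    blocklist = set(flagged)

    def should_drop(line: str) -> bool:
        _ts, src, *_rest = parse_flow(line)
        return src in blocklist

    return should_drop


if __name__ == "__main__":
    flagged = detect_floods(SAMPLE_FLOWS)
    print("flagged sources:", flagged)
    should_drop = make_drop_filter(flagged)
    for line in ["1100.00 203.0.113.5 192.0.2.10 tcp 443 S",
                 "1100.00 198.51.100.7 192.0.2.10 tcp 443 S"]:
        print("drop" if should_drop(line) else "pass", line)
```

The threshold and window are deliberately exposed as parameters: on an ICS network the legitimate rate of a given protocol is usually well known, so the numbers should be set from a baseline of normal traffic rather than left at a generic default.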