Potential cyber attacks have a lot of people worried thanks to the recent conflict in Ukraine. So it might be appropriate to review what happened when cybersecurity firm FireEye’s Mandiant team demonstrated how to infiltrate the network of a North American utility. During this exercise, Mandiant hacked into the utility’s industrial control systems and switched off one of its smart meters.
A point to note is that most large industrial firms wall off their industrial networks from their ordinary IT networks in some way. The utility that Mandiant stress-tested thought it had protected its network this way. These measures slowed Mandiant down but didn’t stop its researchers from eventually owning the industrial network.
In the first phase of the attack, the Mandiant team adopted techniques used by Iranian hackers to breach an industrial network in an attack on a Saudi petrochemical plant. The usual approach, says Mandiant, is to first break into the company IT network, rather than the industrial network, to collect information about security operations.
The way Mandiant hacked into the network during its exercise was almost embarrassingly simple: It emailed a Microsoft Office document containing auto-executing macro code, with a link to a malicious file embedded in the attachment. This got the white-hat hackers to a point where they could execute code on a single user workstation connected to the IT side of the network. Then they used a set of publicly available offensive security tools to make their code appear to run with the privileges of a domain administrator.
It is interesting to review some of the tools they employed, all of which are publicly available. One called ldapsearch retrieves information from LDAP servers (which often store usernames and passwords). Another called PowerSploit is a collection of programs written in PowerShell, the scripting language used to manage Windows IT resources. Typical PowerSploit tasks include listing installed security packages, impersonating logon tokens, and creating logons without triggering suspicious event warnings.
To get from the initial compromised workstation out to other equipment installed on the network, the Mandiant hackers used a program called WMImplant, also written in PowerShell, to access remote servers and run programs or issue commands on them. Then a program called Mimikatz extracted credentials for local user and domain administrator accounts.
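The two hand-offs described above (an Office macro launching code on the first workstation, and PowerShell run remotely over WMI to reach other machines) both leave a process-creation trail a defender can watch for. The script below is an added example, not from the article or from Mandiant; it runs over constructed Sysmon-style process-creation events (the `host`, `parent`, `image` and `cmdline` field names are assumed) and flags a scripting host spawned by an Office application or by the WMI provider host.

```python
"""Flag parent/child process pairs matching the attack chain in the article.
Added example on constructed data; field names (host, parent, image, cmdline) are assumed."""
import re
from typing import Dict, List, Optional, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
WMI_HOST = "wmiprvse.exe"  # WMI provider host: parent of commands run remotely via WMI

def parse_event(line: str) -> Dict[str, str]:
    """Parse a key=value line; quoted values may contain spaces."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a tag for the suspicious pairings the article describes, else None."""
    parent, child = basename(ev.get("parent", "")), basename(ev.get("image", ""))
    if child not in SCRIPT_CHILDREN:
        return None
    if parent in OFFICE_PARENTS:
        return "office-macro-spawn"   # document macro launching a scripting host
    if parent == WMI_HOST:
        return "wmi-remote-exec"      # remote execution over WMI (WMImplant-style)
    return None

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, tag, cmdline) for every flagged event, in input order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        tag = classify(ev)
        if tag:
            hits.append((ev.get("host", "?"), tag, ev.get("cmdline", "")))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    'host=WS01 parent="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -NoProfile -Command Get-Process"',
    'host=SRV02 parent=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -NoProfile -Command Get-Service"',
    'host=WS01 parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline=powershell',
    'host=WS01 parent="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" image=C:\\Windows\\splwow64.exe cmdline=splwow64.exe',
]

if __name__ == "__main__":
    for host, tag, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}: {tag}: {cmd}")
```

Only the first two sample events are flagged; an interactive PowerShell started from Explorer and a print helper spawned by Word are left alone.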
Once they had free run of the IT network, Mandiant’s team determined targets of interest (people, processes, or technology) and looked for avenues from the IT network to the industrial network. There turned out to be several ways of getting control of the industrial side. Perhaps the most obvious was to get someone to copy a malicious file onto a USB stick that was then plugged into the industrial network. Mandiant also found that some applications on the industrial network accessed data and services on the compromised IT side; similarly, some applications on the compromised IT side could reach the industrial server.
Perhaps the biggest security screw-up was that the utility used a single centralized administration system that managed resources on both the IT and the industrial network. This software resided on the IT network. So once Mandiant got control of the IT network, it pretty much had admin status on everything. That made it easy for the researchers to steal login credentials for the meter control infrastructure and issue a command to disconnect the smart meter.
For a bit of irony, consider that back in 2015 a popular TV series called Mr. Robot depicted a hack of a climate control system. The show was praised at the time because experts claimed its hacking approach was realistic. The hack hinged on issuing bogus commands from a rogue controller spliced onto the industrial network, which could be accessed via an ordinary internet connection.
Today, sophisticated firewalls between IT and industrial networks, VPNs, and similar measures are supposed to thwart such antics. But clearly even companies that should know better are still susceptible to the Mr. Robots of the world.