.png?width=40&height=40&name=search%201%20(1).png){kind=small}
September 2017 has been a bad month for Americans.
Here’s what has consumed the news so far:
Attacks against Industrial Ethernet deployments aren’t new (we talked about the late-2015 Ukraine incident when it occurred). But this is the first time we’ve seen such advanced threats hit home—now what do we do?
On September 6, 2017, Symantec released a report about how Dragonfly, a state-sponsored hacker group tied to the Russian government, gained access to dozens (and possibly more) operational networks throughout the United States.
This is more than a little concerning for critical infrastructure companies just now embracing Industrial Ethernet. Turning back against Industrial Ethernet isn’t an option, so we have to understand what went wrong in the Dragonfly attacks.
According to Symantec, the earliest known piece of this campaign against the U.S. power grid was launched in December 2015 (around the same time as the Ukraine attack) when malicious emails targeted specific stakeholders in the American energy sector. These spear phishing attacks continued as infected attachments and links leaked Industrial Ethernet network credentials to an external server.
It wasn’t until July 2017 that researchers discovered that Dragonfly was using a publicly-available toolkit, Phishery, to continue stealing credentials. In addition to Phishery-based email attacks, Dragonfly compromised specific websites that energy-sector stakeholders were known to visit in an effort to steal more credentials.
The main objective for Dragonfly was to collect as many credentials as possible to increase the success rate of escalation. Symantec found one compromised stakeholder who visited an infected server was hit with a backdoor that gave attackers remote access to their operational systems.
Backdoor access to Industrial Ethernet networks gives attackers two opportunities. First, to understand more about the inner-workings of critical infrastructure companies. And second, to potentially shut down sectors of the power grid at will.
We haven’t seen a widespread power grid shutdown. But we might if we don’t do something to cut these types of attacks off right now!
These Dragonfly attacks make for a scary story, that’s for sure. However, let’s take note of a few key details.
Understand that these attacks didn’t take advantage of a single zero-day threat. It’s so easy to think that attackers are coming up with these innovative, never-before-seen ways of compromising networks. But here’s Dragonfly using a set of publicly-available tools and getting through Industrial Ethernet deployments just fine.
The real point that can’t be overlooked is how long these attacks have been taking place. Dragonfly didn’t suddenly hack into American power companies on September 6, 2017. Credentials have been collected since as early as 2015, meaning network traffic has been compromised for almost two years (that Symantec knows of).
How can we let attackers sit in our Industrial Ethernet deployments for years without being noticed? It’s because so many operational networks are being built without visibility in mind.
In the instance of the Dragonfly attacks, the backdoor collection of data from external sites could have been avoided with the deployment of passive, listen only network TAPs. These TAPs are uni-directional and do not have the ability to send any data into a live network. Critical infrastructure, like the power grid as well as government and military installations require this type of network design to ensure ‘no injection’ can be made.
Without a baseline for Industrial Ethernet traffic, it’s impossible to see when the network has been compromised and put a stop to attacks. Now that Industrial Ethernet attacks have hit home, it’s time to do something about them.
