###### Whitepaper

### HOW DRAGOS ACTIVITY GROUPS OBTAIN INITIAL ACCESS INTO INDUSTRIAL ENVIRONMENTS

###### Conor McLaren
Senior Threat Intelligence Analyst, Threat Intelligence | Dragos, Inc.

**[info@dragos.com](mailto:info@dragos.com)** **[@DragosInc](http://www.twitter.com/DragosInc)**

-----

As the threat landscape continues to evolve with a perpetual influx of new network anomalies and Indicators of Compromise (IOCs), prudent defenders must focus on more actionable elements of attack characteristics, such as Tactics, Techniques and Procedures (TTPs). One such example is the Initial Access tactic. An adversary uses Initial Access techniques to gain an initial foothold within a victim environment.[1] This is perhaps one of the most crucial tactics adversaries use as part of an intrusion, as most attacks (excluding those such as denial of service) cannot succeed without first obtaining access to the target environment. As such, defenders consider it a critical dependency of all other tactics.

While some adversaries see initial access as the means to perform further actions on objectives, a number of Dragos Activity Groups focus on developing and obtaining initial access against industrial organizations. A prime example is PARISITE’s exploitation of known VPN vulnerabilities in order to obtain initial access and enable further operations for the MAGNALLIUM Activity Group.[2] Given this characteristic, eliminating (or reducing) initial access vectors can prove to be a successful method of thwarting many intrusion attempts, particularly when there is consistency in the underlying adversarial techniques.
This white paper steps through the most common initial access techniques Dragos observes being used by activity groups, in order to equip defenders with the vital elements of threat behavior knowledge needed to address the associated risks.

###### Industrial Control Systems/Operational Technology (ICS/OT) organizations should be well-versed in Initial Access techniques for the following reasons:

• Initial access is the prerequisite to further stages of an attack; focusing on this tactic therefore helps defenders prioritize their efforts.
• The rapidly changing nature of network anomalies and IOCs mandates a focus on threat behaviors, such as the more slowly changing TTPs.
• While direct access to an ICS/OT environment is the code-red initial access scenario, gaining access to a corporate/IT network can act as a precursor to an ICS/OT pivot.
• Numerous Dragos-tracked Activity Groups have been known to explicitly target or develop initial access to industrial organization environments.

-----

###### MITRE ATT&CK FOR ICS Initial Access [TA0001]

• Drive-By Compromise [T0817]
• Exploit Public-Facing Infrastructure [T0819]
• Exploitation Of Remote Services [T0866]
• External Remote Services [T0822]
• Internet Accessible Device [T0883]
• Remote Services [T0886]
• Replication Through Removable Media [T0847]
• Rogue Master [T0848]
• Spearphishing Attachment [T0865]
• Supply Chain Compromise [T0862]
• Transient Cyber Asset [T0864]
• Wireless Compromise [T0860]

-----

##### OBSERVED INITIAL ACCESS TECHNIQUES BY KNOWN ACTIVITY GROUPS

[Figure 1: High Level Structure of the SOFIT Ontology]
Given that both the exploitation of public-facing applications and the exploitation of remote services often depend on the existence of known vulnerabilities, adopting a regular patching routine is paramount to reducing the incidence of this vector. However, in some scenarios patching alone may not suffice, placing greater reliance on additional controls and mitigations, such as multi-layered security paired with proactive threat hunting and the application of threat intelligence products.

-----

The Drive-By Compromise technique has been leveraged by at least four of the 15 Dragos Activity Groups to obtain initial access.
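As an added example (not part of the Dragos whitepaper), the following Python script shows one way a defender could turn the ATT&CK for ICS Initial Access technique list above into simple hunting rules run over log events. The technique IDs and names are the ones listed in the paper; the matching predicates, log format, hosts and users are constructed for illustration.

```python
import re

# Technique IDs and names are the ATT&CK for ICS Initial Access entries
# listed in the paper; the predicates are constructed heuristics,
# not Dragos detection content.
RULES = [
    ("T0822", "External Remote Services",
     lambda e: e.get("kind") == "vpn_login" and e.get("src_zone") == "internet"
     and e.get("mfa") is False),
    ("T0847", "Replication Through Removable Media",
     lambda e: e.get("kind") == "usb_insert"
     and e.get("host_role") == "engineering_workstation"),
    ("T0865", "Spearphishing Attachment",
     lambda e: e.get("kind") == "mail" and e.get("macros") is True),
    ("T0883", "Internet Accessible Device",
     lambda e: e.get("kind") == "inbound_conn" and e.get("src_zone") == "internet"
     and e.get("dst_zone") == "ics"),
]

# Constructed sample key=value log lines (hypothetical hosts and users).
SAMPLE_LOGS = """\
kind=vpn_login user=contractor7 src_zone=internet mfa=false result=success
kind=usb_insert host=EWS-01 host_role=engineering_workstation
kind=mail user=ops_lead attachment=maintenance_schedule.docm macros=true
kind=inbound_conn src_zone=internet dst_zone=ics dst_port=502 result=accepted
kind=vpn_login user=admin src_zone=internet mfa=true result=success
"""

def parse_line(line):
    """Parse one key=value line into a dict; 'true'/'false' become bools."""
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S+)", line):
        fields[key] = {"true": True, "false": False}.get(value.lower(), value)
    return fields

def tag_events(text):
    """Return (technique id, technique name, event) for every matching line."""
    hits = []
    for line in text.splitlines():
        event = parse_line(line)
        if not event:
            continue
        for tid, name, matches in RULES:
            if matches(event):
                hits.append((tid, name, event))
    return hits

if __name__ == "__main__":
    for tid, name, event in tag_events(SAMPLE_LOGS):
        print(f"{tid} {name}: {event}")
```

Each hit carries the technique ID, so triage output can be mapped straight back to the tactic list the paper is organized around.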