_I am artificial intelligence._ _The driving force behind the hunt for cyberattackers._ _I am Cognito._ # The hidden threat of cyberattacks in the energy and utilities industry ## 2018 Spotlight Report ----- #### TABLE OF CONTENTS ##### Analysis and lifecycle of an attack on critical infrastructure.. . . . . . . . . . . . . . . . . 3 Command and control.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Internal reconnaissance.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Lateral movement.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Targeting the ICS and SCADA Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 ##### Analysis of cyberattacker behaviors in the energy and utilities industry.. . . . . 4 A chilling reminder to monitor the network for attacker behaviors.. . . . . . . . . . . 9 About the Cognito platform from Vectra. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 ----- [Since at least March 2016, Russian government cyber](https://www.us-cert.gov/ncas/alerts/TA18-074A) [actors targeted government entities and multiple U.S. critical](https://www.us-cert.gov/ncas/alerts/TA18-074A) [infrastructure sectors, including the energy, nuclear, commercial](https://www.us-cert.gov/ncas/alerts/TA18-074A) facilities, water, aviation, and critical manufacturing sectors. An analysis by the U.S. Department of Homeland Security (DHS) and FBI provides insight into the attacker behaviors related to this [malicious activity. The report, Dragonfly: Western energy sector](https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks) _[targeted by sophisticated attack group, released by Symantec on](https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks)_ Sept. 6, 2017, provides additional information about this ongoing cyber campaign. Unfortunately, this is not new. But it highlights an important distinction in attacks that target the energy and utilities industry. There is a difference between attacks that probe IT networks for information and access about critical infrastructure versus attacks against the industrial control system (ICS) on which the critical infrastructure operates. The two are interconnected, but the targeted assets are different. Cybercriminals have been testing and mapping-out attacks against energy and utilities networks for years. These slow, quiet reconnaissance missions involve observing operator behaviors and building a unique plan of attack. The attack that shut down the Ukraine power grid in 2015 was reportedly planned many months in advance by highly skilled and sophisticated cybercriminals. Although the ICS is in the crosshairs, most attacks against the energy and utilities industry occur and succeed inside the enterprise IT network – not in the critical infrastructure. This underscores the importance of identifying hidden attackers inside IT networks before they cause damage to the ICS and steal critical infrastructure blueprints. This spotlight report focuses on those specific cyberattacker behaviors as they relate to the latest attack campaigns used to steal vital ICS information. #### Analysis and lifecycle of an attack on critical infrastructure [A U.S. government alert known as TA18-074A, released by the](https://www.us-cert.gov/ncas/alerts/TA18-074A) DHS computer emergency readiness team in March 2018, outlines Russian government cyber activity targeting energy and other critical infrastructure sectors. The attack campaign detailed in TA18-074A involves two categories of victims: Staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks. Threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. The National Cybersecurity & Communications Integration Center (NCCIC), which is part of the DHS, and the FBI determined that the objective of this attack was to compromise organizational networks. ##### Command and control To carry out this attack, threat actors created web shells on the intended targets’ publicly accessible email and web servers. They used three different file names – global.aspx, autodiscover. aspx and index.aspx – for two different web shells. The difference between the two groups was the public-string password field. The DHS and FBI determined that threat actors leveraged remote access services and infrastructure such as VPN, Remote Desktop Protocol (RDP) and Outlook Web Access (OWA). Threat actors used the infrastructure of staging targets to connect to several intended targets. This command-and-control behavior is _known as external remote access._ ##### Internal reconnaissance Upon gaining access to the intended victims, the threat actors launched reconnaissance operations inside the network. DHS observed the threat actors identifying and browsing file servers within the intended victim’s network. These reconnaissance _behaviors are known as file-share enumeration and RDP recon._ ##### Lateral movement Once inside the targeted network, threat actors used privileged credentials to access the victim’s domain controller, typically using RDP. Once on the domain controller, threat actors used dc.bat and dit.bat batch scripts to enumerate host devices, users and additional information about the environment. This type of lateral _movement behavior is known as suspicious admin._ In at least two instances, threat actors used batch scripts labeled pss.bat and psc.bat to run the PsExec tool. In addition, threat actors changed the name of the PsExec tool to ps.exe. _This type of lateral movement behavior is known as suspicious_ _remote execution._ ##### Targeting the ICS and SCADA Infrastructure In multiple instances, threat actors accessed workstations and servers on a corporate network that contained data output from the ICS inside energy generation facilities. This involved suspicious _admin and suspicious Kerberos account behaviors._ ----- The threat actors accessed files pertaining to ICS or supervisory control and data acquisition (SCADA) systems. Based on a DHS analysis of existing compromises, these file names included ICS vendor labels and ICS reference documents pertaining to the organization, such as SCADA WIRING DIAGRAM.pdf and SCADA _PANEL LAYOUTS.xlsx. These types of actions are known as data_ _smuggler behaviors._ [Figure 1: In the federal alert known as TA18-074A, the DHS reconstructed samples of data](https://www.us-cert.gov/ncas/alerts/TA18-074A) extracted from energy and utilities organizations by attackers #### Analysis of cyberattacker behaviors in the energy and utilities industry The information in this spotlight report is based on observations [and data from the 2018 Black Hat Edition of the Attacker Behavior](https://info.vectra.ai/abir-2018-blackhat-edition) [Industry Report from Vectra[®]. The report reveals attacker behaviors](https://info.vectra.ai/abir-2018-blackhat-edition) and trends in networks from over 250 opt-in customers in manufacturing and eight other industries. From January-June 2018, the Cognito™ cyberattack-detection and threat-hunting platform from Vectra monitored network traffic and collected rich metadata from more than 4 million devices and workloads from customer cloud, data center and enterprise environments. The analysis of this metadata provides a better understanding about attacker behaviors and trends as well as business risks, enabling Vectra energy and utilities customers to avoid catastrophic data breaches. |Col1|Col2| |---|---| |Command and Control|| ||| |External Remote Access (194 detections) Attackers installed tools to carry out operations against intended victims including VPN, RDP, and OWA|| |Col1|Col2| |---|---| |Reconnaissance|| ||| |File Share Enumeration (93 detections) RDP Recon (54 detections) Attackers identified file servers within the network; enumerated hosts, users, and additional environmental data|| |Col1|Col2| |---|---| |Lateral Movement|| ||| |Suspicious Remote Execution (314 detections) Suspiciuos Admin (37 detections) Suspiciuos Kerberos Account (2 detections) Attackers used priviledged credentials to access domain controllers via RDP, accessed workstations and servers containing data output from control systems|| |Col1|Col2| |---|---| |Exfiltration|| ||| |Data Smuggler (293 detections) Attackers accessed files pertaining to ICS or SCADA|| Figure 2: Monthly number of attacker behaviors in the energy and utilities industry per 10,000 devices and workloads The Cognito platform observed that cyberattackers used the same types of threat behaviors to spy, spread, and steal data from energy and utilities enterprise networks. Every industry has a profile of network and user behaviors specific to their industry because of their business model, applications and processes. These behavior profiles allow attackers to hide, making it difficult for anomaly detection to succeed because their behaviors blend in with traffic from legitimate users. ----- ### Command-and-control attacker behaviors 600 500 400 18 29 300 108 200 66 100 0 All Industries Energy and Utilities External Remote Access Hidden DNS CnC Tunnel Hidden HTTP CnC Tunnel Hidden HTTPS CnC Tunnel Malware Update Peer-to-Peer Pulling Instructions Stealth HTTP Post Suspicious Relay Threat Intelligence Match CnC TOR Activity Figure 3: Command-and-control attacker behaviors in the energy and utilities industry per 10,000 host devices Every cyberattack begins with some form of command and control, and one of the most dangerous forms is external remote access. The Cognito platform detected 194 command-and-control attack behaviors for every 10,000 host devices inside energy and utilities networks, as shown in Figure 3. With external remote access, attackers directly control host devices rather than using an automated form of command and control. External remote access behaviors can involve internal host devices connecting to an external server. In this case, the traffic pattern is inverse from normal client-to-server traffic. Clients receive instructions from the server and a human on the outside controls the exchange. Energy and utilities organizations use forms of remote access technology to improve productivity and it can be a legitimate command-and control behavior. However, the presence of remote network access traffic introduces a risk because it enables attackers to blend in while performing the same types of external remote access for nefarious deeds. This is especially true when attackers leverage commonly-used remote access tools like FortiClient VPN. ----- ### Internal reconnaissance attacker behaviors 1000 800 57 600 192 400 140 54 200 0 All Industries Energy and Utilities File Share Enumeration Internal Darknet Scan Kerberos Account Scan Port Scan Port Sweep RDP Recon SMB Account Scan Suspicious LDAP Query Figure 4: Reconnaissance attacker behaviors in the energy and utilities industry per 10,000 host devices Reconnaissance inside a network is a precursor to the more risky and damaging stages of active attacks that ultimately exposes an organization to the substantial risk of data acquisition and exfiltration. The two most prevalent reconnaissance behaviors in the DHS report are file-share enumeration and RDP recon activity. As shown in Figure 4, the Cognito platform detected 93 file-share enumeration attempts in energy and utilities per 10,000 host devices and workloads. RDP recon activity occurred 54 times per 10,000 host devices and workloads. File-share enumeration behaviors occur when a host device accesses inordinately more file-shares than normal. Enumeration might indicate a host device is accessing many file-shares as a user attempts to find a file or directory. However, enumerating file-shares on a network is also an effective way for attackers to find data to exfiltrate or data that helps further the attack. In conjunction with file-share enumeration, a scan via RDP is an effective way for an attacker to determine the accounts available within an organization’s network and the RDP servers that accept logins via the accounts. File-share enumeration and RDP reconnaissance are quiet, less noticeable forms of reconnaissance behavior than port sweeps or port scans. As a result, attackers often feel they can use these tools with relatively low risk of detection. ----- ### Lateral movement attacker behaviors 1200 1000 800 113 600 139 400 48 152 200 0 All Industries Energy and Utilities Automated Replication Brute-Force Attack (internal) Kerberos Brute Force Kerberos Server Access Shell Knocker Client Shell Knocker Server SMB Brute-Force Attack SQL Injection Activity Suspicious Admin Suspicious Kerberos Account Suspicious Kerberos Client Suspicious Remote Execution Threat Intelligence Match Lateral Figure 5: Lateral movement attacker behaviors in the energy and utilities industry per 10,000 host devices Lateral movement inside a network exposes a larger attack surface to cybercriminals and substantially increases the risk of data acquisition and data exfiltration. Unexplained and unusual patterns of use of host devices, domain controllers and services are involved in almost all major breaches. Attacks carried out by insiders will often exhibit unusual patterns of use as well. The compromised host devices and services accessed provide perspective on the potential business impact. As reported by the [TA18-074A alert issued by the DHS, the most common lateral movement behaviors inside energy and utilities companies were suspicious](https://www.us-cert.gov/ncas/alerts/TA18-074A) remote execution. As shown in Figure 5, the Cognito platform detected 314 suspicious remote execution behaviors per 10,000 workloads and devices. The suspicious use of Kerberos accounts was detected two times per 10,000 host devices and workloads, while suspicious administrative activity was observed 37 times per 10,000 host devices and workloads. Lateral movement via remote execution is a key element of many different attacks and the server message block (SMB) channel allows the copying of executables and executing them via remote procedure call (RPC). Systems that are authorized to perform remote execution should be monitored because they enable attackers to hide in plain sight. ----- A Kerberos account is suspicious when it is used differently than expected in one or more ways. This includes connecting to unusual domain controllers, using unusual host devices and accessing unusual services, or generating unusual volumes of Kerberos requests using normal domain controllers, usual host devices and usual services. More importantly, administrative protocols are a favorite tool of attackers because they allow cybercriminals to move laterally inside networks where they have already established a durable foothold. Because administrative connections are typically used in conjunction with administrative credentials, attackers often have unconstrained access to systems and data that are critical to energy and utilities organizations. Unexpected and unexplained administrative connections represent a huge potential risk in the lifecycle of a major breach. ### Data exfiltration attacker behaviors 450 22 400 37 350 105 65 300 250 92 200 150 293 100 173 50 0 All Industries Energy and Utilities Data Smuggler Hidden DNS Exfil Tunnel Hidden HTTP Exfil Tunnel Hidden HTTPS Exfil Tunnel Smash and Grab Figure 6: Exfiltration attacker behaviors in the energy and utilities industry per 10,000 host devices Energy and utilities networks exhibit significant behaviors in which internal host devices acquire large amounts of data from one or more internal servers and send large amounts of data to an external system. These behaviors alone do not necessarily indicate an attack. An attack is likely when exfiltration behaviors correlate with other attacker behaviors in different phases of the attack lifecycle, such as command and control, reconnaissance or lateral movement. It is also critical to ensure that systems communicate only to approved locations. As shown in Figure 6, these exfiltration behaviors, described as data smuggler, were detected by the Cognito platform inside energy and utilities networks 293 times per 10,000 host devices and workloads. ----- To understand if these potential threat behaviors are of concern, the internal servers from which the data was retrieved can provide some indication of the type of data that was acquired. If those servers contain valuable information and the external service to which data was uploaded is not an IT-authorized service, the potential business risk is exceptionally high. #### A chilling reminder to monitor the network for attacker behaviors Monitoring the network for attacker behaviors may provide the only clues to tracking their steps since the attacker may have erased evidence on endpoints as well as logs. [Based on the TA18-074A alert released by the DHS about the](https://www.us-cert.gov/ncas/alerts/TA18-074A) Russian government attack campaign against energy and other critical infrastructure sectors, threat actors in multiple instances created new accounts on staging targets to perform cleanup operations. The accounts were used to clear the following Windows event logs: System, security, terminal services, remote services, and audit. The threat actors also removed applications they installed while they were in the network along with any logs produced. For example, the Fortinet client installed at one commercial facility was deleted along with the logs that were produced from its use. Finally, data generated by other accounts used on the accessed systems were deleted. Threat actors cleaned up the target networks by deleting created screenshots and specific registry keys. Through forensic analysis, the DHS determined that threat actors deleted the registry key associated with a terminal server client that tracks connections made to remote systems. Threat actors also deleted all batch scripts, output text documents and tools they brought into the environment, such as scr.exe. #### About the Cognito platform from Vectra To combat attacks in the energy and utilities industry, the Cognito platform from Vectra inspects rich metadata from all network traffic to identify attacker behaviors in real time, even when cybercriminals try to cover their tracks. The Cognito platform uses AI – including supervised and unsupervised machine learning techniques – to perform non-stop, automated threat detection. Always-learning behavioral models are driven by AI to quickly and efficiently find hidden and unknown attackers before they do damage. Cognito provides full visibility into attacker behaviors, from cloud and data center workloads to user and internet-of-things devices, leaving attackers with nowhere to hide. Cognito Detect™ and its AI counterpart, Cognito Recall™, are the cornerstones of the Cognito platform. Cognito Detect automates the real-time detection of hidden attackers while giving Cognito Recall a logical starting point to perform AI-assisted threat hunting and conclusive incident investigations. To learn more about other cyberattacker behaviors seen in real world cloud, data center and enterprise environments, get the [2018 Black Hat Edition of the Attacker Behavior Industry Report](https://info.vectra.ai/abir-2018-blackhat-edition) from Vectra. ----- _I am artificial intelligence._ _The driving force behind the hunt for cyberattackers._ _I am Cognito._ **Email info@vectra.ai Phone +1 408-326-2020** [vectra.ai](http://vectra.ai) © 2018 Vectra Networks, Inc. All rights reserved. Vectra, the Vectra Networks logo, Security that thinks and Cognito are registered trademarks and Cognito Detect, Cognito Recall, the Vectra Threat -----