Nov 13 2023


Category: Grid Vulnerabilitiesdisc7 @ 9:11 am

Living-off-the-land (LotL) techniques in cyber attacks refer to the use of legitimate, native tools already present in the target system to carry out malicious activities. This approach is particularly stealthy because it leverages tools and processes that are typically trusted and thus less likely to raise alarms. In the context of Operational Technology (OT) or Industrial Control Systems (ICS), such attacks can be especially dangerous due to the critical nature of the systems involved. Here’s how such an attack might work, with examples:


  • Example: A phishing email is sent to an employee in the OT/ICS environment. The email contains a seemingly harmless document that, when opened, executes a PowerShell script (a native Windows tool) to create a backdoor.


  • Example: Once inside the network, attackers might use legitimate system administration tools like Windows Management Instrumentation (WMI) or Remote Desktop Protocol (RDP) to move laterally across the network, searching for critical OT/ICS components.


  • Example: Attackers might use built-in tools like Netstat to identify security software or firewall settings and then use other native scripts or commands to disable these defenses, or to elevate their access privileges within the system.


  • Example: Tools like Tasklist or Systeminfo (native to Windows) are used to gather information about the system, such as running processes, installed software, or network configurations relevant to the OT/ICS environment.


  • Example: In an ICS environment, attackers might use standard industrial communication protocols like Modbus or DNP3 (which are legitimate and essential for normal operations) to send malicious commands to control systems, potentially disrupting physical processes like power generation or water treatment.


  • Example: Attackers could use standard data transfer tools like FTP or even Windows BITS (Background Intelligent Transfer Service) to exfiltrate stolen data, or to maintain persistence by regularly updating malware or downloading additional tools.


  • Example: To erase their tracks, attackers might use native cleanup tools or scripts to delete logs or any evidence of their activities, making detection and forensics much more difficult.

In late 2022, a significant cyber-physical incident occurred in Ukraine, attributed to the Russia-linked threat actor Sandworm. This event targeted Ukrainian critical infrastructure and utilized a multi-event cyber attack strategy, incorporating innovative techniques to impact industrial control systems (ICS) and operational technology (OT). The Sandworm actor employed OT-level living-off-the-land (LotL) techniques, likely causing a substation’s circuit breakers to trip and resulting in an unplanned power outage. This outage coincided with mass missile strikes across Ukraine’s critical infrastructure. Additionally, Sandworm executed a second disruptive event by deploying a new variant of CADDYWIPER malware in the victim’s IT environment.

This attack exemplifies the latest advancements in Russia’s cyber-physical attack capabilities, particularly visible since Russia’s invasion of Ukraine. The techniques used indicate a maturing offensive OT arsenal, capable of identifying novel OT threat vectors, developing new capabilities, and leveraging various types of OT infrastructure for attacks. Utilizing LotL techniques likely reduced the time and resources required for the cyber-physical attack. Although the initial intrusion point remains undetermined, the rapid development of the OT component of this attack suggests the actor’s ability to swiftly create similar capabilities against other OT systems globally.

Sandworm, active since at least 2009, is a versatile threat actor conducting espionage, influence, and attack operations, primarily supporting Russia’s Main Intelligence Directorate (GRU). The group’s primary focus has been Ukraine, where it has orchestrated disruptive and destructive attacks using wiper malware, especially during Russia’s re-invasion in 2022. However, Sandworm’s activities extend globally, underlining the Russian military’s extensive ambitions and interests in various regions. The group’s global threat activity and novel OT capabilities necessitate proactive measures from OT asset owners to mitigate potential risks.

As per mandiant research, the 2022 intrusion began or prior to June 2022, culminating in two disruptive events on October 10 and 12. Sandworm accessed the OT environment via a hypervisor hosting a SCADA management instance for a substation, potentially having SCADA system access for up to three months. On October 10, Sandworm used an optical disc (ISO) image, “a.iso,” to execute a native MicroSCADA binary, likely for malicious control commands to switch off substations. The attackers, got into the operational technology (OT) system through a key piece of software (a hypervisor) that managed the control system (SCADA) of a power substation. This means they had access to the system that controls how the power substation works. For up to three months, they could have been inside this system without being detected. On October 10, they used a special file (an ISO image named “a.iso”) to run a command in the control system that was likely intended to turn off power substations.

This case underscores the evolving nature of cyber threats, particularly in critical infrastructure sectors. The increasing sophistication and rapid development of such attacks highlight the need for enhanced cybersecurity measures, continuous monitoring, and preparedness against novel and complex cyber threats in OT and ICS environments.

In OT/ICS environments, such LotL attacks are particularly concerning because they:

  • Are harder to detect due to the use of legitimate tools.
  • Can cause significant physical and operational damage.
  • May bypass traditional security measures that don’t account for malicious use of native tools.

Defending against such attacks requires a combination of robust cybersecurity practices, including employee training, network segmentation, constant monitoring for anomalous behaviors, and regular updating and patching of all systems.

Business internet safety guide

Prepare Your Home for a Sudden Grid-Down Situation: Take Self-Reliance to the Next Level with Proven Methods and Strategies to Survive a Grid-Down … the Modern Family to Prepare for Any Crisis)

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Grid Vulnerabilities, Power grid vulnerabilities

Aug 16 2022

Clop Ransomware Gang Breaches Water Utility, Just Not the Right One

South Staffordshire in the UK has acknowledged it was targeted in a cyberattack, but Clop ransomware appears to be shaking down the wrong water company.

Uk man hole cover

South Staffordshire plc, a UK water-supply company, has acknowledged it was the victim of a cyberattack. Around the same time, the Clop ransomware group started threatening Thames Water that it would release data it has stolen from the utility unless Thames Water paid up.

The problem? Thames Water wasn’t breached. 

Apparently, Clop got its UK water companies confused. 

South Staffordshire serves about 1.6 million customers and recently reported that it was targeted in a cyberattack and was “experiencing a disruption to out corporate IT network and our teams are working to resolve this as quickly as possible.” It added there has been no disruption on service. 

“This incident has not affected our ability to supply safe water, and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers,” the water company said. 

Meanwhile, Thames Water, the UK’s largest water supplier to more than 15 million people, was forced to deny it was breached by Clop ransomware attackers, who threatened they now had the ability to tamper with the water supply, according to reports. 

“As providers of critical national infrastructure, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide resilient services to our customers and the environment,” the larger water company told the UK Mirror

While Clop seems to have its records all wrong, both water utilities mounted capable responses to the ransomware group’s attack on critical infrastructure, according to Edward Liebig, global director of cyber ecosystem at Hexagon Asset Lifecycle Intelligence. 

“I’m impressed by South Staffordshire Water’s ability to defend against the cyberattack in the IT systems and buffer the OT systems from impact,” Liebeg said. “And had Thames Water not done an investigation of the ‘proof of compromise,’ they may very well have decided to negotiate further. In both instances, each organization did their due diligence.”

Ransomware Protection Playbook

Tags: ransomware attacks, Ransomware Protection Playbook

Apr 19 2021

Experts demonstrated how to hack a utility and take over a smart meter

Category: Grid VulnerabilitiesDISC @ 3:19 pm

Researchers from the FireEye’s Mandiant team have breached the network of a North American utility and turn off one of its smart meters.

Over the years, the number of attacks against ICS/SCADA systems used by industrial organizations worldwide has rapidly increased. Many security firms highlighted the risks related to attacks targeting OT networks used in utilities.

Among the most clamorous attacks against industrial organizations, there is the 2015 attack against the electric grid in Ukraine and the 2017 Triton attack against a Saudi petrochemical plant.

Recently FireEye’s incident response unit Mandiant demonstrated how to infiltrate the network of a North American utility and hack into its industrial control systems to turn off one of its smart meters.

The scope of the test was to demonstrate tactics, techniques, and procedures used by threat actors to breach the protected perimeter between an IT network and an OT network.

In the first phase of the attack, the Mandiant team adopted techniques used by TEMP.Veles to breach the OT network during the TRITON attack.

“Mandiant’s experience during red team engagements highlights that collecting information from IT network assets plays a crucial role in targeted OT attacks. As a result, the internal reconnaissance phase for OT targeted attacks begins in the enterprise network, where the actor obtains knowledge and resources to propagate from an initial compromise in the IT network to remote access in the OT network.” states the FireEye’s report. “Detailed information collected about the target, their security operations, and their environment can also support an actor’s attempts at remaining undetected while expanding operations.”

Mandiant’s red team initially targeted the external-facing IT network, then attempted to gain access to the OT network.

Tags: Smart meters

Feb 04 2021

Smart meters and hackers

Category: cyber security,Grid VulnerabilitiesDISC @ 5:08 pm

Hackproofing smart meters

Tags: Smart meters

Jul 03 2019

US wants to isolate power grids with ‘retro’ technology to limit cyber-attacks

Category: Grid VulnerabilitiesDISC @ 2:04 pm

SEIA bill, inspired by the 2015 cyber-attack on Ukraine’s power grid, passes Senate.

Source: US wants to isolate power grids with ‘retro’ technology to limit cyber-attacks | ZDNet

US power grid increasingly vulnerable to cyber threats

Enter your email address:

Delivered by FeedBurner

Tags: OT security, Power grid vulnerabilities, Utility security