Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

“Прикарпаттяобленерго”: The “First” Attack On Infrastructure

leave a comment »

Screenshot from 2016-03-04 11:21:42

The Attack:

Well there has been a great hubbub about the “first” true cyber attack on an infrastructure system(s) in Ukraine and while I agree that it may be the first (admitted to) it is not something that is on par with the attack on Natanz frankly. As the reports keep coming out and feeds like Wired write kitschy articles about the super scary world we now live in, I thought it would be interesting to cut the bullshit and just put some data out there with some commentary on this event.

So yeah, 225k people were without power for a little while and overall this attack does in fact show us all just how probable this is on select targets, it should also show just how much work it takes to perform one of these. It should also show us all how segmented the systems are and how hard it would be to have an apocalypse event ala “Lights Out” happen anywhere in the world never mind America. The fact that the power was restored fairly quickly and that even when the attackers had tried to keep them down for longer, the systems are also resilient enough and manual enough to keep the lights on. It’s not all cyber and nor should it ever be.

What should be surprising if not galling is that the pre-attack work carried out by the adversaries (*cough Russia cough*) was easily successful and allowed access for the teams to recon the facilities, gain further access, and launch the attack in the end without every being detected and perhaps stopped. Why was this the case? Because this company, even with “robust firewalls” was not doing the due diligence is watching it’s network and did not have a SOC (Security Operations Center) that could monitor the traffic to determine bad actors within. What should worry you even more is that in talking to insiders in the power industry and from personal experience, these people were much better at security than the majority of the companies out there today including many in the US.

Meh.

At the end of the day some of this is interesting but the majority of this attack is pedestrian in the grander scheme. This was a soft target and it was more than likely that it was Russia, a nation state at either the behest of Putin or Putin at the behest of his oligarch pals that did this. This is to say that any reasonably monied group could hire hacker teams to do the same anywhere else. This was a big fuck you to the power company and to Ukraine. It had thinly veiled Russian connection(s) and it has yet to be seen what if any response this will garner from Ukraine and the companies involved who may or may not be seeking to diversify their power generation and transmission.

There will be games…

STAGE 1

So what happened in this attack?

  • The adversary foot-printed the power company and went after the weak points (users in the network) with phishing emails
  • The phish consisted of MACRO based word documents (VBA) that connected to C2 and got modules to further compromise the networks
  • The adversary then mapped the network and performed recon
  • The adversary gained access to VPN’s as well to remotely connect to ICS systems that lacked 2FA
  • The adversary planned their attack and set the stage to not only shut down the power but also to DoS the call center in an effort to muddy the waters and extend the attack

STAGE 2

  • The adversary launches the attack
    • They take down the power systems by controlling systems with stolen creds (RDP)
    • They over-write firmware with garbage to further prevent the attack from being thwarted and to cause a longer outage
    • They DoS the phone system (call center)
    • They killdisk things to make it harder to come back up
    • Basically they tried a fire sale but they failed because of manual systems

While this attack was effective and is a cautionary tale, once again, this is not an extinction level event here. It was well planned and it went off pretty well but remember that the target made it easy and I am afraid that that is the state of affairs everywhere today. So that should be something for you to mull over as you think about this attack.

My Own Recon:

I wanted to know just how easy a target the “Прикарпаттяобленерго” systems were or should I say are? I went out and did some recon of my own with some tools to see and I was not surprised by the results. For the most part this company shared a lot of information through metadata and an open network infrastructure. I did not attempt to run any other kind of vulnerability scan but you can see from the data below that it would be easy enough to profile the company, their security posture, and their network just from tools like Foca.

Screenshot from 2016-03-04 15:41:38Users and naming conventions

 

Screenshot from 2016-03-05 06:51:17System types and vulnerabilities

 

Screenshot from 2016-03-05 06:35:22186 documents downloaded via Google with metadata

 

Screenshot from 2016-03-05 06:34:28Users

 

Screenshot from 2016-03-05 06:34:09File structure and folders

Screenshot from 2016-03-05 06:33:42Email addresses

Screenshot from 2016-03-05 06:33:33Systems by OS (note Xp)

 

Just by using Foca I was able to really get an idea of what they had in the network and how I would formulate an attack to get inside and map things out some more. This type of information is not uncommon to find on the internet and frankly I could have honed in more by using things like LinkedIN and VK to search people and work the OSINT. Let’s just say that this was an easy target and they were unaware of the OSINT they were just giving up by placing all this stuff online.

Reports:

I also downloaded reports from numerous sources out there trying to get market share by putting together these pdf’s on the malware and C2’s used in the attacks. Once again, really nothing new here kids. Sure they re-packed the malware to have new hashes that would not be easily detected but for the most part nothing novel here. They phished people with common doc and excel files that we all get in our daily lives in the corporate security world. Honestly these attacks could be mitigated by just taking admin away from the users and now allowing them to run macro’s when asked to in broken English (or Russian) but hey, who does that kind of security today huh?

Anity

Trend

Sentinel

Eset

Knownsec

DATA

http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
https://www.virustotal.com/en/file/11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80/analysis/
https://www.virustotal.com/en/file/b924f6fad16fa48d9c0f0a91f427d75db09415d592922bd0f5dacafe24bd4357/analysis/
https://www.virustotal.com/en/file/f6e239b6ecbeb4e727df0cc7221407595cf897fb9be282022b1da94a0a1060b3/analysis/
https://www.hybrid-analysis.com/sample/11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80?environmentId=2

HASHES
FileHash-SHA1     c7e919622d6d8ea2491ed392a0f8457e4483eae9
FileHash-SHA1     a427b264c1bd2712d1178912753bac051a7a2f6c
FileHash-SHA1     166d71c63d0eb609c4f77499112965db7d9a51bb
FileHash-SHA1     be319672a87d0dd1f055ad1221b6ffd8c226a6e2
FileHash-SHA1     502bd7662a553397bbdcfa27b585d740a20c49fc
FileHash-SHA1     f3e41eb94c4d72a98cd743bbb02d248f510ad925
FileHash-SHA1     b05e577e002c510e7ab11b996a1cd8fe8fdada0c
FileHash-SHA1     069163e1fb606c6178e23066e0ac7b7f0e18506b
FileHash-SHA1     e5a2204f085c07250da07d71cb4e48769328d7dc
FileHash-SHA1     20901cc767055f29ca3b676550164a66f85e2a42
FileHash-SHA1     84248bc0ac1f2f42a41cfffa70b21b347ddc70e9
FileHash-SHA1     16f44fac7e8bc94eccd7ad9692e6665ef540eec4
FileHash-SHA1     4c424d5c8cfedf8d2164b9f833f7c631f94c5a4c
FileHash-SHA1     1cbe4e22b034ee8ea8567e3f8eb9426b30d4affe
FileHash-SHA1     1a716bf5532c13fa0dc407d00acdc4a457fa87cd
FileHash-SHA1     4bc2bbd1809c8b66eecd7c28ac319b948577de7b
FileHash-SHA1     2c1260fd5ceaef3b5cb11d702edc4cdd1610c2ed
FileHash-SHA1     e40f0d402fdcba6dd7467c1366d040b02a44628c
FileHash-SHA1     a9aca6f541555619159640d3ebc570cdcdce0a0d
FileHash-SHA1     bd87cf5b66e36506f1d6774fd40c2c92a196e278
FileHash-SHA1     e1c2b28e6a35aeadb508c60a9d09ab7b1041afb8
FileHash-SHA1     1a86f7ef10849da7d36ca27d0c9b1d686768e177
FileHash-SHA1     2d805bca41aa0eb1fc7ec3bd944efd7dba686ae1
FileHash-SHA1     6d6ba221da5b1ae1e910bbeaa07bd44aff26a7c0
FileHash-SHA1     72d0b326410e1d0705281fde83cb7c33c67bc8ca
FileHash-SHA1     cd07036416b3a344a34f4571ce6a1df3cbb5783f
FileHash-SHA1     896fcacff6310bbe5335677e99e4c3d370f73d96
FileHash-SHA1     672f5f332a6303080d807200a7f258c8155c54af
FileHash-SHA1     aa67ca4fb712374f5301d1d2bab0ac66107a4df1
FileHash-SHA1     0b4be96ada3b54453bd37130087618ea90168d72
FileHash-SHA1     d91e6bb091551e773b3933be5985f91711d6ac3b
FileHash-SHA1     8ad6f88c5813c2b4cd7abab1d6c056d95d6ac569

C2

IPv4     5.9.32.230
IPv4     31.210.111.154
IPv4     5.149.254.114
IPv4     188.40.8.72
IPv4     88.198.25.92
IPv4     146.0.74.7

You all can comb through the C2’s and the PE files yourselves. It’s pretty common and certainly is not on par with Stuxnet. It did however do the job and once again I have to remind you that this shit should not really work in a properly secured environment with awareness for employees and some semblance of a SOC and some HIDS/NIDS right? I mean the C2’s are well known for being dirty so they should have been caught or blocked already. Take a look at the C2’s in the Netherlands and elsewhere and they have quite the bad history. Once again, this adversary did not have to work that hard.

Actors?

Now on to the big “attribution” game that everyone likes to play. I looked at the C2’s and at the data around them with a jaundiced eye. It is clear that whoever did this had some money for teams of people to do the work but maybe they got the access from spammer/phishers already out there who maybe sold the access to start. It became clear though that two of the C2 addresses had quite the past with romance scams and pharma schemes online over the years.

Screenshot from 2016-03-04 15:10:04Euegene and Andrey (both pseudonyms) registered sites out of the UK

 

Screenshot from 2016-03-04 15:36:41Romance scammer emails found used circa 2012

 

Screenshot from 2016-03-04 09:41:39All the pharma attached to Eugene

 

Screenshot from 2016-03-04 09:37:31Eugene’s addresses all point back to a brownstone in the UK

 

Screenshot from 2016-03-04 09:27:13malware reported by drive by at C2 address

 

Screenshot from 2016-03-04 09:07:55A poor bastard being targeted in the Romance scam on VK

I will say that all of the backstop data seems to imply a Russian connection and if you look at the politics of the region as well as the fact that the Oligarchs and Pooty are in charge, it is not hard to make the conclusion. It is a conclusion though and not proof in any way. So, this attack likely was Russia but no one, let me repeat, no one, can tell you for sure. I am sure that in the RSA week last week many a vendor was trying to make a sale with sure-fire attribution that it was Russia SO BUY MY PRODUCT!

No.. Just no.

What Have We Learned?

What have we learned? Well, I learned that this is nothing new, nothing spectacular, and nothing really to write home about. I know that I could probably hire someone like Nickerson and his team to do the same thing to a like target so really this could be nation state or it could be some person with money or a grudge. What you all learn from this depends on the level of investigation and thought you put into it. As many of my readers are in the business, you are likely coming up with much the same assessment as I have. This was bad but it was bad because the security was lacking at the facilities. A soft target is a soft target so really this should not be some hyped up story for a new Kim Zetter novella.

Here’s what you really should learn from this:

  • Generally today infrastructure security sucks
  • An all out fire sale like you saw in Die Hard is not likely because of manual systems still in place and segmentation
  • You should have a backup plan for power just like you should if you live in an area that gets snow and ice that knocks out power

Everyone seems to be all worked up about cyber war and frankly the gleam in too many people’s eyes makes me kind of sick. Lately I have been mulling over in my head the fact that no matter the technology humans always seek to weaponize it or use it against one another and that just sucks. We are our own worst enemies because we create this stuff insecurely, we manage it insecurely and we leverage it against one another for personal, political, or monetary gain. In short; “This is why we can’t have anything nice”

K.

Written by Krypt3ia

2016/03/05 at 22:12

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: