Ukraine Attack Path

This model is a slimmed model of a SCADA environment example model and is intended at showing the essence of the Ukraine attack. It is not covering all details of a SCADA environment since it is mainly intended to be digestable in a demo situation. A more complete model of a SCADA environment, along with corresponding documentation is found at https://community.securicad.com/scada-reference-architecture/

The Ukraine attack methodology

The starting point of the attack on the Ukraine power systems were focused on information gathering and collecting login credentials. It was conducted during December 2015 and the core of it was a trojan called BlackEnergy.

This gave foothold in work stations in the “non-industrial” Office network zone which was then used as a platform for collecting user credentials.

The second round of the Ukraine attack was focused on actually activating the attack, using the knowledge and credentials given by BlackEnergy. This part of the attack was conducted during December 2016 and was based on a piece of malware labeled CrashOverride or Industroyer.

The Ukraine attack path

Looking at the attack path securiCAD is producing, we find the following chain of events. For visibility, we have arranged the involved attack steps into different types of operations.

Main attack path of the Ukraine attack.

Generally speaking, the upper half of the picture is related to the BlackEnergy attack and the lower part is related to the CrashOverride/Inustroyer attack.

Objects are labeled using two lines; the uppen one being the object name, and the lower line/word being the attack step accomplished.

The top left box, labeled “Starting point”, is the attacker’s starting point, having compromised the “Previously Compromised” host.

From there, the next activity is “Low Privilege Pivoting”, which essentially is about finding low-privilege credentials and accessing login to the Domain Controller.

With the right low privileged credentials, it is possible to log in to other work stations and some have a VPN connection to the SCADA service itself. The communication is encrypted, but the attacker now has access to the “Windows 7 workstation” running the “SCADA Client” VPN-enabled software, which in turn gives access to the “SCADA VPN” dataflow.

In parallel with this, we have the “Privilege escalation” area. This contains a set of attack steps related to “Popping the AD”, like in any office environment. This can according to the attack path be done in two main ways; using misconfigurations or using software weaknesses. If we look at attitional/secondary attack paths in securiCAD Enterprise (using the “Details” lever), we see that exploiting software (missing patches) on the AD system will show up as a parallel alternative to the ExploitMisconfiguration attack step here.

This is also seen in the following image where additional attack steps are often related to FindExploit, DeployExploit and BypassAntiMalware, which are related to software vulnerabilities.

In the lower box, “SCADA login & compromise”, the attacker will combine access to the “SCADA VPN” dataflow and the acquired “AD SSO Admin” credentials to log in to the “SCADA Service”. This will in turn provide the attacker with Admin/root access to the “SCADA” host itself since the “SCADA Service” is running as a high privileged user on that system.

Having compromised the “SCADA” system, the attacker will have access to the “Process” network zone where the “RTU” host and service reside. The RTU is, from an IT security perspective, considered being a low-security system responsible of controlling/interfacing the actual hardware. The access control is weak or non-existent, since the attacker is not expected to reach this point in the architecture.

So, the attacker’s goal is “Compromise” on a service or a host. What the attacker will then use the “Compromise” capability to is a separate question. Either it could use it to just trash the system and underlying equipment, which is not so sophisticated since that will in most cases be a one-shot operation and will also reveal the attack. Or, the attacker could use this position to learn the system they have reached, control it, and possibly threaten to crash it at a point in time that will do the most harm considering other external factors, mainly depending on the attacker’s agenda. Such considerations are however more of a business consideration and are in most cases beyond (or “below”) the scope of the threat modeling and attack simulation analysis.

Downloads

The securiCAD model of the slimmed Ukraine attack.

The securiCAD SCADA Components pack.