How Cyber Criminals Collect Confidential Intelligence on Industrial Victims

26 Aug 2020

“You can’t fight what you can’t see” is a cliche that has been worn down by the cybersecurity community. What we really need to say is: you can’t fight what you don’t understand.

Understanding how your opponent thinks and operates is key in every challenge - from chess to cybersecurity. If you really know the opposition, you know their vulnerabilities; you can predict their course of action, and you trick them in order to gain the upper hand.

In one of our recent blogs we discussed the psychological aspects of dealing with cyber criminals. Today, we are going to present some of the ways cyber criminals collect information about their victims (industrial companies in particular), in order to initiate a harmful attack: 

1. Use legitimate scanners such as Shodan, Censys and BinaryEdge

By using the search operators, and by combining information about assets, the cyber criminals can look for their desirable victim from the specific country. These scanners legitimately scan the internet for connected servers, machines and devices, and then read and store their metadata (internet banner, IP, ASN, etc.). 

In addition to identifying digital assets, an attacker can use Shodan or similar scanners, to find remote connectivity services such as VNC, RDP or x11 that were not configured to be secured. In the case of industrial businesses, those solutions are often used to allow engineers and production floor operators to contact the HMI’s of their machines through portable devices or PCs. In an attempt to access or manipulate production, malicious actors can find accessible HMIs used in the production floor itself. In some cases, they will be able to see exactly what company this HMI belongs to, and can find strategic processes they can easily manipulate to create disruption and damage. Even worse, some HMI controllers have the direct ability to shut down the machine/process.

What would sound surprising, is that still thousands of ICS assets are exposed to the internet over specific ports used only for ICS, making them easy to identify and classify. By searching Shodan it’s easy to see that almost every port of industrial protocol is opened in controllers around the world. Unique ports can be 44818 (Rockwell), 1962 (Phoenix Contact), 102 for Siemens, and more. Once these ports are open, any party can try to communicate with the device over the port. This allows attackers to take over devices, and in case there are known and unpatched vulnerabilities for that specific device, exploit them.

What you should do:

  • Use the same legitimate tools to monitor if your company (or its assets) are exposed. If you find out that any of your assets is exposed, consider additional security measures: restrict unnecessary ports, implement authentication mechanisms to access the service, or completely take down the asset.
  • In the case of an exposed control panel/HMI through a remote connection service, where the attacker can execute commands to the machine, the best practice would be to take it down. If necessary to keep it available online, implement security measures like access authentication.
  • To detect and manage the organization’s exposure over “industrial ports”, one may use Shodan’s ICS Radar, or use Shodan’s ICS search modifiers.

Check for exposed assets if there are vulnerabilities and public exploits

After mapping the ICS inventory, one can use databases like NIST to discover known vulnerabilities, and find the relevant ICS advisories in CISA or at the vendor’s website. Almost every common controller that is produced by industrial vendors like Siemens, Schneider Electric, Phoenix Contact and hundreds of others, has documented CVEs and in some cases there are even known exploits.

What you should do: read ICS advisories and vendors’ remediation suggestions carefully - and make sure you follow through on their guidance. If you are short on experienced staff, hire a cybersecurity services company to inspect and implement required fixes. Having said that, the Industry 4.0 revolution will result in an increase in advanced and interconnected ICS, so organizations that expect digital growth should consider automated solutions for visibility, detection and response.

2. Checking subdomains of the victim

Cybercriminals know the names of their victims and their geographical information. They use open source tools such as BGPview to find all the subdomains of the victims. Subdomains can give more options to find exposed assets and bring more information about the victim. In some unique cases attackers can even find a domain that allows employees to access the SCADA system portal. After checking the IP address of these subdomains in Shodan, they can determine the specific SCADA software that is implemented in the victim environment and broaden their investigation from there. 

What you should do: run periodic risk-assessments to map all your subdomains, and use a legitimate penetration testing company to check if they can be hacked.

3. Use the information they gathered to broaden their insights about the victim and about the supply chain by using official websites services providers and LinkedIn

By checking the systems and services of their victims, hackers can search the internet for details about contracts, and installation of the services in several plants of the victim. LinkedIn can provide extra intelligence that sometimes people share to show their experience. Hackers can find more information about the victim’s systems and you can understand who is the integrator who installed this industrial environment at the victim’s plants. This information can be used in order to spread the attack to the victim’s customers, partners or suppliers. In many cyber-attacks, “patient zero” (the first infected company) was not the main target of the attack, but was rather used as a stepping stone to reach another company (or companies). 

What you should do: First, you need to understand that even if your company does everything right - you can still be infected by one of your partners. Share cyber best-practices with your partners; Make sure that they adhere to the same strict security measures that you are; Don’t give suppliers and partners unrestricted access to your production floor - and monitor every interaction with 3rd parties; lastly, apply segmentation in order to minimize the risk in the case of a cyber attack. 

Ran Finkelstein
Threat Intelligence Researcher