Anatomy Of A Computer Network Attack (CNA) – Part 1

May 27, 2020 139 Comments

It was December the 23rd of 2015 when, nearly instantly, over 220,000 people in the Ukraine sat in the dark. While the power outage only lasted for 6 hours for a few people at most, it was the first known successful cyber attack on a power grid.

What actually happened on December 23, 2015 and in the weeks, months, or even years leading up to the attack? While there are still many unknowns and broad estimates to this day, it is known that it was not just a ‘regular’ cyber attack. It was a complex operation that had been planned over a long period of time and was executed meticulously, which makes it a perfect example of how real world threat modeling works.

While there are several things that paved the way to what resulted in 30 power substations being shut down, the main attack was on an Industrial Control System (ICS) via the SCADA bus. Now you might ask yourself: what is SCADA? SCADA stands for 'Supervisory Control and Data Acquisition' and it is simply a subset of the more complex overlying ICS. SCADA takes data from many different sensors and other sources and puts them in a form you can work with. It also gives you options on how to interact and supervise these systems. In this case, SCADA-controlled circuit breakers in the power substations. Maybe a few of you reading this now are thinking: “Just reset the breaker, problem solved”, while this is true in reality, it is of course not that simple.

Why is it not that simple? Because it was a very well planned, multi vector attack. To really understand how big this thing actually was we need to move back in time. The attackers actively started conducting phishing attacks as early as May 2014, 1.5 years before the attack itself happened. By March 2015 the phishing, spear-phishing to be exact, reached their peak. How did they actually do it? They exploited the human need for closure. The Donbass conflict, still ongoing today, started following the annexation of the Crimea peninsula by Russia in early 2014 and was still going strong in 2015. The attackers sent out a weaponized fake spreadsheet with names drafted for service a day or two before they officially were published.

How did this work? They used VBA, Visual Basic For Applications, a version of Microsoft's Visual Basic programming language as their attack delivery system. While VBA is widely known to be extremely insecure and exploitable, it is still in use today even though it was declared ‘legacy’ in 2008. Simply speaking it is no longer maintained by the vendor. So why was it still there in 2014 and 2015? There is no answer to this question other than out of date software is still used on more systems than you could think of. And it has always been done this way. The key takeaway here is to patch your software and only use software that is still maintained and updated by the vendor/developer.

They used an exploit based in VBA as a dropper for their main malware. A dropper is simply a piece of malware that is designed to install the malware/virus after it has been deployed. This is one of the crucial points in the entire attack operation, the attackers established their bridgehead inside the network of the electricity provider via the “BlackEnergy 3” malware. From this point on, the attackers were “in” and so began months of internal reconnaissance and lateral movement inside of the electricity providers network.

Lets take a closer look at this piece of malware that goes under the mysterious name of ‘BlackEnergy 3’ (BE3). As you would have guessed there was a ‘BlackEnergy 1’ and ‘BlackEnergy 2 ‘ prior to BE3 but I don’t wanna go too much in detail here on those. BE3 popped up for the first time in 2014. It is a rootkit that has very extensive capabilities ranging from simply downloading and executing other malicious code on the computer, to coming with a set of specific plugins. These plugins allow all kinds of things you would need for digital reconnaissance and exploitation from inside the system like keylogging, remote desktop viewing capabilities, extracting information of all kinds from the host system as well as the network the host is connected to and of course the ability to spread itself laterally throughout the hosts network and infect other systems. Also the option to just plainly destroy the system via various means.

The attackers started to collect data important to them. They mapped the entire network structure and harvested passwords and credentials to access all kinds of systems via simple keylogging and the collection of local data like User Tokens for example. They identified key IT- , as well as ICS targets they needed to take control of.

This is the end of Stage 1 of the attack operation. In the next part of the article we will be taking a look on how the attack itself actually happened, how it could have been way worse than it actually was and what measures could have been taken to prevent this or defend infrastructure better.

100 Responses

oliviastephen

August 31, 2022

How to get your ex boyfriend back even if it seems impossible.
My boyfriend that left me a few months ago just came back to me last night crying for me to take him back. My boyfriend left me and I was devastated. The most painful thing is that I was pregnant for him. I wanted him back. I did everything within my reach to bring him back but all was in vain, I wanted him back so badly because of the love I had for him, I begged him with everything, I made promises but he refused. I explained my problem to my sister and she suggested that I should rather contact a spell caster that could help me cast a spell to bring him back , I had no choice than to try it. I messaged the spell caster called dr.unity, and he assured me there was no problem and that everything will be okay before 28hours. He cast the spell and surprisingly 28 hours later my boyfriend called me. It was so surprising, I answered the call and all he said was that he was so sorry for everything that had happened He wanted us to come back together. He also said he loved me so much. I was so happy and went to him that was how we started living together happily again.thanks to dr. unity . if you are here and your Lover is turning you down, or your boyfriend moved to another girl, do not cry anymore, contact Dr.Unity for help now..
Here his contact.
WhatsApp him at: +2348055361568

Robin Burroughs

July 06, 2022

April 03, 2021

October 18, 2020

555

dirnfpaROuktYhAH

September 24, 2020

jDIokufOxXYZFhc

1 2 Next »

Also in Rogue Dynamics

Follow

Anatomy Of A Computer Network Attack (CNA) – Part 1

100 Responses

oliviastephen

Robin Burroughs

epxibop

uzopukuk

savubuo

awucileseh

ocipomonovb

uqaxsahey

iudagipit

uruhipaxoguji

naniqekodilu

iyoweejeqevi

epivinazoyom

evlvidcaci

TzwSVsOw

TzwSVsOw

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

e

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw'||DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),12)||'

jw2oBLiZ')) OR 599=(SELECT 599 FROM PG_SLEEP(12))--

zjHGEZOi') OR 943=(SELECT 943 FROM PG_SLEEP(12))--

Oq9HEWcx' OR 928=(SELECT 928 FROM PG_SLEEP(12))--

YAReGJip'; waitfor delay '0:0:12' --

1 waitfor delay '0:0:12' --

(select(0)from(select(sleep(12)))v)/*'+(select(0)from(select(sleep(12)))v)+'"+(select(0)from(select(sleep(12)))v)+"*/

0"XOR(if(now()=sysdate(),sleep(12),0))XOR"Z

0'XOR(if(now()=sysdate(),sleep(12),0))XOR'Z

if(now()=sysdate(),sleep(12),0)

-1" OR 2+252-252-1=0+0+0+1 --

957'

-1 OR 2+699-699-1=0+0+0+1

-1' OR 2+409-409-1=0+0+0+1 --

-1' OR 2+429-429-1=0+0+0+1 or '5o4FZFb4'='

ad2HDOmH

-1 OR 2+492-492-1=0+0+0+1 --

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

TzwSVsOw

(select(0)from(select(sleep(12)))v)/'+(select(0)from(select(sleep(12)))v)+'"+(select(0)from(select(sleep(12)))v)+"/

1��%2527%2522