Anatomy Of A Computer Network Attack (CNA) – Part 1

May 27, 2020 30 Comments

It was December the 23rd of 2015 when, nearly instantly, over 220,000 people in the Ukraine sat in the dark. While the power outage only lasted for 6 hours for a few people at most, it was the first known successful cyber attack on a power grid.

What actually happened on December 23, 2015 and in the weeks, months, or even years leading up to the attack? While there are still many unknowns and broad estimates to this day, it is known that it was not just a ‘regular’ cyber attack. It was a complex operation that had been planned over a long period of time and was executed meticulously, which makes it a perfect example of how real world threat modeling works.

While there are several things that paved the way to what resulted in 30 power substations being shut down, the main attack was on an Industrial Control System (ICS) via the SCADA bus. Now you might ask yourself: what is SCADA? SCADA stands for 'Supervisory Control and Data Acquisition' and it is simply a subset of the more complex overlying ICS. SCADA takes data from many different sensors and other sources and puts them in a form you can work with. It also gives you options on how to interact and supervise these systems. In this case, SCADA-controlled circuit breakers in the power substations. Maybe a few of you reading this now are thinking: “Just reset the breaker, problem solved”, while this is true in reality, it is of course not that simple.

Why is it not that simple? Because it was a very well planned, multi vector attack. To really understand how big this thing actually was we need to move back in time. The attackers actively started conducting phishing attacks as early as May 2014, 1.5 years before the attack itself happened. By March 2015 the phishing, spear-phishing to be exact, reached their peak. How did they actually do it? They exploited the human need for closure. The Donbass conflict, still ongoing today, started following the annexation of the Crimea peninsula by Russia in early 2014 and was still going strong in 2015. The attackers sent out a weaponized fake spreadsheet with names drafted for service a day or two before they officially were published.

How did this work? They used VBA, Visual Basic For Applications, a version of Microsoft's Visual Basic programming language as their attack delivery system. While VBA is widely known to be extremely insecure and exploitable, it is still in use today even though it was declared ‘legacy’ in 2008. Simply speaking it is no longer maintained by the vendor. So why was it still there in 2014 and 2015? There is no answer to this question other than out of date software is still used on more systems than you could think of. And it has always been done this way. The key takeaway here is to patch your software and only use software that is still maintained and updated by the vendor/developer.

They used an exploit based in VBA as a dropper for their main malware. A dropper is simply a piece of malware that is designed to install the malware/virus after it has been deployed. This is one of the crucial points in the entire attack operation, the attackers established their bridgehead inside the network of the electricity provider via the “BlackEnergy 3” malware. From this point on, the attackers were “in” and so began months of internal reconnaissance and lateral movement inside of the electricity providers network.

Lets take a closer look at this piece of malware that goes under the mysterious name of ‘BlackEnergy 3’ (BE3). As you would have guessed there was a ‘BlackEnergy 1’ and ‘BlackEnergy 2 ‘ prior to BE3 but I don’t wanna go too much in detail here on those. BE3 popped up for the first time in 2014. It is a rootkit that has very extensive capabilities ranging from simply downloading and executing other malicious code on the computer, to coming with a set of specific plugins. These plugins allow all kinds of things you would need for digital reconnaissance and exploitation from inside the system like keylogging, remote desktop viewing capabilities, extracting information of all kinds from the host system as well as the network the host is connected to and of course the ability to spread itself laterally throughout the hosts network and infect other systems. Also the option to just plainly destroy the system via various means.

The attackers started to collect data important to them. They mapped the entire network structure and harvested passwords and credentials to access all kinds of systems via simple keylogging and the collection of local data like User Tokens for example. They identified key IT- , as well as ICS targets they needed to take control of.

This is the end of Stage 1 of the attack operation. In the next part of the article we will be taking a look on how the attack itself actually happened, how it could have been way worse than it actually was and what measures could have been taken to prevent this or defend infrastructure better.

30 Responses

Credit Card Hack software

October 01, 2023

machine !!! , we provide programmed ATM cards that can be used to raise cash in ATMs or push, shops and businesses. We sell these cards to all our customers and interested buyers worldwide, the cards have a daily withdrawal limit of $ 5000 at ATM and up to $ 100,000 spending limit in the stores. Visit our website on noveltydmvexperts.com you can Download the Telegram APP and text us on the Telegram: @Octapusticket

We also offer the following services:

CALIFORNIA REAL DRIVER LICENSE
FAKE BANK STATEMENT FOR LOAN
DIPLOMATIC DOCUMENTS PROCESSED
FICO CREDIT INCREASE
BANK STATEMENT SERVICES
BANKNOTES PRODUCTION
BANK TO BANK FLIPS
CRYPTOCURRENCY MINING
QUALITY FAKE DRIVERS LICENSE
REAL ESTATE LICENSE
EXPUNGEMENT SERVICES
BITCOIN INVESTMENTS
REMOVAL OF NAME FROM DEBIT RECORD AND CRIMINAL RECORDING
DMV ID SERVICES
BANK HACKING
ZELLE FLIP
PAYPAL FLIP
UNDETECTED FAKE DRIVING DOCUMENTS
CASHAPP FLIPPS
ALL COUNTRIES DLs, IDs, SSN.
PASSPORT SERVICES
Telegram: @Octapusticket

how to get a fake birth certificate with raised seal that works

October 01, 2023

Where to easily obtain Fake birth certificate with raised seal . you can also get fake divorce papers , Forged Passports , False Passport , Fake UK Documents , Valid German driving Licence , Welcome to Octapustickets Group of Experts Best Producers of High Undetected Drivers License . We produce two types of documents qualities.  We have the Real registered Fake birth Certificate, Fake Divorce papers , and good quality Fake Driver License will be verify from any other country database system with no problems involved, meanwhile with the camouflage quality Fake drivers License , non of your biometric details will be under the government system, but it can not be detected as fake with naked eyes, except with the use of machines.
We also help provide easy methods on How to become a real Portuguese citizenship smoothly. the use of machines. We also help you Clear your Criminal record from any countries court system or criminal records database system.

Download the Telegram APP and Text us at : @OCTAPUSTICKET for more informations an orders.
Visit our website on octapustickets.com

Thanks and waiting to Hear from you soonense.

yolanda

September 23, 2023

HOW I RECOVERED MY STOLEN CRYPTO BITCOIN 2023

EthicRefinance is a lifesaver! They helped me recover my stolen 105,000 dollars worth of bitcoin effortlessly. Their service is not only quick but professional and reliable. As someone who was skeptical about the process, I was pleasantly surprised to see my bitcoins returned in such a swift and hassle-free manner. EthicRefinance truly goes above and beyond to ensure their clients’ satisfaction. I recommend them to anyone who’s in a similar situation. I couldn’t be more grateful for their assistance. Thank you, EthicRefinance!
YOU CAN CONTACT THEM VIA:

EMAIL:ethicsrefinance @g m a i l. com
WEBISTE:www.ethicsrefinance.com

yolanda

September 16, 2023

BITCOIN RECOVERY IS REAL

EthicRefinance is a lifesaver! They helped me recover my stolen 34,000 dollars worth of bitcoin effortlessly. Their service is not only quick but professional and reliable. As someone who was skeptical about the process, I was pleasantly surprised to see my bitcoins returned in such a swift and hassle-free manner. EthicRefinance truly goes above and beyond to ensure their clients’ satisfaction. I recommend them to anyone who’s in a similar situation. I couldn’t be more grateful for their assistance. Thank you, EthicRefinance!
YOU CAN CONTACT THEM VIA:

EMAIL:ethicsrefinance @g m a i l. com
WEBISTE:www.ethicsrefinance.com
WHATSAPP:+63 985 495 1759
You can also contact them for the service below
Western Union/MoneyGram Transfer
Bank Transfer
PayPal / Skrill Transfer
Crypto Mining
CashApp Transfer
Bitcoin Loans
Recover Stolen/Missing Crypto/Funds/Assets

Mac Allen

September 16, 2023

ARE YOU A VICTIM OF A LOST/STOLEN CRYPTO? RECOVER YOUR MONEY NOW

Hello to everyone. My name is Mac Allen. I strongly recommend OMEGA CRYPTO SPECIALIST for all bitcoin and digital asset recovery needs. I was one of their clients, and with their assistance, I was able to reclaim my funds. When it comes to cryptocurrency recovery, they truly are the best. I had invested my money in a cryptocurrency trading platform that crashed earlier this month. When I came across OMEGA CRYPTO SPECIALIST, they were able to reclaim my funds from the crashed platform.

Contact info;
Email; Omegacryptos@consultant.com
Phone/Whatsapp; +1,2,5,1,2,1,0,8,6,4,4

Remember to mention that Mac Allen referred you.

Merindah L Geraldton

August 30, 2023

“Whatsapp: +1-2-5-2-5-1-2-0-3-9-1”“Cybergenie (@) Cyberservices. Com”My way of showing CYBER GENIE exactly how thankful I am for everything they did for me at one of the worst times of my life is by uploading this rating. When I was having concerns about turning over $150,000 worth of Bitcoin theft, Cyber Genie Hack Pro was courteous. My concerns about the likelihood of finding or recovering my misplaced money were reinforced by the irrefutable evidence provided by Cyber Genie. After a few sessions with, Cyber Genie boss, I feel confident in the decisions I took. Despite the fact that it took an extended period, I ultimately got every penny I thought I had lost to Bitcoin investment theft. When I felt like my entire world had smashed down around me, their expertise and vast knowledge were very much appreciated. Cyber Genie crypto recovery team is informed about it, and I wholeheartedly recommend it.

Winnie Huffel

August 27, 2023

HOW TO RECOVER STOLEN CRYPTOCURRENCY FROM SCAMMERS.

Greetings,
I am Winnie Huffel, a Poland born living in Boston, USA. Losing one’s Digital Assets or Cryptocurrency to Scammers tends to be complicated and Frustrating too. I happened to fall victim After being swindled off $230,000 of Crypto by a fraudulent Company’s website that had guaranteed me to double my Investment in a week. When I finally came to realize I had lost my funds, I immediately took action as this was all my savings, that’s when I came across CAPTAIN WEBGENESIS, a legitimate Crypto Expert specializing in Cryptocurrency and Assets Recovery. I immediately contacted the Expert through
email (Captainwebgenesis@hackermail.com). Even though the Expert was only able to retrieve 80% of my Crypto, I’m nevertheless happy because I didn’t think it would be possible.
Web Add https://captainwebgenesis.com/
WhatsApp Contact +1 (447) 442-0456.

HOW TO RECOVER STOLEN CRYPTOCURRENCY FROM SCAMMERS.

Dylan Twine

August 22, 2023

SCAM VICTIMS RECOVERS THEIR MONEY THROUGH CAPTAIN WEBGENESIS.

My name is Dylan. Here’s my recommendation:
To anyone who has been a scam victim and you been looking for Means and ways to recover your lost Assets or lost Bitcoin Wallets I must recommend Captain WebGenesis a licensed Crypto Recovery specialist Helping Victims recover their lost Crypto and providing safe ways to protect your wallets from online fraudsters. I must say before my 3.9Btc in my Trezor wallet was recovered by Captain WebGenesis, I was drowning in depression and had lost all hope in life. To anyone who is a victim too of losing your Crypto share your issue with the Expert and have your funds recovered.
for more info email: Captainwebgenesis@hackermail.com
Web Add; Www.captainwebgenesis.com
WhatsAp +1 (447) 442-0456.

Winfred Hale

August 21, 2023

How to Recover Cryptocurrency from fraudulent investment platforms.

Have you ever been a victim of a scam? or have you Suffered a loss from a Fraudulent Ponzi Scheme? I implore you to Contact Captain WebGenesis, A Certified Cryptocurrency Assets Recovery Expert. I once fell victim to an online imposter who convinced me to invest in a Bogus Cryptocurrency scheme by claiming to have made large profits from the plan. My Mycelium wallet contained $369,000 in Crypto that I lost, I had been reporting to the Authorities tirelessly for a longtime without getting assistance before I finally got in touch with Captain WebGenesis. Fortunately after a serious long chat with Captain WebGenesis all my funds were recovered back.
I recommend this Expert to any victim who has lost Crypto to any fake online Schemes.

Talk to Captain WebGenesis Through ;
Mail Captainwebgenesis@hackermail.com
WhatsApp, +1 (447) 442-0456.

Winfred Hale

August 21, 2023

How to Recover Cryptocurrency from fraudulent investment platforms.

Talk to Captain WebGenesis Through ;
Mail Captainwebgenesis@hackermail.com
WhatsApp, +1 (447) 442-0456.

Winfred Hale

August 21, 2023

How to Recover Cryptocurrency from fraudulent investment platforms.

Talk to Captain WebGenesis Through ;
Mail Captainwebgenesis@hackermail.com
WhatsApp, +1 (447) 442-0456.

Winfred Hale

August 21, 2023

How to Recover Cryptocurrency from fraudulent investment platforms.

Talk to Captain WebGenesis Through ;
Mail Captainwebgenesis@hackermail.com
WhatsApp, +1 (447) 442-0456.

Jamie Hawke

August 19, 2023

FOR BITCOIN RECOVERY CONSULT AN EXPERT/ CAPTAIN WEBGENESIS.

Hello, my name is Jamie Hawke – Managing editor (Securityweek)
I was involved in a bitcoin trading scam, I came across a company website that promised a big return on investment. I was completely sold. The website was excellent, and after much coaxing, I opted to invest 278,000 USD, which unfortunately ended up in the wrong hands. I was frustrated until I sought the counsel of a Crypto Expert CAPTAIN WEBGENESIS. I had no notion there were techniques for reclaiming stolen funds. I emailed the highly rated expert. I explained my case to Expert and provided all the required information and to my amazement, CAPTAIN WEBGENESIS refunded 90% of my BITCOIN to my wallet within a few working days, which I didn’t think was possible. I was startled as well as relieved.

With folks like CAPTAIN WEBGENESIS on your side, Crypto recovery is possible.
Visit: www.captainwebgenesis.com
Mail: Captainwebgenesis@hackermail.com

Jamie Hawke

August 14, 2023

FOR BITCOIN RECOVERY CONSULT AN EXPERT/ CAPTAIN WEBGENESIS.

With folks like CAPTAIN WEBGENESIS on your side, Crypto recovery is possible.
Visit: www.captainwebgenesis.com
Mail: Captainwebgenesis@hackermail.com

Matthew Alden

August 11, 2023

I’m a victim of the LIQULDOHN cryptocurrency investment scam, I was asked to deposit £700 which I did and it tripled to £2200 within 1 hour. That got my interest, The next deposit was £3,500 and my profit shot up to £18,200. I was amazed at how little money can make you crazy profits. I invested more and more. When I tried to cash out, I was asked to pay taxes and other complicated fees. My profits had accumulated to £531,000 as it would show on the trading website but I could not access it. By the time it got to me that the company is illegitimate, l had already lost a total of £190,000. I decided to do proper research about the company to ease my fears that I might have been conned and that’s when I found out that they have been stealing from harmless Americans and individuals around the globe. While reading more about the company in pain, I stumbled upon a United States veteran article on how this same fake crypto investment website took his money but was able to recover it back from them with the help of an Ethical hacker. I inquired more about this Ethical hacker and that’s when I was introduced to CYBER GENIE HACK-PRO. I am writing this positive review to affirm that, Recovering stolen Bitcoin from scammers is real and can be achieved when done by the right expert. If by any means you are a victim of a Crypto Investment scam and wish to get your funds and profits back, I highly recommend (Cybergenie(@)Cyberservices(.)Com) OR (Whats-App (+1252) 5120391), you know why, I am living testimony of their greatness.

Sophia Adams

July 04, 2023

Lost Crypto Recovery Expert Ultimate Hacker Jerry.

I am Sophia Adams a Sweden born programmer living in Phoenix. After mining 100 btc worth $2.6M early 2022, I decided to sell off my old laptop and had to save all the wallets, private keys and passwords in the laptop to a small hard drive known as Iron keys. Unluckily the drive got lost. I tried several times to access my wallet with no luck. After trying several of my frequently used passwords with no luck, I had to look for a hacker’s help to revive my wallet Back.. That’s when I came across an article about Ultimate Hacker Jerry, a modernized expert in crypto Recovery Services. After submitting my case to Hacker Jerry, the expert worked on my case and my wallet was retrieved back with all my funds intact. I Must recommend Ultimate Hacker Jerry for the good and reliable services.