Anatomy Of A Computer Network Attack (CNA) – Part 1


May 27, 2020

It was December 23, 2015 when, nearly instantly, over 220,000 people in Ukraine sat in the dark. While the power outage lasted only up to 6 hours, and for a few people at most, it was the first known successful cyber attack on a power grid.

What actually happened on December 23, 2015, and in the weeks, months, or even years leading up to the attack? While many unknowns and broad estimates remain to this day, it is known that this was not just a ‘regular’ cyber attack. It was a complex operation that had been planned over a long period of time and was executed meticulously, which makes it a perfect example of how real-world threat modeling works.

While several things paved the way to what resulted in 30 power substations being shut down, the main attack was on an Industrial Control System (ICS) via the SCADA bus. Now you might ask yourself: what is SCADA? SCADA stands for 'Supervisory Control and Data Acquisition', and it is simply a subset of the larger, overlying ICS. SCADA takes data from many different sensors and other sources and puts it in a form you can work with. It also gives you options for interacting with and supervising these systems. In this case, SCADA controlled the circuit breakers in the power substations. Maybe a few of you reading this are now thinking: “Just reset the breaker, problem solved.” While this is true, in reality it is of course not that simple.

Why is it not that simple? Because it was a very well planned, multi-vector attack. To really understand how big this operation actually was, we need to move back in time. The attackers started actively conducting phishing attacks as early as May 2014, 1.5 years before the attack itself happened. By March 2015 the phishing, spear-phishing to be exact, reached its peak. How did they actually do it? They exploited the human need for closure. The Donbass conflict, still ongoing today, started following the annexation of the Crimea peninsula by Russia in early 2014 and was still going strong in 2015. The attackers sent out a weaponized fake spreadsheet of names drafted for military service, a day or two before the real lists were officially published.

How did this work? They used VBA, Visual Basic for Applications, a version of Microsoft's Visual Basic programming language, as their attack delivery system. While VBA is widely known to be extremely insecure and exploitable, it is still in use today even though it was declared ‘legacy’ in 2008. Simply speaking, it is no longer maintained by the vendor. So why was it still there in 2014 and 2015? There is no answer to this question other than that out-of-date software is still used on more systems than you would think, and that it has always been done this way. The key takeaway here is to patch your software and only use software that is still maintained and updated by the vendor or developer.

They used an exploit based in VBA as a dropper for their main malware. A dropper is simply a piece of malware designed to install the actual malware/virus once it has been deployed. This is one of the crucial points in the entire attack operation: the attackers established their bridgehead inside the electricity provider's network via the “BlackEnergy 3” malware. From this point on, the attackers were “in”, and so began months of internal reconnaissance and lateral movement inside the electricity provider's network.
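The delivery vector described above, a macro-bearing spreadsheet, can be caught before a user ever opens it, because an Office Open XML document that carries VBA must contain a `vbaProject.bin` part inside its ZIP container. The following added example (written for this page, not code from the original article or from any of the tools it mentions) shows a defender-side triage check: it lists the macro parts in a document, flags a file delivered under a macro-free extension (`.xlsx`, `.docx`, `.pptx`) that nevertheless carries a VBA project, and exercises itself on constructed in-memory samples rather than real Office files. The part names and the "macro-free extension" policy are assumptions stated in the code; legacy OLE2 formats (`.xls`, `.doc`) are not ZIP containers and need a separate parser.

```python
import io
import zipfile
from typing import List

# Part names inside an Office Open XML package that hold a compiled VBA
# project. Presence of any of these means the document carries macros,
# whatever file extension it was delivered with. (Assumed set for this example.)
MACRO_PARTS = (
    "word/vbaProject.bin",
    "xl/vbaProject.bin",
    "ppt/vbaProject.bin",
)

# Extensions that, by policy, should never carry a VBA project at all.
# A macro-enabled type (.xlsm/.docm/.pptm) legitimately may, so that case is
# left to policy (sandbox or block) rather than treated as a mismatch.
MACRO_FREE_EXTENSIONS = {".xlsx", ".docx", ".pptx"}


def find_macro_parts(data: bytes) -> List[str]:
    """Return the macro-bearing part names found in an OOXML document.

    Returns an empty list for a macro-free document and also when the bytes
    are not a ZIP container at all (legacy OLE2 .xls/.doc files need a
    different parser, e.g. oletools' olevba)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return []
    return [part for part in MACRO_PARTS if part in names]


def content_type_mismatch(data: bytes, claimed_extension: str) -> bool:
    """True when a file delivered under a macro-free extension actually
    contains a VBA project, a strong sign the extension is a disguise."""
    return (claimed_extension.lower() in MACRO_FREE_EXTENSIONS
            and bool(find_macro_parts(data)))


def triage(filename: str, data: bytes) -> str:
    """Classify an attachment for a mail gateway or EDR pipeline."""
    ext = filename[filename.rfind("."):] if "." in filename else ""
    if not find_macro_parts(data):
        return "no-macros"
    if content_type_mismatch(data, ext):
        return "mismatch"   # macro-free extension hiding macros: quarantine
    return "macros"         # macro-enabled type with macros: sandbox/block per policy


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like ZIP in memory. This is a constructed
    sample for exercising the checker offline, not a real Office document;
    the vbaProject.bin payload is a placeholder, not actual VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("schedule.xlsx", build_sample(with_macro=False)),
        ("schedule.xlsm", build_sample(with_macro=True)),
        ("schedule.xlsx", build_sample(with_macro=True)),
    )
    for name, blob in samples:
        print(f"{name}: {triage(name, blob)}")
```

The check deliberately keys on container structure rather than on the file extension or the MIME type a sender claims, since both are attacker-controlled; a result of `mismatch` is the one worth quarantining outright, while `macros` on a macro-enabled type is the case where a policy such as blocking macros from the internet (Mark of the Web) or detonating in a sandbox applies.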

Let's take a closer look at this piece of malware that goes under the mysterious name of ‘BlackEnergy 3’ (BE3). As you might have guessed, there were a ‘BlackEnergy 1’ and a ‘BlackEnergy 2’ prior to BE3, but I don't want to go into too much detail on those here. BE3 popped up for the first time in 2014. It is a rootkit with very extensive capabilities, ranging from simply downloading and executing other malicious code on the computer to shipping with a set of specific plugins. These plugins provide all kinds of things you would need for digital reconnaissance and exploitation from inside the system: keylogging, remote desktop viewing, extracting information of all kinds from the host system as well as from the network the host is connected to, and of course the ability to spread itself laterally throughout the host's network and infect other systems. There is also the option to plainly destroy the system via various means.

The attackers started to collect the data important to them. They mapped the entire network structure and harvested passwords and credentials for access to all kinds of systems via simple keylogging and the collection of local data such as user tokens. They identified the key IT targets, as well as the ICS targets, they needed to take control of.

This is the end of Stage 1 of the attack operation. In the next part of the article we will take a look at how the attack itself actually happened, how it could have been far worse than it actually was, and what measures could have been taken to prevent it or to defend the infrastructure better.


