Written by Sean Lyngaas
The hackers behind some of the most impactful intrusions of industrial organizations in the last five years have meticulously searched for ways to move from facilities’ IT networks to the more sensitive computers that interact with machinery.
Before alleged Russian hackers cut power in Ukraine in 2015, for example, they spent many months mapping out utility computer networks and gathering grid workers’ credentials. And the hackers who triggered the 2017 shutdown of a Saudi petrochemical plant with the so-called Triton malware are known for using dozens of different tools to maintain access to IT and industrial networks.
As state-sponsored hackers continue to probe U.S. infrastructure, cybersecurity experts regularly emulate those landmark attacks, breaking into their clients’ networks in order to protect them. The latest example comes from Mandiant, FireEye’s incident response unit, which this week publicized the techniques it used to infiltrate a North American utility’s industrial control systems and turn off one of its smart meters.
With that level of access, an attacker in a similar position could have disconnected multiple smart meters at the same time, Mandiant researchers told CyberScoop. The researchers declined to share further information on the client, but said the utility was in charge of a “state-wide smart grid environment.”
Adequately preparing for advanced hacking operations takes some creativity. By going public with the details of their exercise, Mandiant researchers might inspire other security experts devising their own “red-team” tests, which mimic an adversary, for industrial facilities.
Like the incident at the Saudi plant, the Mandiant researchers said, their hack of the North American utility started with a breach of the external-facing IT network and was followed by a “targeted attack chain to achieve a specific high-risk objective in the [operational technology] environment.” They also scouted high-level employees of the utility in charge of administering firewalls and smart metering operations, just as a state-sponsored adversary might.
After accessing the utility’s corporate network, the Mandiant researchers used publicly available hacking tools, such as Mimikatz, to gain greater privileges on the network. They eventually used a computer server that managed software patches to stealthily move between the utility’s IT network and the more sensitive operational technology network that contains industrial control systems.
The exercise culminated in the Mandiant specialists stealing login credentials for a “human machine interface” portal and issuing a command to disconnect the smart meter.
The disclosure of the smart meter hack comes as U.S. utilities continue to learn from the alleged Russian espionage campaign that exploited software made by federal contractor SolarWinds. While that spying effort did not appear to target the electric sector, hundreds of utilities downloaded the malicious software that the Russians used as a beachhead into networks. It’s the kind of elaborate supply-chain compromise that the North American grid regulator had utilities drill for in 2019.
While industry experts consider the hacks in Ukraine and Saudi Arabia to be advanced pieces of industrial sabotage, red-teaming exercises can help demystify the attacks and remind organizations that those capabilities aren’t as rare as they might think.
The Saudi petrochemical plant, for example, “had some significant security weakness,” said Julian Gutmanis, an industrial cybersecurity specialist who responded to the incident. “A red team likely would have been able to get in pretty easily.”