Blog

OT

Threat Finds

Darktrace OT threat finds: Industrial sabotage

Darktrace OT threat finds: Industrial sabotageDefault blog imageDefault blog image
22
Jul 2020
22
Jul 2020

Darktrace recently detected a case of industrial sabotage while deployed at a food-processing organization in the EMEA region. Like many more high-profile attack campaigns such as EKANS, Havex, and BlackEnergy, this attack started in the business’s IT infrastructure before pivoting to target the OT network.

Despite having a substantial OT network, the company was not aware of the extent of IT/OT convergence in their architecture. They initially chose to deploy Darktrace’s Enterprise Immune System, but not the Industrial Immune System assuming their OT systems were secure. As this attack moved from their IT systems and into OT, the additional visibility and ICS-specific models provided by Darktrace’s industrial offering would have delivered valuable additional context and further helped with threat remediation.

However, thanks to the Enterprise Immune System monitoring the events in real time, we can follow the threat as it moved through the corporate network over the span of three hours.

Timeline of incident

Figure 1: A timeline of events

Darktrace first detected a new device appearing in the “Computing” VLAN, which successfully connected to the “Industrial” VLAN using an admin RDP connection. The device then scanned the industrial network using OT ports 102 and 502, before appearing to call home to external locations using insecure HTTPS and making failed attempts to connect to external servers using OT port 502.

The device then appeared to make successful S7 and Modbus connections to other industrial devices, the nature of which could have been easily determined by the Industrial Immune System.

This new device was introduced directly onto the corporate network, bypassing traditional defenses that sit at the border. Any attempts made by the organization to segregate their IT and OT networks were insufficient in the face of the techniques used by the attacker.

Investigating at machine speed

Darktrace’s Cyber AI Analyst identified the breach device establishing a high volume of connections to unusual external IPs and transferring an unusually high volume of data with the internal WinCC server over port 3389. Simultaneously, the device was observed attempting to establish a high volume of internal connections over ports associated with ICS services. This activity suggests the breach device was conducting an internal scan.

Figure 2: A summary of the unusual data upload

Figure 3: A summary of the scanning activity

Figure 4: The device summary

The graph below details failed connections to external IP addresses made by the breach device when it joined the network (blue), and the mathematical importance of the activity (green), which reveals how statistically important this behavior is due to the size of its deviation from normal. Below that, Darktrace’s user interface surfaces every connection on the breach device over port 102.

Figure 5: The number of external connections made to closed ports

Figure 6: The Event Log for connections to S7 port 102 at the time of the incident

An immune system for industrial networks

Cross-examining and analyzing these multiple anomalies in real time, Darktrace identified this as a case of network reconnaissance. This is particularly suspicious as the device was only seen on the network for a two-day period. The unusual use of administrative credentials in the initial stages suggests the new device was attempting to control the WinCC Server, which allows Windows computers to communicate with industrial devices. Unauthorized access to this server could cause serious harm to the organization, as it would allow an attacker to learn about an industrial process, reconfigure multiple devices, or even fully sabotage the process.

The incident clearly demonstrates IT/OT convergence and the risks that entails, even – or especially – when businesses believe these systems are separate. Improper network segmentation makes ICS networks, particularly HMIs (human machine interfaces), an easy target for cyber-criminals or rogue insiders, making total visibility crucial in defending these systems.

This incident affirms that enterprise security needs to encompass OT security – the two can’t be treated as separate. The Industrial Immune System provides security analysts visibility across OT networks and subnets and defends against threats which might target industrial systems. Further, with AI learning the ‘pattern of life’ for every user, device, and controller, the technology can detect subtle deviations in behavior that evade other security tools, alerting security teams to potentially threatening activity in seconds. As attackers increasingly look to cause disruption and target industrial systems in their efforts, AI will be critical to keeping these systems secure and operational.

Thanks to Darktrace analyst Kendra Gonzalez Duran for her insights on the above threat find.

Learn more about the Industrial Immune System

Technical details

Darktrace model detections:

  • Unusual Activity from New Device
  • Anomalous SSL without SNI to New External
  • Rare External SSL Self-Signed
  • Unusual Admin RDP Session
  • Multiple Failed Internal Connections
  • Experimental / Possible ICS Protocol

IIS models which may have been able to add context/visibility:

  • Anomalous IT to ICS Connection
  • Multiple Failed Connections to ICS Device
  • Multiple New Discover Commands
  • Multiple New Action Commands
  • Uncommon ICS Reprogram
  • Unusual ICS Connectivity


Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Max Heinemeyer
Chief Product Officer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max oversees global threat hunting efforts, working with strategic customers to investigate and respond to cyber-threats. He works closely with the R&D team at Darktrace’s Cambridge UK headquarters, leading research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. When living in Germany, he was an active member of the Chaos Computer Club. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
Darktrace OT threat finds: Industrial sabotage
Share
Twitter logoLinkedIn logo

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.