The French Network and Information Security Agency (Agence nationale de la sécurité des systèmes d'information, or ANSSI) presented its 2015 Annual Review last month. The review highlighted industrial sites as the principal target of the majority of major cyber-attacks over the past year. Yet industrial players critically lack awareness of cybersecurity, ANSSI went on to argue. News reports have exposed the extent of the damage that cyber-attacks are capable of causing. Below, our experts decode 4 iconic cyber-attacks.
1- Stuxnet
Stuxnet is the name given to a computer worm that is widely believed to have been created by the NSA. Its initial purpose was to disrupt production at the uranium enrichment facility at the Natanz plant in Iran. First launched in 2008 as a series of cyber-attacks, it was not clearly identified until two years later.
The groundwork and deployment undertaken over several years to prepare these attacks required considerable resources. Rather than random attacks, as is often the case in this field, they should be considered targeted attacks planned with the clear aim of sabotaging the Iranian nuclear industry.
In order to reach and damage the centrifuges, the attacks were carried out as a series of steps. The first step was to increase the pressure of the gas injected into the centrifuges, which was done by taking control of the valves feeding them. By doing this, Stuxnet quickly and successfully put installations out of service without the local authorities even being aware of what was happening.
Stuxnet's large-scale deployment and its aim of damaging the Natanz plant led to an even more significant turn of events in 2009. Just as the Iranian uranium enrichment plant at Natanz began to resume normal operation, a second attack was launched. This time the cyber-attack targeted the computers regulating the speed of the centrifuges. With no direct access to the target, the attackers infiltrated the IT networks used by 5 subcontractors. From there, the subcontractors became the attack vectors and, unknowingly, introduced the virus into the uranium enrichment plant's systems via infected USB keys. Yet again the result was numerous damaged centrifuges. Further attacks continued until the Iranian authorities realized, in 2010, that their plant had been the victim of cyber-attacks for several years.
This attack is seen as iconic both because of the geopolitical context surrounding it and because of the magnitude of the operation. It is the first known attack to have succeeded in undermining an infrastructure's operations and physically damaging its facilities.
2- Damage caused to a blast furnace in a German steel mill
German authorities revealed at the end of 2014 that one of the country's blast furnaces had been the victim of a cyber-attack. The attackers succeeded in infiltrating the corporate network using malware and then, once inside, moved through the network to reach the production management system. From there, they were able to disable several control systems, which directly prevented one of the blast furnaces from shutting down correctly and caused substantial damage to the manufacturing facility.
Preliminary findings of the inquiry suggest that the hackers were highly organized and had advanced knowledge of industrial network operations. Although their motives are not yet apparent, this cyber-attack is the second of its kind to damage an industrial site and has been classified as an APT (Advanced Persistent Threat). Such cyber-attacks are often led by hacker groups financed by industrial groups. This particular cyber-attack clearly demonstrates the extent of the attackers' ability to wreak havoc.
Both iconic and memorable, this attack has left a lasting impression thanks to the German Federal Office for Information Security (BSI), which investigated the case and published a detailed report on the attackers' operating mode.
3- Ukrainian power station disabled
There are still many grey areas surrounding this cyber-attack, which targeted the Ivano-Frankivsk power station in western Ukraine on the 23rd of December last year.
The exact details of the attack are still unknown: information surrounding the incident is limited and documentation on the subject has not been made available. However, it appears that the attack was led by a group of Russian hackers known as the Sandworm Team. The methods used in this cyber-attack are still to be confirmed, but they show many similarities with methods previously used by this suspected group, specifically the use of the "BlackEnergy" Trojan horse to deliver a "wiper" known as KillDisk into the information system.
What is special about this "wiper" is its ability to destroy server protocols and functions as well as wipe, or erase, the hard drive. This procedure could have triggered the shutdown of the power supply.
The result of this attack was quick to take effect: 80,000 homes were left without electricity. This incident has given us a taste of the potential consequences that cyber-attacks can have on industrial sites: not only are onsite activities completely turned upside down, but populations are also directly affected by the disruption.
4- Jeep hijacked by hackers
Two American researchers and a journalist from the American magazine Wired recently proved that it is possible to remotely take control of a connected vehicle. The researchers, from the comfort of their living room, hacked the control system of the Jeep being driven by the journalist. They were able to take control of the vehicle remotely through the Uconnect software connecting the Jeep to the Internet. They then went on to activate the ventilation system, the radio and the washer fluid while the driver watched helplessly from behind the wheel.
The researchers even went as far as to cut the vehicle's engine while the Jeep was travelling along the highway at 63 mph. In a further example, the braking system was disabled in a parking lot and the hackers took over the vehicle's steering.
The researchers and the journalist wanted to use this exercise to show how vulnerable connected cars are to hackers. Furthermore, this case is a clear example of the range of cyber-attacks that industry players now have to take into account. Here, it is not infrastructure that is the target: products themselves are the focus of the hackers' attention. Manufacturers often think their products are protected because their product development is kept hidden. But "security by obscurity" and "security by air gap", which rely on preventing hackers from penetrating directly into the information systems, are simply not enough. Cars are now exposed to the same types of risks as other industries; in the past, these products were not connected to the Internet.
Now, both factories and vehicles are connected and, as a result, they are vulnerable and in great need of effective protection from cyber-attacks.
4 attacks, 4 motives, 4 operating models. Attacks are becoming more diverse, and methods are continually evolving. While the motives differ, the impact is systematically dramatic. This is why we support raising awareness among industry players, so that everyone can act to take precautions against such attacks.