DaimlerChrysler victim of a cyberattack from the Zotob worm in 2005

In 2005, in the USA, the Zotob worm was used to attack various industrial infrastructures. Thirteen factories were affected and had to completely stop operations for 1 hour. This led to 14 million dollars in losses for DaimlerChrysler.

How did the attack from the Zotob worm play out?

The cyberattack against DaimlerChrysler (the two companies separated in 2007) and other major companies was caused by a worm called Zotob. The worm spreads over the network and exploits a vulnerability in the Windows Plug and Play (PnP) service, a standard component that lets the operating system detect new hardware. Networked Windows systems, most notably unpatched Windows 2000 machines, were exposed to it.

It was precisely DaimlerChrysler’s Windows 2000 servers that fell victim to the Zotob infection. Despite a firewall being installed between the company network and the industrial networks, the worm was able to spread from plant to plant, halting all operations for more than one hour. As a result, 50,000 employees were forced to stop work, leading to 14 million dollars in gross losses for the company.

What protections are there against this type of cyberattack?

DaimlerChrysler was not the only company attacked by a worm (there are many different kinds: Zotob, RBot and even IRCBot). The New York Times, SBC Communications Inc. (today known as AT&T), ABC Inc. and CNN were also hit by worms, and the complete list of affected infrastructures is long.

Two measures to protect yourself from the Zotob worm

A critical system must be sufficiently contained to limit the spread of an attack. The following measures could have provided protection:

  • Defense in depth and strict containment of systems linked to production (physical isolation, data diode, protective hardware).
  • Limit the exposure of services to the outside: harden systems and filter flows so that only authorized ones cross network boundaries.
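As an added example (not from the page or the Clusif report), the second measure written as a default-deny nftables ruleset for a firewall sitting between a business network and a production network: only explicitly authorized flows cross, and the Windows SMB/RPC ports over which Zotob-style worms spread are logged and dropped. Interface names, subnets and the historian address are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not the report's own configuration.
# Assumed names: eth0 = business side, eth1 = production side,
# 10.1.0.0/16 = business subnet, 10.200.0.10 = historian in production.
flush ruleset

table inet it_ot_boundary {
    # Windows file-sharing / RPC ports used by worms to reach the PnP and
    # similar services on other hosts; never a legitimate IT-to-OT flow.
    set windows_lateral {
        type inet_service
        elements = { 135, 137, 138, 139, 445 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were explicitly allowed below.
        ct state established,related accept
        ct state invalid drop

        # Make an outbreak visible in the firewall log instead of letting
        # it reach the plant network.
        iifname "eth0" oifname "eth1" tcp dport @windows_lateral log prefix "OT-BOUNDARY windows-lateral: " drop
        iifname "eth0" oifname "eth1" udp dport @windows_lateral log prefix "OT-BOUNDARY windows-lateral: " drop

        # The only authorized business-to-production flow: clients read the
        # historian over HTTPS. Nothing is initiated from production outward.
        iifname "eth0" oifname "eth1" ip saddr 10.1.0.0/16 ip daddr 10.200.0.10 tcp dport 443 accept

        # Everything else is logged (rate limited) and hits the drop policy.
        limit rate 10/minute log prefix "OT-BOUNDARY drop: "
    }
}
```

Load with `nft -f` on the boundary host and watch the kernel log for the `OT-BOUNDARY` prefixes; repeated `windows-lateral` entries from many business-side hosts are the signature of a worm trying to cross into production.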

Services exposed to the outside and interconnected networks are much more vulnerable than they may seem! Although the Zotob attacks were not specifically targeted (worm infections can hit victims at random), it is still important to ensure protection in all circumstances. In a similar case, employees were forced to stop working until the IT team was able to repair Windows systems that kept rebooting as a result of an infection: the consequences of cyberattacks are sometimes underestimated.

Developing a cybersecurity policy, building a team of experts and training employees are the major challenges for industry, especially when industrial and business networks are interconnected. In addition to keeping systems updated, it is also important to raise awareness among all industrial players of the security of industrial networks and ICS.

Sources: reports drafted by the SCADA work group of the French Information Security Club (Clusif) in 2017.