Security Bloggers Network Threats & Breaches

Home » Cybersecurity » Threats & Breaches » Analysis of top 11 cyber attackson critical infrastructure

Analysis of top 11 cyber attackson critical infrastructure

by Noa Ouziel on June 2, 2021

When critical infrastructure fails, the effects can be wide-reaching and devastating. One only has to look at the latest incident in Texas to grasp the potential damage: 4.5 million homes and businesses were left without power, water, and heat for days during a record cold snap in the state. However, this doesn’t even scratch the surface of contemporary threats to critical infrastructure.

This situation was the result of mother nature, not the machinations of cybercriminals. Cyber attacks are an even more significant threat to infrastructure, both public and private. In the past year alone, 56% of energy utility facilities reported at least one cyberattack that caused data loss or operations shutdown.

To give a little perspective of the cost of just a single attack – the recent SolarWinds hack, which exposed over 18,000 private and government clients’ data, will cost an estimated $100 Billion to recover from.

Before getting into the nitty-gritty of recent attacks, it is worthwhile first to understand exactly what is considered critical infrastructure.

What is critical infrastructure?

The Cybersecurity and Infrastructure Security Agency (CISA) divides the types of infrastructure considered critical into 16 sectors, each with its unique vulnerabilities and security needs:

Sponsorships Available

Why cyberattacks on critical infrastructure are increasing

As people and, more importantly, infrastructure has become increasingly reliant on connectivity, heir vulnerability to attack and exploitation has risen accordingly. World-changing events in the last year have forced organizations to adapt and rely heavily on remote access to ensure continuity.

That has come at a price, as over half of industry professionals in the US believe industrial networks lack the necessary security controls to operate safely. What’s more, nearly three-quarters of IT security personnel are more concerned about critical infrastructure attacks than enterprise data breaches.

Unsurprisingly, governments, regulators, and other public and private actors have recently pushed for increased funding and attention to secure these critical infrastructure sectors. The concern is warranted because a survey of infrastructure staff found 90% of respondents had one security incident in the last 12 months, and half had at least two.

Considering how devastating cyber attacks on critical infrastructure can be, it’s worth looking at successful attacks to learn how to prevent similar ones in the future.

Top 11 cyber attacks on critical infrastructure deconstructed

1. TRITON malware attack of 2017

Source: KTH Royal Institute of Technology

The Triton malware attack in 2017 was one of the most potentially destructive and dangerous cyber attacks on industrial control systems (ICS) in the last several years. This state-sponsored malware attack was discovered first in a Saudi petrochemical plant, allowing hackers to take over the plant’s safety instrument systems (SIS).

This malicious code could have led to an explosion or release of toxic gas and was the first time such an attack was purposefully designed to cause loss of life. The investigation concluded spear phishing was the initial attack vector used to access the plant’s internal network, though others believe it was a misconfigured firewall.

The plant could have avoided the attack by running security audits on their network consistently and ensuring their suppliers maintain up-to-date firmware for their products.

2. Taiwan’s state-owned energy company, CPC Corp.

Source: MELANI

CPC Corp in Taiwan, a national asset in charge of oil delivery and liquid natural gas import, was targeted with a ransomware attack last year. Though energy production remained undamaged, the hack threw the company’s payment system into chaos.

Customers at CPC gas stations were unable to use payment wand VIP cards, and payment apps were all rendered useless, though cash and credit still functioned. A compromised flash drive is the supposed unconfirmed culprit, and authorities have not officially named a culprit, though hacker group Winnti is suspected.

Source: CyberInt

A few measures can be put in place by CPC and other energy sector providers to prevent such attacks. One step is to segregate Operational IT systems from the Operational Technology (OT) network and put OT processes in tiers separating critical functions from the rest. Another is to limit access to essential systems and ICS controllers to only relevant employees.

3. Israeli water systems

Source: SecurityAffairs

Israeli water systems were cyber-attacked on a number of occasions in mid-2020. The attacks were designed to compromise the ICS command and control systems for Israel’s pumping stations, sewer systems, wastewater plants, and agriculture pumps.

Though they ultimately failed, the attacks aimed to attempt to spike chlorine and other chemicals in the water to harmful levels and disrupt the water supply during a heatwave and Covid-19. The group exploited outmoded legacy systems still in use and inadequate password guidelines in place at those facilities.

Regularly updating passwords is a seemingly obvious but under-implemented solution to these vulnerabilities, along with replacing outdated ICS equipment and keeping their firmware updated. It is just as essential to identify unfamiliar network-connected devices and remove them immediately.

4. Nippon Telegraph & Telephone (NTT)

Source: NTT

NTT Communications, the fourth-largest telecom company in the world, powers and supports data centers in over 20 countries. Recently, they had a data breach that was highlighted by a great deal of planning and multiple attack fronts. The data breach leaked the data of 621 corporate clients and hybrid in nature, in that it was committed both from the cloud and on-site.

NTT also believes AI and machine learning, along with multi-level attack tools, were implemented in the breach. The origin of the breach was several external, network-connected websites, using a security flaw in an operation server that was part of the company’s information management server.

Running routine security checks could deter an attack of this nature, as well as additional security controls. These fixes will limit entry to sensitive data by both company solutions and employees and prevent irrelevant data or systems access.

5. Moderna

Alleged China-backed hackers probed Moderna, a company at the forefront of Covid-19 vaccine development. They searched for site vulnerabilities and singled out users with expanded security authorization within the network in their hacking attempts.

The hackers’ primary modus operandi was exploiting software vulnerabilities within a well-known web development software. In this case, however, the hackers were unable to steal classified data and research. The bigger problem is, it was revealed the hackers have been terrorizing hundreds of enterprises and government agencies alike for a decade.

Regular security evaluations, code reviews, and upgrades will keep similar companies and infrastructure facilities safer, though it is difficult to keep life-saving treatments that are world-altering safe from prying eyes. Collaboration with government agencies can help mitigate issues with security compliance and offer support in beefing up security standards.

6. Unnamed US natural gas operator

A natural gas facility in the US that has remained unnamed was targeted with ransomware which compromised communications and control resources. The cybercriminal first used a Spear Phishing Link to gain access to the IT network before employing the ransomware within the OT network. The compromised areas included Human Machine Interfaces (HMIs) and data storage.

Fortunately, the plant never “lost control” of operations, but they were forced to shut down for two days until replacement equipment could be obtained and re-programmed. A lack of segmentation between the IT and OT networks was the facility’s primary weak point.

The most critical fix here is the separation of the IT and OT networks and introducing business continuity plans for these cyber threats. Also, drills conducted with employees to deal with potential threats like this need to include cyber attacks and exploits.

7. Ukraine’s Power Grid

Source: SANS ICS

Ukrainian power facility PrykarpattyaOblenergo in 2016 was another instance of an intentional, potentially deadly cyber attack. Half of the population (~700,000 individuals) of the Ivano-Frankivsk region in Ukraine was left without power in mid-December due to a malware attack.

Purportedly by notorious Russian hacker group Sandworm, the attack utilized a dangerous malware dubbed “BlackEnergy 3.” However, this attack wasn’t so straightforward. The hackers also employed hard drive killer KillDisk, Spear phishing, credential theft, VPNs, Remote access exploits, DoS telephony attacks, and other tactics.

Firstly, to protect against such multi-vector attacks, networks must be segmented from one another, and each IT and OT equipment piece must have logging enabled where available. Network monitoring is also paramount in this case, and prioritizing critical equipment and controllers for firmware updates is also a must.

8. San Francisco’s MUNI light-rail system

Source: Aspida

San Francisco’s daily commuters to work were given an irksome surprise one morning in 2016. Hackers used ransomware called Mamba to compromise the city’s Municipal Railway (MUNI) light-rail, breaching the system to access and encrypt over 2000 office systems.

The attack forced the company to shut down the ticketing systems for four days, leaving customers typed messages “Out of Order” and “Free Rides.” No customer or transaction data was compromised in the attack, and backups allowed the transit authority to recover function on most of the systems soon after the attack was discovered.

Though the backups were a good start, they need to have been done much more regularly and covering all critical system components at the very least. Periodically upgrading and running security audits would also help detect vulnerabilities like the ones used for the ransomware and patch them quickly.

9. Iranian Cyber Attack on New York Dam

Source: SANS INC

Iranian state-sponsored hackers, the ITSec Team, or Mersad Company, broke into the Supervisory Control And Data Acquisition (SCADA) systems of the Bowman Dam in New York. The system was connected to a cellular modem but was under maintenance during the time of the attack.

The hackers exploited the unprotected modem connection and lack of security controls for the Dam’s systems. Fortunately, the hackers only accessed a small sluice gate, but were able to manipulate the SCADA controllers expertly. The attack was not necessarily complex in nature but was deemed to be more of a penetration test to probe for weaknesses.

Critical infrastructure controllers must be kept separate from the internet at all costs. If they must have connectivity, the proper security controls, and segregation must be implemented, even for the smallest gates and pipes. In this case, it would also behoove the dam operators to work with the municipal and state government to test and improve their security regularly.

10. Unnamed American Water Authority

Hackers broke into and took control of a US water authority’s cellular network that has remained unnamed. However, their aims were a bit different than some others. Instead of disrupting the water supply or trying to poison the water, the hackers used the cellular routers to jack up the cellular data bills by 15,000%, from $300 monthly to over $50,000 over a ~two-month period.

The weak point was outdated firmware and a factory-installed password for the facility’s Sixnet BT routers. Later that year, the DHS disclosed a vulnerability in the router’s hard-coded credentials, which is believed to be the point at which the hackers exploited the network’s weaknesses.

The water authority could plug the leak by ensuring suppliers maintain up-to-date firmware and routinely check devices and the network for vulnerabilities.

11. Colonial Oil Pipeline

Source: TheGuardian

On May 7th, 2021, in one of the most devastating cyberattacks on infrastructure in recent memory, the Colonial Oil Pipeline was hit by a targeted ransomware attack. The largest overall pipeline in the US, and one that supplied upwards of 45% of the East Coast’s gas, diesel, and jet fuel was forced to shut down its networks and operations entirely. Though they managed to return system function, by May 18th, nearly 11,000 gas stations were still without gas.

The hacker group DarkSide also stole more than 100GB of data from company servers prior to the attack, and only handed over control after Colonial paid $5 million in cryptocurrency. More significantly, the average US cost of gas per gallon rose nationally to the highest cost in over six years.

The attack vector is still currently unknown, but it is believed to originate in an unpatched vulnerability or a phishing scam run on an employee. Due to a number of variables and issues that still remain unanswered, it is difficult to pinpoint an exact cause.

Change is coming but don’t fret

Nature and physical attacks are not the only threats to infrastructure any longer. As critical sectors increasingly rely on wireless and interconnected solutions, the threats they face have evolved accordingly.

Network resilience and security are paramount to ensuring that connectivity remains uninterrupted. Constant vigilance and checks can go a long way towards securing infrastructure, but these steps are not always sufficient.

The most successful and straightforward way to protect your networks and infrastructure starts at the roots with a network-based security solution like Firstpoint. Using one of these security solutions will ensure your facilities, networks, and devices are secure from the ground up.