The Intrepidus Group reveals some details behind a malware
attack that exposed critical systems at an energy company. Using a
Microsoft zero-day vulnerability and a bit of social engineering,
hackers compromised a workstation and threatened critical SCADA
systems, the security vendor says.
It began with an e-mail sent to an employee at an energy company, and ended
with a security breach that exposed critical systems to outside control.
This is an-all-too common scenario, and just one example of the types of
threats targeting not only critical infrastructure
but organizations generally. The attack referred to above happened at the site
of an energy company that Intrepidus Group is keeping anonymous. In a
discussion with eWEEK, however, the security vendor outlined just how a malware
attack broke into a critical network.
The attack began to unravel April 3, 2007. That's when a fraudulent user account—complete
with administrative privileges—was detected by the energy company. At that
point, Intrepidus Group was called in to try to uncover what exactly had
happened. Working backward, the company traced everything back to a little bit
"What started off as a very strange attack where people couldn't
understand why these random administrative accounts were being added in the
internal network ended up being two and a half days later us realizing the
primary domain controller in the system—which is the keys to the system, really,
with all the passwords and user accounts—had been compromised with this
zero-day attack," said Intrepidus Group CEO
Rohyt Belani. "But the big thing that set off alarms … was that the attack
had originated not from the outside big, bad world, but … from another machine
inside their corporate network."
The machine sat on the same segment where the SCADA (Supervisory Control And
Data Acquisition) controllers were. Soon, evidence appeared that the attackers had
leapfrogged off this network and broken into the domain controller, Belani
explained. After backtracking even further, the investigation determined the
source of the breach—a relatively simple phishing attack.
e-mail contained a pitch for a new health care plan, something that caught an
employee's eye. The e-mail claimed to be about benefits for a family with two
or more children, and the employee had three. The message also contained a
malicious .chm file attachment.
When the employee opened the attachment, it reached out to a server in the
Asia-Pacific region and pulled out a malicious executable that gave the
attackers a foothold on the employee's machine, Belani said.
The attack took advantage of MS07-029,
a Windows DNS (Domain Name System) vulnerability that at the time was
unpatched. Using the vulnerability as an entry point, the attackers ended up
with control of the employee's account.
"The attacker had a problem; he got system-level access via an
unpublished zero-day exploit," said Aaron Higbee, CTO
of Intrepidus Group. "But attackers need to maintain access and are
worried about their initial exploits either causing instability with the system
or the system getting patched. This is why they created the [other]
account … with domain admin access."
With the level of access they gained, the attackers could potentially
control, view and modify everything related to the business, Higbee said.
In the aftermath of the attack, Intrepidus advised the company to make some
changes to its security strategy. For starters, the company was advised to
re-architect the outbound filtering of Internet access and put a proxy in place
for Web browsing to ensure that employees aren't reaching out to seemingly
random sites. More critical is the subject of segregation. No workstation
sharing a critical network segment should be connected to the Internet, Belani said.
"It should be segmented away from the sensitive SCADA
controllers," he said.