Darktrace OT threat finds: Industrial sabotage

Max Heinemeyer, Director of Threat Hunting | Wednesday July 22, 2020

Darktrace recently detected a case of industrial sabotage while deployed at a food-processing organization in the EMEA region. Like higher-profile attack campaigns such as EKANS, Havex, and BlackEnergy, this attack started in the business’s IT infrastructure before pivoting to target the OT network.

Despite having a substantial OT network, the company was not aware of the extent of IT/OT convergence in their architecture. They initially chose to deploy Darktrace’s Enterprise Immune System but not the Industrial Immune System, assuming their OT systems were secure. As this attack moved from their IT systems into OT, the additional visibility and ICS-specific models provided by Darktrace’s industrial offering would have delivered valuable additional context and further helped with threat remediation.

However, thanks to the Enterprise Immune System monitoring the events in real time, we can follow the threat as it moved through the corporate network over the span of three hours.

Timeline of incident

Figure 1: A timeline of events

Darktrace first detected a new device appearing in the “Computing” VLAN, which successfully connected to the “Industrial” VLAN using an admin RDP connection. The device then scanned the industrial network using OT ports 102 and 502, before appearing to call home to external locations using insecure HTTPS and making failed attempts to connect to external servers using OT port 502.

The device then appeared to make successful S7 and Modbus connections to other industrial devices, the nature of which could have been easily determined by the Industrial Immune System.

This new device was introduced directly onto the corporate network, bypassing traditional defenses that sit at the border. Any attempts made by the organization to segregate their IT and OT networks were insufficient in the face of the techniques used by the attacker.

Investigating at machine speed

Darktrace’s Cyber AI Analyst identified the breach device establishing a high volume of connections to unusual external IPs and transferring an unusually high volume of data with the internal WinCC server over port 3389. Simultaneously, the device was observed attempting to establish a high volume of internal connections over ports associated with ICS services. This activity suggests the breach device was conducting an internal scan.
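The pivot pattern described above (a new device making an admin RDP session into the industrial VLAN, then sweeping OT ports 102 and 502 and failing to reach external hosts on port 502) can be expressed as a simple detection rule. The following is an added example, not Darktrace’s code: it runs over constructed Zeek-style connection records, and the 172.27.51.0/24 industrial range, the 172.27.0.0/16 corporate range, and the scan threshold are assumptions for illustration.

```python
# Added example (not Darktrace's code): a minimal detector for the IT-to-OT
# pivot pattern described in the post, run over constructed connection records.
# Record fields (Zeek-style): ts, src, dst, dport, proto, conn_state.
# Ranges, ports and all addresses/timestamps below are constructed/assumed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INDUSTRIAL_VLAN = ip_network("172.27.51.0/24")   # assumed OT range
CORPORATE_NET = ip_network("172.27.0.0/16")      # assumed internal range
ICS_PORTS = {102, 502}                           # S7comm and Modbus/TCP
SCAN_THRESHOLD = 5  # distinct OT hosts contacted on ICS ports

CONSTRUCTED_LOG = """\
1594200000 172.27.103.10 172.27.51.200 3389 tcp SF
1594200120 172.27.103.10 172.27.51.11 102 tcp REJ
1594200121 172.27.103.10 172.27.51.12 102 tcp REJ
1594200122 172.27.103.10 172.27.51.13 502 tcp REJ
1594200123 172.27.103.10 172.27.51.14 102 tcp SF
1594200124 172.27.103.10 172.27.51.15 502 tcp REJ
1594200125 172.27.103.10 172.27.51.16 102 tcp REJ
1594200300 172.27.103.10 198.51.100.7 502 tcp S0
1594200400 172.27.103.20 172.27.51.200 443 tcp SF
"""

def parse(log):
    for line in log.splitlines():
        ts, src, dst, dport, proto, state = line.split()
        yield {"src": ip_address(src), "dst": ip_address(dst),
               "dport": int(dport), "state": state}

def detect(log, known_devices):
    """Return sorted (src, finding) tuples for devices not in known_devices."""
    known = {ip_address(a) for a in known_devices}
    rdp_to_ot, ics_targets, failed_ext = set(), defaultdict(set), defaultdict(int)
    for c in parse(log):
        src, dst = c["src"], c["dst"]
        if src in known:
            continue  # rule only concerns devices new to the network
        if dst in INDUSTRIAL_VLAN and c["dport"] == 3389 and c["state"] == "SF":
            rdp_to_ot.add(src)  # successful RDP into the OT VLAN
        if dst in INDUSTRIAL_VLAN and c["dport"] in ICS_PORTS:
            ics_targets[src].add(dst)  # count distinct OT hosts, success or not
        if dst not in CORPORATE_NET and c["dport"] in ICS_PORTS and c["state"] != "SF":
            failed_ext[src] += 1  # OT protocol port attempted toward the internet
    findings = []
    for src in rdp_to_ot | set(ics_targets) | set(failed_ext):
        if src in rdp_to_ot and len(ics_targets[src]) >= SCAN_THRESHOLD:
            findings.append((str(src), "new device: admin RDP into OT VLAN then ICS port sweep"))
        if failed_ext[src]:
            findings.append((str(src), "new device: failed external connection on OT port"))
    return sorted(findings)
```

In practice the "known devices" set would come from an asset inventory or a learned baseline, and the RDP check would additionally look at the RDP cookie (here `administr`) to flag administrative credentials.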

Figure 2: A summary of the unusual data upload

Figure 3: A summary of the scanning activity

Figure 4: The device summary

The graph below plots the failed connections to external IP addresses made by the breach device when it joined the network (blue) against the mathematical importance of that activity (green), a measure of how far the behavior deviates from normal and therefore how statistically significant it is. Below that, Darktrace’s user interface surfaces every connection the breach device made over port 102.

Figure 5: The number of external connections made to closed ports

Figure 6: The Event Log for connections to S7 port 102 at the time of the incident

An immune system for industrial networks

Cross-examining and analyzing these multiple anomalies in real time, Darktrace identified this as a case of network reconnaissance. This is particularly suspicious as the device was only seen on the network for a two-day period. The unusual use of administrative credentials in the initial stages suggests the new device was attempting to control the WinCC Server, which allows Windows computers to communicate with industrial devices. Unauthorized access to this server could cause serious harm to the organization, as it would allow an attacker to learn about an industrial process, reconfigure multiple devices, or even fully sabotage the process.

The incident clearly demonstrates IT/OT convergence and the risks that entails, even – or especially – when businesses believe these systems are separate. Improper network segmentation makes ICS networks, particularly HMIs (human machine interfaces), an easy target for cyber-criminals or rogue insiders, making total visibility crucial in defending these systems.

This incident affirms that enterprise security needs to encompass OT security – the two can’t be treated as separate. The Industrial Immune System provides security analysts visibility across OT networks and subnets and defends against threats which might target industrial systems. Further, with AI learning the ‘pattern of life’ for every user, device, and controller, the technology can detect subtle deviations in behavior that evade other security tools, alerting security teams to potentially threatening activity in seconds. As attackers increasingly look to cause disruption and target industrial systems in their efforts, AI will be critical to keeping these systems secure and operational.

Thanks to Darktrace analyst Kendra Gonzalez Duran for her insights on the above threat find.


Technical details

RDP connection

Connections
Source: 172.27.103.XX
Destination: 172.27.51.XXX
Breached on connection to remote port: 3389
RDP cookie: administr
Unusual connectivity: 67%
Duration: 01h52m40s
New or uncommon occurrence: 100%

Possible ICS protocol

Connections
Time of breach: 2020.07.08, 09:28:09 UTC
Breach device: WST-1495 · 172.27.103.XX
Breach device type: Desktop
Breach on connection to remote port: 102
Protocol: TCP (application protocol unknown)
Duration: 01h00m02s
Destination IP address: 172.27.0.170
New connection on port 102: True

Darktrace model detections:

  • Unusual Activity from New Device
  • Anomalous SSL without SNI to New External
  • Rare External SSL Self-Signed
  • Unusual Admin RDP Session
  • Multiple Failed Internal Connections
  • Experimental / Possible ICS Protocol

IIS models which may have been able to add context/visibility:

  • Anomalous IT to ICS Connection
  • Multiple Failed Connections to ICS Device
  • Multiple New Discover Commands
  • Multiple New Action Commands
  • Uncommon ICS Reprogram
  • Unusual ICS Connectivity

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.