APT in ICS

In the world of industrial cybersecurity, threats are continuously progressing and evolving. To raise awareness of this changing environment, this article is focus on Advanced Persistent Threat (APTs), which are currently particularly ubiquitous and constantly evolving. Specifically, it delves into how it works and its impact on the industrial world, without neglecting its technical definition.

What are Industrial APTs?

The origin of the term APT comes from a report published by a famous newspaper, which detailed several cyberattack campaigns. In one of the published cyberattacks, it was described how a Chinese military unit managed to penetrate the communications networks of different media outlets, through a series of phishing attacks and malware aimed specifically at these media.

This type of attack is characterized by the significant effort required to carry it out, as these incidents are often associated with high-value targets (countries, large corporations, etc.). However, it is becoming increasingly common for medium and small businesses to become targets of this type of cyberattack. These incidents are not usually motivated only by economic interests, but are usually carried out for other reasons, such as political cyberactivism or cyberwar between countries.

The objective of this type of incident is to grant continuous access to the affected systems for subsequent exploitation, for this, a series of guidelines and processes are usually followed:

• Reconnaissance: It is the first phase of the threat, aiming to observe and gather information about the target from any available source.
• Gaining access: During this phase, the goal of cybercriminals is to gain access within the organization, taking advantage of any vulnerabilities found.
• Intrusion: during this phase, cybercriminals establish backdoors and conduits to investigate the organization unnoticed and over time.
• Infiltration: Once access points are established, attackers seek to escalate privileges to gain greater capability to manipulate processes within the organization.
• Reconnaissance and movements: once greater privileges have been achieved, the objective is to pivot, i.e. move within the organization to gain access to other departments within the organization (corporate network, industrial network, access to the different servers).
• Exploitation: finally, the attacker learns about the operation and vulnerabilities of the systems, obtaining the necessary information to achieve their objectives.
   

- Phase diagram. Source -

APT in industrials environments

Over the past years, APTs have been evolving, along with their targets. Specifically, the industrial sector has become one of the main targets of this threat, due to a series of factors that have played a crucial role in this increase:

• Human factor: During the process of accessing OT networks for employees or third parties, fundamental factors such as cybersecurity training or awareness are often overlooked, causing knowledge gaps that are often exploited by the attacker. Examples of attacks that take advantage of these situations range from intrusion through phishing or social engineering, to exploitation by internal personnel themselves. For this reason, many organizations are opting for Zero Trust solutions and the application of the principle of least possible privilege.
• IT/OT connections: in many industrial plants, IT and OT assets coexist on the same network. This is a risk, as these teams often introduce new attack vectors to previously unprotected but isolated assets. Therefore, it is important to apply network segmentation and segregation, separating OT and IT networks, whose security requirements are different.
• OT asset protection:it is common for equipment installed in the plant to have outdated or unsupported assets, since in the industrial world equipment has devices with long lifecycles. For this reason, it is normal to find computers with unsupported operating systems or keys, outdated applications and databases, disabled security components, etc. Additionally, OT equipment can be challenging to update, as some updates could affect system operability, contributing to APTs spreading more quickly and easily. A good solution to these problems is to apply good configuration to applications and devices, so that they passively provide security and to establish collaborative relationships with suppliers to facilitate the maintenance and updating of equipment.
• OT endpoint protection: In many current industrial plants, endpoint cybersecurity solutions are not available. Although at first glance these devices are isolated from corporate networks, not only is it common for these devices to connect to multiple networks or serve as a tool to pass data between IT and OT systems, but attackers can also try to access them with adapted malware versions, through USB drives or through phishing. For this reason, it is important to have a good bastion, monitoring, and training in the safe use of these devices...
   

Industrial APT

In recent years, new, more advanced and specialized APTs have emerged for industrial environments, being able to access information from industrial control systems (ICS), affect plant production or even cause physical damage by sending instructions to ICS.

Although today, thanks to forensic analyses carried out in recent years, understanding the operation of these types of attacks is possible, here are some examples of malware used in these attacks.

FourteenHi

It is a malware family discovered in 2021, targeting government entities. In 2022, a specialized variant for the industrial sector was discovered.

There are two variants of FourteenHi available, depending on the architecture used (x86 and x64). Although they have different structures, both have C2 (command and control) communication protocols, and a series of commands used to extract information. Below are the features and differences of the different versions:

• The x64 version has persistence capabilities and a two-step communication protocol. The first step would be to execute commands such as:

  • upload files arbitrarily,
  • download files arbitrarily,
  • execute commands arbitrarily,
  • establish delays in communications,
  • start a reverse shell,
  • End processes and remove persistence.

  The second step allows you to secure C2 communications using the OpenSSL library API, to which it is linked. In addition, this variant uses the RC4 protocol to encrypt and decrypt the data sent by C2, establishing communications securely for the attacker.

• Computers infected with the x86 version do not have persistence capabilities, nor are they linked to OpenSSL, although they still use RC4 encryption protocols for their communications. This malware, unlike the x64 version, is done in a single step. This type of code is ideal for initial stages of equipment infection since it can recover information from a host or local network, download malware, or even collect information for attack stages.

The operating scheme is very similar for all variants, consisting of three main components to implement the code on the victim machine.

• exploiting a vulnerable legitimate application for DLL spoofing.
• a binary file containing the malware's information, encrypted with RC4.
• a malicious DLL which impersonates the original. This application reads and executes the malware's payload to inject it into some active system process (svchost.exe, msiexec.exe...).

MeatBall Backdoor

This APT was first reported in Eastern European industrial organizations, based on x86 and x64 architectures. It works by establishing backdoors, implementing remote access capabilities, creating lists of execution processes, devices, connected disks, etc.

Similar to FourteenHi, it is based on the DLL hijacking technique, but saving the binary itself inside the malicious DLL, rather than in a separate file.

Once executed by a legitimate application, it implements the parameters using "lsNTAdmin", even if that application were to obtain administrator permissions, it creates a service called "esetcss" that runs when the operating system starts. In both cases, it deploys the payload by decrypting a one-byte XOR key and initiates the "svchost.exe" task, using that service with the injected payload, allowing the primary C2 communication to be established by the initiated task.

Yandex Cloud as C2

APT reported in April 2022 that affected several Russian media companies and energy companies. It worked by obtaining information from the infected host by hijacking a legitimate DLL, just like the examples presented above. For the execution of the code, the "libcurl.dll" library linked to SSL communications is used.

As a first step, it creates an exclusion called "Njg8", preventing it from running more instances of the malware itself at any time. After that, it collects host information such as:

• computer name,
• usernames,
• IP address
• MAC address,
• operating system version,
• paths to %System%.

To send the data collected by C2, the malware sends a request to the API, to create a directory with a unique name for the host. After this, it creates a file with a prefix "1770_ and the extension ".dat" where it saves the collected information.

Next, it starts its main loop, periodically checking for a folder called "content" located in the Yandex cloud to detect attacker instructions or extract sensitive information from the victim.

In this folder are located the last files uploaded with the victim's information, encrypted using RC4. Once inside, look for files with "1780_", "1781_" and "1784_" prefixes.

• Files with the prefix "1780_" and "1781_" contain the information in PE (Portable Executable) format, from which the malware extracts new payloads for execution.
• Files with the "1784_" prefix contain a command to run via cmd.exe, which extracts information from the infected host, which is sent via C2 and removed from the infected device.

Conclusion

As seen throughout the article, APTs are highly specialized, targeted attacks that tend to last over time. One of the favorite tools of attackers in an APT is the use of very specific malware, sometimes specially designed to affect the systems of a specific victim, which makes it very difficult to detect once it is introduced into organizations.

Although today there are tools and procedures that allow us to control this type of threat and minimize its impact, they require a good level of maturity in the state of the victim's cybersecurity and the following of good practices in daily operations.

In short, nowadays it is very likely that an industrial organization is susceptible to this type of attack, especially if it operates as a critical infrastructure or presents a strategic target for potential attackers. Therefore, it is not possible to rely on an unprotected system to go permanently unnoticed. Implementing appropriate protection and prevention measures, even if it requires an initial investment of resources compared to ignoring the cybersecurity risks of these threats, is essential to ensure operational continuity and prevent damages, increased expenses and legal consequences in the event of an incident.