7/1/2013
06:19 AM
ICS-CERT: Surge In Brute-Force Attacks Against Energy Industry

Incidents with energy sector in fiscal 2012 included advanced persistent threat (APT)-type attacks, and sophisticated as well as common malware, report says

More than 200 cyberincidents were reported by critical infrastructure operators to the ICS-CERT between October of last year and May of this year -- more than half of which were in the energy sector, followed by the manufacturing industry.

The victim organizations were hit mostly by watering hole attacks, SQL injection, and spearphishing. In fiscal 2012 alone, 198 cyberincidents were reported to ICS-CERT, 41 percent of which were from the energy industry. Advanced persistent threat (APT)-type attacks, as well as sophisticated and common malware were among the threats, ICS-CERT said in its ICS-CERT Monitor report for April/May/June 2013, published on Friday.

Among the recent incidents handled by the ICS-CERT was a brute-force attack campaign against a gas compressor station operator that was later found to be targeting other critical infrastructure operators as well. ICS-CERT said the gas compressor station owner on Feb. 22 reported a jump in brute-force attack attempts on process control networks. The attack campaign, which began in January and subsided in early March, didn't result in any actual breaches, according to ICS-CERT.

ICS-CERT says it posted an alert on its secure portal about the attacks on the gas compressor plant, along with 10 IP addresses being used in the attacks.

"That alert elicited additional reports from critical infrastructure owners who, using the indicators in the alert, had discovered similar brute force attempts to compromise their networks. Those new reports yielded 39 new IP addresses, which ICS-CERT included in an update to the original alert (also posted on the secure portal)," ICS-CERT said in its report.

Gas compressor stations in the Midwest and Plains region were the main victims of the attempted attacks, ICS-CERT said, but there were also attacks against critical infrastructure business networks. "While none of the brute force attempts were successful, these incidents highlight the need for constant vigilance on the part of industry asset owners and operators. The ability to detect anomalous network activity and network intrusions early in an incident greatly increases the chance of a successful mitigation and resolution," the ICS-CERT report said.
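As an added illustration (not code from the ICS-CERT report or this article), here is the kind of early detection the report calls for, run over constructed authentication-failure log lines: a per-source sliding-window count that flags brute-force attempts, plus a match against a hypothetical indicator list standing in for the IP addresses shared in the alert. Host names and addresses are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication-failure log lines (syslog-like).
# Hypothetical hosts and addresses; not taken from the ICS-CERT alert.
SAMPLE_LOG = """\
2013-02-22T03:10:01 hmi-01 sshd: Failed password for operator from 198.51.100.7
2013-02-22T03:10:03 hmi-01 sshd: Failed password for operator from 198.51.100.7
2013-02-22T03:10:04 hmi-01 sshd: Failed password for admin from 198.51.100.7
2013-02-22T03:10:06 hmi-01 sshd: Failed password for root from 198.51.100.7
2013-02-22T03:10:09 hmi-01 sshd: Failed password for root from 198.51.100.7
2013-02-22T03:11:00 hmi-01 sshd: Failed password for operator from 192.0.2.10
2013-02-22T03:40:00 hmi-01 sshd: Failed password for operator from 192.0.2.10
2013-02-22T04:05:00 plc-gw sshd: Failed password for admin from 203.0.113.5
"""

# Hypothetical indicator list, standing in for the addresses shared in an alert.
ALERT_INDICATORS = {"203.0.113.5"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: first_failure_time} for sources with at least `threshold`
    failures against one host inside any sliding window of length `window`."""
    recent = defaultdict(deque)  # (src, host) -> failure timestamps still in window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication failure; ignore
        ts = datetime.fromisoformat(m["ts"])
        q = recent[(m["src"], m["host"])]
        q.append(ts)
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and m["src"] not in flagged:
            flagged[m["src"]] = q[0]
    return flagged


def match_indicators(log_text, indicators):
    """Return the source addresses in the log that appear in a shared indicator list."""
    seen = {m["src"] for line in log_text.splitlines() if (m := LINE_RE.match(line))}
    return seen & set(indicators)
```

A single failure from an address on the shared list is reported by `match_indicators` even though it never reaches the brute-force threshold, which is the value of the indicator exchange the report describes.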

ICS-CERT last week issued an alert on the dangers of default passwords in Internet-facing devices, a long-standing problem that has been the subject of security research for the past three years.

Some incidents in the water and commercial industry reports handled by ICS-CERT in fiscal 2012 had to do with Internet-connected devices that had weak or default passwords.

Lila Kee, North American Energy Standards Board member and GlobalSign chief product and marketing officer, says the new ICS-CERT report demonstrates how the energy sector is at risk of attack. "The report notes that the first half of 2013 yielded 200 brute-force cyberattacks, surpassing 2012's total of 198 attacks. Although attacks on major gas and electric systems are nothing new to those in the industry, these facts serve as evidence that low-level criminals, all the way up to state-sponsored groups, see the value in compromising our nation's critical infrastructure," Kee says.

Kee says the energy sector and other critical infrastructure sectors should be reporting cyberincidents quickly to enable secure information-sharing on attacks. "Although the North American Energy Standards Board has done a fantastic job by drafting and recommending security standards, it is necessary that the critical infrastructure as a whole implement these standards to best apply preventative measures that prepare for the ever-increasing number and methods of targeted attacks," Kee says.

While energy firms represented 53 percent of the 200 cyberincidents reported to ICS-CERT from October 2012 to May 2013, 17 percent of the reports came from the manufacturing sector.

Most of the incident response ICS-CERT conducts occurs remotely, analyzing malware, logs, hard drives, emails and other attack artifacts. ICS-CERT went on-site for five incidents in the first half of FY 2013 to investigate sophisticated attacks in the energy and critical manufacturing industries. "All of the onsite incident response engagements involved sophisticated threat actors who had successfully compromised and gained access to business networks," ICS-CERT said in its report.

In many of the on-site cases, ICS-CERT team analysis was inconclusive because the ICS networks didn't have sufficient logging and forensics data. "While onsite, ICS-CERT analysts examined networks and artifacts to determine if ICS networks were also compromised. Unfortunately, in many cases that analysis was inconclusive because of limited or non-existent logging and forensics data from the ICS network," the report said.

The full ICS-CERT Monitor report is available here (PDF) for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com.