
7/1/2013 06:19 AM

ICS-CERT: Surge In Brute-Force Attacks Against Energy Industry

Incidents with energy sector in fiscal 2012 included advanced persistent threat (APT)-type attacks, and sophisticated as well as common malware, report says

More than 200 cyberincidents were reported to ICS-CERT by critical infrastructure operators between October 2012 and May 2013. More than half of them came from the energy sector, followed by manufacturing.

The victim organizations were hit mostly by watering hole attacks, SQL injection, and spearphishing. In fiscal 2012 alone, 198 cyberincidents were reported to ICS-CERT, 41 percent of which were from the energy industry. Advanced persistent threat (APT)-type attacks, as well as sophisticated and common malware were among the threats, ICS-CERT said in its ICS-CERT Monitor report for April/May/June 2013, published on Friday.

Among the recent incidents handled by the ICS-CERT was a brute-force attack campaign against a gas compressor station operator that was later found to be targeting other critical infrastructure operators as well. ICS-CERT said the gas compressor station owner on Feb. 22 reported a jump in brute-force attack attempts on process control networks. The attack campaign, which began in January and subsided in early March, didn't result in any actual breaches, according to ICS-CERT.

ICS-CERT says it posted an alert on its secure portal about the attacks on the gas compressor plant, along with 10 IP addresses being used in the attacks.

"That alert elicited additional reports from critical infrastructure owners who, using the indicators in the alert, had discovered similar brute force attempts to compromise their networks. Those new reports yielded 39 new IP addresses, which ICS-CERT included in an update to the original alert (also posted on the secure portal)," ICS-CERT said in its report.

Gas compressor stations in the Midwest and Plains region were the main victims of the attempted attacks, ICS-CERT said, but there also were attacks against critical infrastructure business networks as well. "While none of the brute force attempts were successful, these incidents highlight the need for constant vigilance on the part of industry asset owners and operators. The ability to detect anomalous network activity and network intrusions early in an incident greatly increases the chance of a successful mitigation and resolution," the ICS-CERT report said.
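ICS-CERT's point about early detection, and the way operators used the IP indicators in its alert to find similar attempts on their own networks, translate into two concrete checks over authentication logs: a rate check for repeated failed logins from one source, and a lookup of every source address against the indicator list. The script below is an added example, not ICS-CERT's or any operator's tooling. It parses constructed log lines in an assumed syslog-like format, flags any source that accumulates five or more failed logins inside a five-minute sliding window, and matches sources against a hypothetical indicator list that stands in for the addresses in the alert; the host names, addresses, thresholds and log format are all assumptions.

```python
"""Brute-force detection plus indicator matching over authentication logs.

Added example (not ICS-CERT's or any operator's code). The line format,
threshold, window and indicator addresses are assumptions; the sample log
lines are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "<ISO timestamp> <host> auth: FAILED|OK login user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"(?P<result>FAILED|OK) login user=(?P<user>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+)$"
)

# Hypothetical indicator list, standing in for the IPs distributed in the alert.
INDICATORS = {"198.51.100.7", "203.0.113.44"}

# Constructed sample log: one noisy source, one legitimate user who mistyped
# once, one known-bad address that logged in successfully, one slow source
# spaced 15 minutes apart, and one unparsable line.
SAMPLE_LOG = """\
2013-02-22T03:00:01 hmi01 auth: FAILED login user=admin src=198.51.100.7
2013-02-22T03:00:09 hmi01 auth: FAILED login user=admin src=198.51.100.7
2013-02-22T03:00:17 hmi01 auth: FAILED login user=operator src=198.51.100.7
2013-02-22T03:01:02 hmi01 auth: FAILED login user=root src=198.51.100.7
2013-02-22T03:01:45 hmi01 auth: FAILED login user=admin src=198.51.100.7
2013-02-22T03:02:30 hmi01 auth: FAILED login user=admin src=198.51.100.7
2013-02-22T03:05:00 hmi01 auth: FAILED login user=jsmith src=192.0.2.10
2013-02-22T03:05:20 hmi01 auth: OK login user=jsmith src=192.0.2.10
2013-02-22T03:10:00 hmi01 auth: OK login user=admin src=203.0.113.44
2013-02-22T04:00:00 hmi02 auth: FAILED login user=admin src=192.0.2.55
2013-02-22T04:15:00 hmi02 auth: FAILED login user=admin src=192.0.2.55
2013-02-22T04:30:00 hmi02 auth: FAILED login user=admin src=192.0.2.55
2013-02-22T04:45:00 hmi02 auth: FAILED login user=admin src=192.0.2.55
2013-02-22T05:00:00 hmi02 auth: FAILED login user=admin src=192.0.2.55
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def detect_bruteforce(lines, threshold=5, window_seconds=300):
    """Return {src: peak failures in any sliding window} for sources whose
    failed-login count inside `window_seconds` reaches `threshold`."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "FAILED":
            failures[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def match_indicators(lines, indicators=INDICATORS):
    """Return the set of source addresses in the log that are on the indicator list."""
    return {ev["src"] for ev in map(parse_line, lines) if ev and ev["src"] in indicators}


def analyze(lines, indicators=INDICATORS, threshold=5, window_seconds=300):
    """Run both checks. A successful login from an indicator address is reported
    separately: that is the case where the attempt may actually have worked."""
    success_from_indicator = {
        ev["src"] for ev in map(parse_line, lines)
        if ev and ev["result"] == "OK" and ev["src"] in indicators
    }
    return {
        "bruteforce": detect_bruteforce(lines, threshold, window_seconds),
        "indicator_hits": match_indicators(lines, indicators),
        "success_from_indicator": success_from_indicator,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The sliding window matters: the slow source at 192.0.2.55 makes five attempts in an hour and never trips a five-minute window, but widening the window to two hours catches it, so the threshold and window should be tuned to what the process network's login rate actually looks like. The unparsable line is silently skipped, which is the right default for a detector but is also a reminder to check how much of the log the parser is actually seeing.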

ICS-CERT last week issued an alert on the dangers of default passwords in Internet-facing devices, a long-standing problem that security researchers have been documenting for the past three years.

Some incidents in the water and commercial industry reports handled by ICS-CERT in fiscal 2012 had to do with Internet-connected devices that had weak or default passwords.

Lila Kee, North American Energy Standards Board member and GlobalSign chief product and marketing officer, says the new ICS-CERT report demonstrates how the energy sector is at risk of attack. "The report notes that the first half of 2013 yielded 200 brute-force cyberattacks, surpassing 2012's total of 198 attacks. Although attacks on major gas and electric systems are nothing new to those in the industry, these facts serve as evidence that low-level criminals, all the way up to state-sponsored groups, see the value in compromising our nation's critical infrastructure," Kee says.

Kee says the energy sector and other critical infrastructure sectors should be reporting cyberincidents quickly to enable secure information-sharing on attacks. "Although the North American Energy Standards Board has done a fantastic job by drafting and recommending security standards, it is necessary that the critical infrastructure as a whole implement these standards to best apply preventative measures that prepare for the ever-increasing number and methods of targeted attacks," Kee says.

While energy firms represented 53 percent of the 200 cyberincidents reported to ICS-CERT from October 2012 to May 2013, 17 percent of the reports came from the manufacturing sector.

Most of the incident response ICS-CERT conducts occurs remotely, analyzing malware, logs, hard drives, emails and other attack artifacts. ICS-CERT went on-site for five incidents in the first half of FY 2013 to investigate sophisticated attacks in the energy and critical manufacturing industries. "All of the onsite incident response engagements involved sophisticated threat actors who had successfully compromised and gained access to business networks," ICS-CERT said in its report.

In many of the on-site cases, ICS-CERT team analysis was inconclusive because the ICS networks didn't have sufficient logging and forensics data. "While onsite, ICS-CERT analysts examined networks and artifacts to determine if ICS networks were also compromised. Unfortunately, in many cases that analysis was inconclusive because of limited or non-existent logging and forensics data from the ICS network," the report said.

The full ICS-CERT Monitor report is available here (PDF) for download.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
