Cyber report details tricks used by hackers to target critical infrastructure

Cyber report details tricks used by hackers to target critical infrastructure
© Getty

A cybersecurity firm says it uncovered the methods and tools hackers use to target critical infrastructure organizations, activity it observed by creating a website that masqueraded as a major electricity provider.

Cybereason on Monday released a report on its "Honeypot Project," which is designed so that the firm's researchers could learn more about the tactics and techniques hackers employ while trying to compromise control systems. 

ADVERTISEMENT

The fake website, known as a honeypot in cyber-speak, was made to resemble a large, well-known electricity provider that served customers in both the United States and United Kingdom.

Cybereason found that the hackers acted quickly.

"Just two days after the honeypot went live, attackers had discovered it, prepared the asset for sale on the dark Web and sold it to another criminal entity who was also interested in [industrial control system] environments," according to the report.

The first set of hackers found ways around firewalls and other security measures by employing a tool called 'xrdp' to gain access to Remote Desktop Protocol (RDP) servers in environments.

The software helped the hackers get around certain administrator restrictions in Windows and quietly gain access to an environment using a compromised user's credentials. They also created backdoors for the new owners to eventually use.

The criminals appear to have bought xrdp from one of the largest underground criminal marketplaces known as xDedic, a digital black market.

By the time the new owners began to become active, they appeared only interested in gaining control of the operational technology (OT) environment, which operated utility providers' hardware systems like pumps, monitors, and breakers, according to the report.

"Whoever controls the OT environment determines who gets utilities like electricity, natural gas and water," Cybereason found.

But Cybereason said these "specialized" hackers did not appear to be part of the "upper echelon of attackers,” because they made some mistakes along the way.

“Despite the attackers’ sophisticated techniques, they made some amateur moves that indicate their approach needs some refinement,” Ross Rustici, Cybereason’s senior director of intelligence, said in a statement.

The ongoing project, which went live on July 17, had been underway for a week when the Department of Homeland Security announced that Russians have targeted the control systems of hundreds of electricity providers.

In recent years, hackers have targeted the control system of a New York state dam as well as managed to successfully shut down Ukraine’s power grid in an attack.