Darktrace OT threat finds: Industrial sabotage
Darktrace recently detected a case of industrial sabotage while deployed at a food-processing organization in the EMEA region. Like many more high-profile attack campaigns such as EKANS, Havex, and BlackEnergy, this attack started in the business’s IT infrastructure before pivoting to target the OT network.
Despite having a substantial OT network, the company was not aware of the extent of IT/OT convergence in their architecture. They initially chose to deploy Darktrace’s Enterprise Immune System, but not the Industrial Immune System assuming their OT systems were secure. As this attack moved from their IT systems and into OT, the additional visibility and ICS-specific models provided by Darktrace’s industrial offering would have delivered valuable additional context and further helped with threat remediation.
However, thanks to the Enterprise Immune System monitoring the events in real time, we can follow the threat as it moved through the corporate network over the span of three hours.
Timeline of incident
Figure 1: A timeline of events
Darktrace first detected a new device appearing in the “Computing” VLAN, which successfully connected to the “Industrial” VLAN using an admin RDP connection. The device then scanned the industrial network using OT ports 102 and 502, before appearing to call home to external locations using insecure HTTPS and making failed attempts to connect to external servers using OT port 502.
The device then appeared to make successful S7 and Modbus connections to other industrial devices, the nature of which could have been easily determined by the Industrial Immune System.
This new device was introduced directly onto the corporate network, bypassing traditional defenses that sit at the border. Any attempts made by the organization to segregate their IT and OT networks were insufficient in the face of the techniques used by the attacker.
Investigating at machine speed
Darktrace’s Cyber AI Analyst identified the breach device establishing a high volume of connections to unusual external IPs and transferring an unusually high volume of data with the internal WinCC server over port 3389. Simultaneously, the device was observed attempting to establish a high volume of internal connections over ports associated with ICS services. This activity suggests the breach device was conducting an internal scan.
Figure 2: A summary of the unusual data upload
Figure 3: A summary of the scanning activity
Figure 4: The device summary
The graph below details failed connections to external IP addresses made by the breach device when it joined the network (blue), and the mathematical importance of the activity (green), which reveals how statistically important this behavior is due to the size of its deviation from normal. Below that, Darktrace’s user interface surfaces every connection on the breach device over port 102.
Figure 5: The number of external connections made to closed ports
Figure 6: The Event Log for connections to S7 port 102 at the time of the incident
An immune system for industrial networks
Cross-examining and analyzing these multiple anomalies in real time, Darktrace identified this as a case of network reconnaissance. This is particularly suspicious as the device was only seen on the network for a two-day period. The unusual use of administrative credentials in the initial stages suggests the new device was attempting to control the WinCC Server, which allows Windows computers to communicate with industrial devices. Unauthorized access to this server could cause serious harm to the organization, as it would allow an attacker to learn about an industrial process, reconfigure multiple devices, or even fully sabotage the process.
The incident clearly demonstrates IT/OT convergence and the risks that entails, even – or especially – when businesses believe these systems are separate. Improper network segmentation makes ICS networks, particularly HMIs (human machine interfaces), an easy target for cyber-criminals or rogue insiders, making total visibility crucial in defending these systems.
This incident affirms that enterprise security needs to encompass OT security – the two can’t be treated as separate. The Industrial Immune System provides security analysts visibility across OT networks and subnets and defends against threats which might target industrial systems. Further, with AI learning the ‘pattern of life’ for every user, device, and controller, the technology can detect subtle deviations in behavior that evade other security tools, alerting security teams to potentially threatening activity in seconds. As attackers increasingly look to cause disruption and target industrial systems in their efforts, AI will be critical to keeping these systems secure and operational.
Thanks to Darktrace analyst Kendra Gonzalez Duran for her insights on the above threat find.
Darktrace model detections:
- Unusual Activity from New Device
- Anomalous SSL without SNI to New External
- Rare External SSL Self-Signed
- Unusual Admin RDP Session
- Multiple Failed Internal Connections
- Experimental / Possible ICS Protocol
IIS models which may have been able to add context/visibility:
- Anomalous IT to ICS Connection
- Multiple Failed Connections to ICS Device
- Multiple New Discover Commands
- Multiple New Action Commands
- Uncommon ICS Reprogram
- Unusual ICS Connectivity