Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


How a Phishing Attack Exposed an Energy Company to Hackers



 By: Brian Prince
2009-09-08
Article Rating:starstarstarstarstar / 6


There are 3 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The Intrepidus Group reveals some details behind a malware attack that exposed critical systems at an energy company. Using a Microsoft zero-day vulnerability and a bit of social engineering, hackers compromised a workstation and threatened critical SCADA systems, the security vendor says.

It began with an e-mail sent to an employee at an energy company, and ended with a security breach that exposed critical systems to outside control.

This is an-all-too common scenario, and just one example of the types of threats targeting not only critical infrastructure but organizations generally. The attack referred to above happened at the site of an energy company that Intrepidus Group is keeping anonymous. In a discussion with eWEEK, however, the security vendor outlined just how a malware attack broke into a critical network.

The attack began to unravel April 3, 2007. That's when a fraudulent user accountcomplete with administrative privilegeswas detected by the energy company. At that point, Intrepidus Group was called in to try to uncover what exactly had happened. Working backward, the company traced everything back to a little bit of social engineering.

"What started off as a very strange attack where people couldn't understand why these random administrative accounts were being added in the internal network ended up being two and a half days later us realizing the primary domain controller in the systemwhich is the keys to the system, really, with all the passwords and user accountshad been compromised with this zero-day attack," said Intrepidus Group CEO Rohyt Belani. "But the big thing that set off alarms was that the attack had originated not from the outside big, bad world, but from another machine inside their corporate network."

Resource Library:

The machine sat on the same segment where the SCADA (Supervisory Control And Data Acquisition) controllers were. Soon, evidence appeared that the attackers had leapfrogged off this network and broken into the domain controller, Belani explained. After backtracking even further, the investigation determined the source of the breacha relatively simple phishing attack.

The phishing e-mail contained a pitch for a new health care plan, something that caught an employee's eye. The e-mail claimed to be about benefits for a family with two or more children, and the employee had three. The message also contained a malicious .chm file attachment.

When the employee opened the attachment, it reached out to a server in the Asia-Pacific region and pulled out a malicious executable that gave the attackers a foothold on the employee's machine, Belani said.

The attack took advantage of MS07-029, a Windows DNS (Domain Name System) vulnerability that at the time was unpatched. Using the vulnerability as an entry point, the attackers ended up with control of the employee's account.

"The attacker had a problem; he got system-level access via an unpublished zero-day exploit," said Aaron Higbee, CTO of Intrepidus Group. "But attackers need to maintain access and are worried about their initial exploits either causing instability with the system or the system getting patched. This is why they created the [other] account with domain admin access."

With the level of access they gained, the attackers could potentially control, view and modify everything related to the business, Higbee said.

In the aftermath of the attack, Intrepidus advised the company to make some changes to its security strategy. For starters, the company was advised to re-architect the outbound filtering of Internet access and put a proxy in place for Web browsing to ensure that employees aren't reaching out to seemingly random sites. More critical is the subject of segregation. No workstation sharing a critical network segment should be connected to the Internet, Belani said.

 "It should be segmented away from the sensitive SCADA controllers," he said.





  Reader Comments: How a Phishing Attack Exposed an Energy Company to Hackers
>>> Post your comment now!
no proxy?
Let's hope they had a proxy prior and the suggestion was some sort of tweak to it, if not, let's hope this is a small insignificant (as in critical...
Posted At: 09-09-09
By: Armand
A user comment on this article
Great article, Brian. This is why in addition to implementing security solutions employers need to educate their employees about proper Internet and...
Posted At: 09-09-09
By: Angelo Comazzetto
A user comment on this article
Administrators are still browsing the Web with full domain level access, proxy or not. Least rights much?
Posted At: 09-08-09
By: mrhinkydink
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}r8s;Ӯcv ْ˚,*OuJ$)CR^y9q~M -yS([" D;?{{~$riOI1%st[D{{}.GP|gS/92r n8tp;ڀRrLEsrN}~N5y9vtx//0wFD_*QI- y|/LZ@3::}XOB$9"ydZjkMюR='Y̮g fV҄ 'UUjH,ǝ%?ZU&U}X&ZhCA+t 9zq}ں~\z}rڻ"IYxG0p ZʟZr<-zl M iTj{Cw2|&޺x|9!9I '?s`mDi[ܾȑ\ yǛʃ+a(7F`XӀ7? iP2zs, ߱n\S;G`ho__ VYK370s_?m=w  a6z@t\ a#x`Mil&XJp7є6`I˪2TI0%mQq:]R$y3DDȭ g/3/r.i }h8yWҽT7ws 9tipv^nVV͉:YXYujZnY?iQw9qn>^[ٻS7?A*Gm'!|emxZ.3334!E&M w&|hx }# 00w9&z(tH h&r<kIOmLJ.?6 [ G`rɭ 5y05ݻ#i`y1yjQ?]*~ `=w= X_ X.{s6G~>2-01%ޥ6 q0yz[ dQJ d$@!"-i]NP@Ar68 -8,rrd++~Cy-#!bTLZ(ݞH:wP-KEscMX*QY,p[/ Pf%)5{~X9yDMf#T`B[ᛥLKak`Dݚ,#M& yz {[W5´ ҄%(𝀴t0OjHL\U}Ge٢szn I߱n)y@6Êi\ǺdMjEsӆH|Ehs 2!j̹æXgu׵LjTN`3!WqlМwaMߨÕ~|ÈI/uO'ܑ-ӾRoBo+څP!_.dI_fMblȌu>I!VB17OH wf@nmHݤ|r%eR{`MLE2a==%ӻnR/0}̙SĠ3BZSOs\| g:[6[7˦EI8Jەi]jk-T8W7Bɶ/²xcP66R(kυ5Ӳ =2PC6*&C 7s(= > XUM.R?>2ai#*jISJR5>k-,!1ȁ2(Ȩ؊-rir1::NЃXS]OL2n9g,pH!%2D?FB\3 ˀ%\< MM̔>Y[ "~2|P +PރЁ*:tkpp2쟶W=) Υ_$ͧW6v &:Le"6Xi=lBOwg=1}Z`"o@dX.)Uql"zd\8˰De9F3q,˹ tn?0RKkڋpxp߄SsDl4$T2Pa'7s] eaȓyް~ScԧvBd80;#-Ko3>>8ԢTQ݂*w Qքw& 0}{(Dtl?a"%x O=ܸ~?CÜU^ůf/$JPVbtxC+jrTT+ 8+|4;~~»( IߥcЙLj}a:0׃|<4zpY 57A!w^8R`>t0yLLF<1ȗ`|BZ_(ƨOȣ#Y ΄q UESU[V87f;< O?a#ECwf0#L6ᦹo= =g jZU~IF G6q~i@"Os`)|\gm/ RU *~i-::j/J.8F2( #s]QB-Ph7 O5c†k+4C |3MdhH[_N.OVͯ6> 7}&mnfuýO7rF+k1s8Wopo퀂ȋW!bˤW6n&00"41< ~>tUJdxL4J,B8HY9޼Vߦ}jz1gVA=jT5A70pZ&c=•[0ec &sd{ WϝiqH9ٸfAd#<6i2 1y=0SW@] VJ[6@/YQW.m K z47D.>q;" V\s> P5ĺqK))r,*H+ů 3ˁc_.qDyC[_TUeH4yģTY0#y $6-.wEЋѶ7Ǟj&l|l&\#2OB(KYM,aTJp9҃ NAqW9K=XT\QGzN=ݠ1pS JM1H侧Z"⣨j]7 J \Z&& g%!6B[uN,@ m|COkPaۤAf<^ΈۍCu37~ 6eFZuiR͋ u;e޺-XLh;ɲCXvIW,V*J7j՚*NӪV$,< ?>7d,j+LGI4~&.2O%WW= qѿO{_7ԍ!F_I]rQӊ 5`JR}'0 隆cu ( r^-GY`Q.|aR)*`?%ʠK= j ;! 8`& Mx)A`?sp-492=QUaNT+ʬy48'oZU{?$ }MMX9 23= SbM1~u{]wZCRVib 6χxz/{Πӻ8䭃b>"g·At~}4.Ї_ECR:"xUEKtx^8K!:(5ށ `i4Ejx{DC:rfWϊfչ ]whgApy- @W{A+tW:K'?vD;m)ޠw)y2#䈠^jw>\<d0srn^6b7L`jX&I:D#Sk!+H0 RXzW'^ t%V}Xn!q(G<=ּSB&T ˓$-I^O eqj ieʒ~@a'1ۡ ۓ_6/G8 (OLkrwisy/PsybRpd;Ràs< e!>倏wqJh 鳁VKM^cA0><)'xfSZ{.Z"]6GH<Ӟ8Im6x}y:b1ݾneiܱ?jwh;操~{Oj9ЛAsL<}<# zv`Nsgs@ {:`cᦿ C ~Uު箄M$&Laq*huͰ<ˀ" CÙ릍CLV\y>h_arJs ނ3QG 6j 2}dO1\j[Cxyg!,d9a}43GؖrbLd OB%L˶wVp*gcc;/F#%k&ORϱm @|Րr/hZ1i`jcZ/p8|+؊wf_O4oNւ1v̙[ʈ1gcR_S_ZR|  .wi{\naa0^ލ<"t(ı߂KCƧsӆUec\cYPۆt& ވ F9}^o]<ǣYk~f4əs' v~cDk 3<^+'*%<^oDUHV|V|w`8KaٷHϛ}8@b4#T֫mJU+&~875);!ֻacf7{OZa'3:Ǔ0~Գ0*e-EB~ vņN}B*@cee%obJCL](@3% ,4%G8n*al9m:+6J 8|'Cq$e0XRZIe!8Pm%0 aH/gAW7Ag>F 2J-9 &{[v/8NymXi첎8&=ގbeFi3njWP1e~͐d֩BwF_K0,#X,$Eˠ(0 !-_+!'=6CmlQiGZQʒVږV /.N=g.c:'X!d:.%XI-)zҵ̤K>äZMS A$'x)/ !K*==!fSܕ K;aɐLFIk9cL̨tȠE"X,b JErO@EG*) ҋÈz`_X4vlG8>=t̶0'Tժ,%NtB΄IEs/H>++-iN":Ҵ쀷¼Zу$ E2_2}I.~ÍHj%:=!ުX$")i/ æ0NxSb6kBa~& )¸^u89ҕ3BD}էo%૑Lka/^؞0pkXtW5e(YjJy''[) ~9999^vԎI, H aڶ}\3>扻EsΗha8CY%#,b N9DID &E؅qmqc;w`MeV`3^ޒ^mJf[DXV^1}l \^ZMjL0C$yPK"jȞߒ _HErvLI=q/>9EMv񕊌Ò@')X=rO >Qgؒ _m~i_ e{ AmGU E@9ȝי ؑZԖAvH8m M2x76?E7Ӡо8j<ƖXBryn[4Y@$nSp?K9Dts !okm~85Ƿ|֘!M/Ս<նZ`wkQ\ǔ쀘<]ҍ7U'  1e#owE?zxra,:aals7 <(ߦ46_rl:(FtE{KA~&n3{H !?p._dȷncˊ_CT\x[/OC/ Xn]}xce)SQ' g$}jJN ^٘! ؼpogK<N&IEoCY[0AGTя ;dw,̽w $#յn Ν2e׿ ϖн-t3q;RquCD!:_Ƹ5Go͓n~ qjoLݚP!J.lgf5 NoL{f6h{{m_ro6`:lj[V֧uEQzz򝧻 ymZ8G-]Ip6ec5W2o}Cgzp=W?!4S2Ć|wa+I錂qnrGJ*sƚe<,,~%sw)@=ܨb>8\AO=cЃ%:?w}Lĕvέco(jc5?}j闶U.x-N/*`6-k;pO?} S&Lm!90njh 63>^Vz^3XZk]X;Xif›yBE ~K-y-JYՙH,ݾYp:lgN((bXL~-=]Fc' `- h \z9}Z<֛ |찭ux*]@0{wn/1~݊+6'&K?/iѹ H Wkn3R)5ܫS\mD 96z_a8bu{Ω ʒ2;˴Wlfm?ڒVo5JzK(Ә d>3mS?)*A" `߶b~m9\G6݊bMܳsEu]0] a7bF .l3N qť+S1S(W' #n%YVmIr .kh>a{G )ﵪ( 5 /'UP8AnK]V m-i}~1}Ȁ c }rt7\9P[㫋8@`mʼ܏@'BSx؛ḁ7a?= nMO9C· joEֹIz# ,@(eFWH5* i}n윓u=aȈm}p(M$N:}G\0>41a&,t<?CO좺t;@xFgg=u?PʿJK<7E*D "}fA=bAa~L­!P)awS0Zdsa9 fX`,2E<#ezwY<>w we~rt>f5KqfldaQ(b:Mt?,|g)s)aR;M,p4ħyd@z\#4[E9yFPsF/PKF_m.?i63{P(GJl.oZ(?\~ 97urN+2ʡsQd~s?3\~3kt3 f Y v? ta݌w>f'E/>A3(?(- ݌rߋ A{eȟȗ^|̠Kx2+  2o(@_3*}'ߧ ]CuV9u^C_]g_RIRf5/qvJEsQ^53Ty~)P5(ϐge3Vڍ^a{r!{ˀ~ KJ+ťW*7YKxM}%k{F1nvd bCa 5KPe^ۛT2CGP78%Y}MNJ 4tk 7b[y@YAI{R}tEI>tqLw<_[nNJ>s\ȜHǣqaN@x|":_QU|.y|e8Nt7 1W }^fx@#m~̭(G.v:)n7zpK|` U75isy[~|^W;}u<^6?C{1'K*8uߜ:RNw }YV&ƀY8'w)NBhع+jSWxJ {4Lԍ21Nrb$VT+[-WJr= 7DDLP*R%}a`R++ QPफ़h[iRo膖 yVi8an%[C#DK(x6"/cB6of)3^սD<'M~ m

r|L:AÆ^Vٍv"nEhp䣿 t2864ǝaƹrV4nA<3@c d߻E!Nx uY|#]MD|&߲)tO= U/ADlZe3Lpiac! `V{υ9 [2FdX jXJr 9;9!ɱF.C7`b)H#M^F`˫IO߶o p1Q.`:Lx1F`wƨyq݅w989e~w^]=6bRF5 㣭A;-r5V$ǖ1x_05:%xlӍ(1 wuù/Br7g7=T#0?fǺ}qk6d1q⺮F)\ Dœj@@rv6}v3c3v%ԥ:Dƫ&`/Fx)|D6?E4ψy&"5l }_|nڋ{v{_yC͞fs(2>L%/=YԼlQ޺qml.; +Cg^pgUvy*s*>`H6A1^<;z~}C2zdz$_Oxƪ~Saxr=Fз57b([| ӽLi!zQˤ`K쒧~0qGĶ2C|R4ϝUpvRvcdLwV)jFe Ǣ8BU(];#6s/>^|˼kAѾYnw0w1L%/#=ZFc`p ۂ{XiWeJpC)tO˞˰CNx3AEk^rXٿ$Ps:cvKѺ v7"!aNn0n-/ـ&@ s=֏*.u94m+* XGڢFMQaW9~ib=x鞁=ve+{@760* <Ǹ9-o@>{~w1' 0tcz7^?-lI12#, $8zIW{{a0&iE㨤t`C v_ʉ~ph;?҈>A wVǰ=BO PoO80Ux|-h\}[}pXˉ>dS1#'@j0\|ɱH d9[\O^مt&3k/YH~>  \99.@$NSP_X_]< T+ .ƕyXqө8Yo>W.˛wByڻHn!$g~V;~v?;w~i a% ѨT\_;kOz罫,,}|K'?}hIaE y遢%!Z4!ջlZɊxY޿`*XECl⍿01-M4V*wNVtƢI26pzRSV01{6JܖmJHUN9KIk.^i\NƇZڱ wm<lx615*-