A recent spate of cyber attacks against critical infrastructure, including oil and gas pipeline operators, utilities and city and state government websites, has revealed new motives and methods in cyber warfare.
Attackers were not out to steal data but, instead, were looking to disrupt services by using an attack vector that the cyber security world has not seen before. Instead of attacking their primary targets directly, hackers hit less secure vendors connected to those targets, using methods that could easily be replicated to attack targets in the shipping sector.
Ahead of the European Maritime Cyber Risk Management Summit in London, where DNV GL will be presenting on cyber threat management, Marine Electronics and Communications is publishing its guide covering the seven phases of a cyber attack.
Step one - Reconnaissance
Before launching an attack, hackers first identify a vulnerable target and explore the best ways to exploit it. The initial target can be anyone in an organisation. The attackers simply need a single point of entry to get started. Targeted phishing emails are common in this step, as an effective method of distributing malware.
The whole point of this phase is getting to know the target. The questions that hackers are answering at this stage are:
The more time hackers spend gaining information about the people and systems at the company, the more successful the hacking attempt will be.
Step two - Weaponisation
In this phase, the hacker uses the information gathered in the previous phase to build what they will need to get into the network. This could be creating believable 'spear phishing' emails, which look like emails the target could plausibly receive from a known vendor or other business contact. Next they create 'watering holes', or fake web pages. These web pages will look identical to a vendor's web page or even a bank's web page, but their sole purpose is to capture your user name and password, or to offer you a free download of a document or something else of interest. The final thing the attacker will do in this stage is to collect the tools they plan to use once they gain access to the network, so that they can successfully exploit any vulnerabilities they find.
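Spear-phishing senders and watering-hole pages rely on domains that look like a vendor's or bank's real domain. The following is an added example of a defensive check, not code from the article or from DNV GL: it flags a sender or link domain as a lookalike of a trusted domain when it collides after homoglyph normalisation, sits within a small edit distance of the trusted name, or embeds the trusted name inside a different registrable domain. The trusted-domain list, the substitution table and the test domains are all constructed for illustration.

```python
from typing import Optional

# Constructed list of domains the organisation legitimately deals with.
KNOWN_DOMAINS = ["acme-marine.com", "portbank.com"]

# Visually similar substitutions that commonly appear in lookalike domains.
# (Constructed table; extend it to match the alphabets your users see.)
HOMOGLYPH_SUBS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                  ("3", "e"), ("5", "s"), ("7", "t")]


def normalise(label: str) -> str:
    """Lower-case and collapse common homoglyphs so 'acrne' compares as 'acme'."""
    label = label.lower()
    for src, dst in HOMOGLYPH_SUBS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: the last two labels.
    Good enough for .com-style names; a real deployment would use the
    public suffix list to handle names such as example.co.uk."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_of(domain: str, known=KNOWN_DOMAINS,
                 max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is either
    a trusted domain itself or not close to any of them."""
    cand = registrable(domain)
    if cand in known:
        return None  # a real subdomain of a trusted domain is not a lookalike
    cand_n = normalise(cand)
    cand_label = cand_n.split(".")[0]
    for k in known:
        k_n = normalise(k)
        k_label = k_n.split(".")[0]
        # 1) identical once homoglyphs are collapsed (acrne-marine -> acme-marine)
        # 2) a typo-squat within max_distance edits (portbnak vs portbank)
        if cand_n == k_n or levenshtein(cand_label, k_label) <= max_distance:
            return k
        # 3) trusted name embedded in a different registrable domain
        #    (acme-marine-login.com)
        if k_label in cand_label:
            return k
    return None


if __name__ == "__main__":
    for d in ["mail.acme-marine.com", "acrne-marine.com",
              "acme-marine-login.com", "portbnak.com", "google.com"]:
        print(f"{d:28s} -> {lookalike_of(d)}")
```

The check is meant for mail-gateway or proxy telemetry: run it over the sender domain of inbound mail and the host part of each link, and route hits to a reviewer rather than blocking outright, since the embedded-name rule will occasionally catch a legitimate partner domain.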
Step three - Delivery
Now the attack starts. Phishing emails are sent, watering hole web pages are posted to the internet and the attacker waits for all the data they need to start rolling in. If the phishing email contains a weaponised attachment, then the attacker waits for someone to open the attachment and for the malware to call home.
Step four - Exploitation
Now the ‘fun’ begins for the hacker. As user names and passwords arrive, the hacker tries them against web-based email systems or VPN connections to the company network. If malware-laced attachments were sent, then the attacker remotely accesses the infected computers. The attacker explores the network and gains a better idea of the traffic flow on the network, what systems are connected to the network and how they can be exploited.
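Harvested user names and passwords being tried against webmail or the VPN leave a characteristic trace: one source address failing against many different accounts in a short window, sometimes followed by a success. The following is an added example of that detection logic, not code from the article: it parses a constructed sample of authentication log lines (the line format, addresses and account names are all invented for illustration) and reports each source that fails against at least five distinct users within ten minutes, together with any account that source later logged into successfully.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of VPN / webmail authentication records (not real data).
SAMPLE_LOG = """\
2018-06-01T08:00:01Z vpn auth=FAIL user=alice src=203.0.113.7
2018-06-01T08:00:03Z vpn auth=FAIL user=bob src=203.0.113.7
2018-06-01T08:00:05Z vpn auth=FAIL user=carol src=203.0.113.7
2018-06-01T08:00:07Z vpn auth=FAIL user=dave src=203.0.113.7
2018-06-01T08:00:09Z vpn auth=FAIL user=erin src=203.0.113.7
2018-06-01T08:00:11Z vpn auth=OK user=frank src=203.0.113.7
2018-06-01T08:05:00Z owa auth=FAIL user=alice src=198.51.100.4
2018-06-01T08:05:30Z owa auth=OK user=alice src=198.51.100.4
"""

# Assumed line format: "<iso-timestamp> <service> auth=OK|FAIL user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) auth=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text: str) -> list:
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_spray(events: list, min_users: int = 5,
                 window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {src: {"users": [...failed accounts...], "success": [...]}}
    for every source that fails against >= min_users distinct accounts
    inside a sliding time window. A user's own typo (one account, a few
    failures) never trips the rule because it counts distinct accounts."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans <= `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                # a success from a spraying source is the account to reset first
                successes = sorted({e["user"] for e in evs if e["result"] == "OK"})
                alerts[src] = {"users": sorted(users), "success": successes}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"{src}: tried {len(info['users'])} accounts, "
              f"succeeded as {info['success'] or 'none'}")
```

In the sample, 203.0.113.7 fails against five accounts in eight seconds and then logs in as frank, so that account is the one to reset and investigate; 198.51.100.4 is a single user mistyping once and is not reported. Tune `min_users` and `window` to the size of your user base, and remember that a slow spray spread over hours needs a longer window or a per-account view as well.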
Step five - Installation
In this phase the attacker makes sure they continue to have access to the network. They will install a persistent backdoor, create admin accounts on the network, disable firewall rules and perhaps even activate remote desktop access on servers and other systems on the network. The intent at this point is to make sure the attacker can stay in the system as long as they need to.
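Each of the persistence actions listed above (a new account, membership of the Administrators group, a backdoor service, a disabled host firewall, remote desktop switched on) is individually something an administrator might do, but several of them on one host within an hour is a strong foothold signal. The following is an added example of that correlation, not code from the article or from DNV GL. It runs a small rule set over constructed event records in a simplified JSON-like schema (the field names, host names, account names and timestamps are invented); the Windows event IDs used (4720 account created, 4732 member added to a local group, 7045 service installed, 4698 scheduled task created, 4950 firewall setting changed, 4657 registry value modified) are the ones I would map these rules to, and 4657 assumes registry auditing is enabled on the Terminal Server key.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). One host shows the whole
# installation phase in a few minutes; the other shows an ordinary logon.
SAMPLE_EVENTS = [
    {"ts": "2018-06-01T22:10:00Z", "host": "fileserver01", "event_id": 4720,
     "subject": "svc_backup", "target_user": "support2"},
    {"ts": "2018-06-01T22:10:05Z", "host": "fileserver01", "event_id": 4732,
     "subject": "svc_backup", "group": "Administrators", "member": "support2"},
    {"ts": "2018-06-01T22:11:00Z", "host": "fileserver01", "event_id": 7045,
     "service_name": "WinUpdateSvc", "image_path": "C:\\Users\\Public\\upd.exe"},
    {"ts": "2018-06-01T22:12:00Z", "host": "fileserver01", "event_id": 4950,
     "profile": "Domain", "setting": "Enable Windows Firewall", "value": "No"},
    {"ts": "2018-06-01T22:13:00Z", "host": "fileserver01", "event_id": 4657,
     "object": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server",
     "value_name": "fDenyTSConnections", "new_value": "0"},
    {"ts": "2018-06-01T09:00:00Z", "host": "hr-pc12", "event_id": 4624,
     "subject": "jsmith"},
]


def service_from_user_path(e: dict) -> bool:
    """A new service whose binary lives under a user-writable directory."""
    path = e.get("image_path", "").lower()
    return e["event_id"] == 7045 and ("\\users\\" in path or "\\temp\\" in path)


# (rule name, predicate). Each rule is a single persistence indicator.
RULES = [
    ("local account created", lambda e: e["event_id"] == 4720),
    ("account added to Administrators",
     lambda e: e["event_id"] == 4732 and e.get("group") == "Administrators"),
    ("service installed from user-writable path", service_from_user_path),
    ("scheduled task created", lambda e: e["event_id"] == 4698),
    ("host firewall disabled",
     lambda e: e["event_id"] == 4950
     and e.get("setting") == "Enable Windows Firewall" and e.get("value") == "No"),
    ("remote desktop enabled via registry",
     lambda e: e["event_id"] == 4657
     and e.get("value_name") == "fDenyTSConnections" and e.get("new_value") == "0"),
]


def evaluate(events: list) -> list:
    """Return one alert dict per (event, matching rule)."""
    alerts = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                alerts.append({"host": e["host"], "rule": name,
                               "ts": datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")})
    return alerts


def hosts_with_foothold(alerts: list, min_rules: int = 3,
                        window: timedelta = timedelta(hours=1)) -> list:
    """Hosts on which at least `min_rules` distinct indicators fire within `window`."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    hits = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            rules = {a["rule"] for a in items[i:] if a["ts"] - first["ts"] <= window}
            if len(rules) >= min_rules:
                hits.append(host)
                break
    return sorted(hits)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['ts']:%H:%M:%S} {a['host']}: {a['rule']}")
    print("likely foothold on:", hosts_with_foothold(found))
```

The individual rules are deliberately noisy on their own; the value is in `hosts_with_foothold`, which only raises a host once several distinct indicators cluster in time. In the sample, fileserver01 fires five of the six rules in three minutes and is reported, while hr-pc12 produces nothing.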
Step six - Command and control
Now they have access to the network and administrator accounts, and all the needed tools are in place. They have unfettered access to the entire network. They can look at anything, impersonate any user on the network, and even send emails from the chief executive to all employees. At this point they are in control. They can lock you out of your entire network if they want to.
Step seven - Action on objective
Now that they have total control, they can achieve their objectives. This could be stealing information on employees, customers or product designs, or they can start messing with the operations of the company. Remember, not all hackers are after monetisable data, some are out to just mess things up. If you take online orders, they could shut down your order-taking system or delete orders from the system. They could even create orders and have them shipped to your customers. If you have an industrial control system and they gain access to it, they could shut down equipment, enter new set points, and disable alarms. Not all hackers want to steal your money, sell your information or post your incriminating emails on WikiLeaks, some hackers just want to cause you pain.
Prepare for the attack
So, what now? What can you do to protect your network, your company, even your reputation? You need to prepare for the attack. Let’s face it, sooner or later the hackers WILL come for you. Don’t let yourself think that you don’t have anything that they want. Trust me, you do.
Patrick Rossi, Maritime Cyber Security Service Manager for DNV GL, will be presenting on cyber threat management at the European Maritime Cyber Risk Management Summit in London on Friday 15 June.