{"id":2532,"date":"2024-09-25T18:43:23","date_gmt":"2024-09-25T18:43:23","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2532"},"modified":"2025-07-29T03:52:13","modified_gmt":"2025-07-29T03:52:13","slug":"ics-attacks-on-nuclear-facilities-a-cause-for-alarm","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/ics-attacks-on-nuclear-facilities-a-cause-for-alarm\/","title":{"rendered":"ICS Attacks on Nuclear Facilities: A Cause for Alarm"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/IoT-OT-1-1024x1024.webp\" alt=\"\" class=\"wp-image-2548\" srcset=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/IoT-OT-1-1024x1024.webp 1024w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/IoT-OT-1-300x300.webp 300w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/IoT-OT-1-150x150.webp 150w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/IoT-OT-1-768x768.webp 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Geopolitical tension between the United States and Iran has often spilled over into cyberspace, and 2020 was no exception. On 6 January 2020 the US Department of Homeland Security published a <a href=\"https:\/\/www.us-cert.gov\/ncas\/alerts\/aa20-006a\" target=\"_blank\" rel=\"noopener\">Cyber Alert<\/a> that should be read as an advance warning of Iranian retaliation for the Baghdad strike by US forces.<br><br>The <a href=\"https:\/\/www.us-cert.gov\/ncas\/alerts\/aa20-006a\" target=\"_blank\" rel=\"noopener\">Cyber Alert<\/a> published by US-CERT focuses on the country\u2019s critical infrastructure as the likely target of cyber-attacks by Iranian threat actors. 
The industrial sector and critical infrastructure consist of a wide range of industries: transport, manufacturing, electricity supply and energy, mining, water utilities and supply, nuclear facilities, automobile manufacturing, maritime manufacturing and shipping, and so on. Each of these industries is a possible target of state-sponsored cyber terrorism, which threatens their vulnerable OT (Operational Technology) systems: the hardware and software that monitor and control physical devices in the field. It goes without saying that securing these targets is a mammoth task that lies at the doorstep of every country that possesses critical infrastructure. In this analysis, LMNTRIX focuses on the growing number of distinct cyber threats we have seen over the past year targeting nuclear facilities, backed by various state-sponsored threat actors.<br><br>To understand how a nuclear plant functions, its devices, functions and their attributes need to be segregated using the Purdue model:<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"560\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/N1-1-1024x560.webp\" alt=\"\" class=\"wp-image-2549\"\/><\/figure>\n\n\n\n<p>Figure 1: Purdue Model of a Nuclear Power Plant<br><br>The cyber threats observed against nuclear power plants mostly target the components associated with Levels 1 and 2 of the Purdue model. From here on we will refer to Level 3 as the IT network (even though it is distinct from the enterprise network and is ideally placed behind a DMZ) and to Level 2 as the OT network. Adversaries targeting Industrial Control Systems (ICS) require more resources than any other type of adversary, because each ICS-based organization differs in the systems it uses. 
These systems have varying operational processes that define acceptable and unacceptable outcomes for the PLCs, valves, pumps, actuators and so on. The ICS Cyber Kill Chain breaks the steps taken by an adversary into two stages. Identifying each part of these stages and incorporating them into the threat modelling process leads to a layered defence against ICS attackers.<br><br>Stage 1 of the ICS Cyber Kill Chain resembles the traditional Cyber Kill Chain because the objectives are similar: gain access to information, defeat existing defensive measures, gain access to protected network segments, exfiltrate data, and maintain undetected access to infected systems.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"998\" height=\"943\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/N2-1.webp\" alt=\"\" class=\"wp-image-2550\"\/><\/figure>\n\n\n\n<p>Figure 2: ICS Cyber Kill Chain, Stage 1, SANS (SANS, 2015)<br><br>In Stage 2, the attacker uses the information gained in Stage 1 to develop, test, and execute the attack. An adversary often fails in Stage 1 because the sensitive nature of the equipment connected to the network produces unintended outcomes for the attacker. State-sponsored attackers are capable of reaching Stage 2 because they often have access to a test network in their home country, or can exfiltrate system-specific information, and so can develop working malware.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"997\" height=\"788\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/N3-1.webp\" alt=\"\" class=\"wp-image-2551\"\/><\/figure>\n\n\n\n<p><em>Figure 3: ICS Cyber Kill Chain, Stage 2, SANS (SANS, 2015)<\/em><br><br>Before we move further, it is important to establish what counts as an ICS attack. 
Attacks on ICS organizations may involve the theft of operational data or the infection of systems, but an ICS Attack is defined as an attack whose functional impact affects daily operations or degrades safety, involving harm to system devices, plant workers, or field personnel of the ICS organization (SANS, 2015). This can be further broken down into three categories:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>LOSS<\/strong>\n<ul class=\"wp-block-list\">\n<li>Loss of view \u2013 operators are unable to view system data on the console<\/li>\n\n\n\n<li>Loss of control \u2013 operators are unable to control systems from the console.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>DENIAL<\/strong>\n<ul class=\"wp-block-list\">\n<li>Denial of view \u2013 no access to system data<\/li>\n\n\n\n<li>Denial of control \u2013 no control over systems<\/li>\n\n\n\n<li>Denial of safety \u2013 malfunctioning of safety instrumented systems.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>MANIPULATION<\/strong>\n<ul class=\"wp-block-list\">\n<li>Manipulation of view \u2013 loss of data integrity<\/li>\n\n\n\n<li>Manipulation of control \u2013 changing the underlying instructions of a PLC device<\/li>\n\n\n\n<li>Manipulation of sensors and instruments \u2013 execution of instructions injected by attackers into the systems controlling sensors, instruments and actuators<\/li>\n\n\n\n<li>Manipulation of safety \u2013 changing values and conditions to put the safety instrumented system into an unknown state.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>We will now look at malware trends and their impact on the stages and steps of the ICS Cyber Kill Chain. This data is compiled from existing community research and known malware targeting ICS organizations. The data points show the number of malware strains that reached each of the Kill Chain stages shown below. 
Even though many strains were able to infect organizations in the IT network, only a few were able to, or were motivated to, extract sensitive data and maintain undetected persistent access. The number of Stage 2 ICS attacks was somewhat higher, through either denial of control, denial of safety (DRAGOS, 2017), or manipulation of sensors and instruments (Symantec, 2011). This sheds some light on the fact that impacting a business with attacks that cause loss or denial of data and control, for example with wormable ransomware, is comparatively easier than attacks on actual OT equipment that cause manipulation of control (e.g. Stuxnet) or denial of safety (e.g. TRISIS).<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"576\" height=\"336\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/4-40.webp\" alt=\"\" class=\"wp-image-2545\"\/><\/figure>\n\n\n\n<p>Figure 4: Historical Analysis of ICS malware (MITRE, 2020)<br><br>Looking deeper into these malware samples, it is vital to understand how they operate in Stage 2 of the ICS Kill Chain, together with the Tactics, Techniques and Procedures (TTPs) used by the adversaries. The following is a list of commonly used ICS malware techniques with the greatest impact.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data Historian Compromise (T810) \u2013 Attackers compromise or gain control of a data historian in order to gain access to the control system environment. Database information could be exposed to attackers, who can leverage it to perform reconnaissance and discover systems on the network.<\/li>\n\n\n\n<li>Block Command Message (T803) \u2013 Attackers modify the firmware to prevent infected systems from receiving command messages, rendering the system unresponsive to operators\u2019 control. 
This can directly lead to a denial of control attack.<\/li>\n\n\n\n<li>Block Serial COM (T805) \u2013 Attackers may open and hold a TCP session with an Ethernet-connected COM port, which prevents legitimate access to the COM device. This can directly lead to a loss of control attack.<\/li>\n\n\n\n<li>Control Device Identification (T808) \u2013 Attackers may use management software on infected operator systems to identify the specifications of devices connected to the network. This allows attackers to find known vulnerabilities and use them to launch attacks.<\/li>\n\n\n\n<li>Activate Firmware Update Mode (T800) \u2013 Attackers may activate firmware update mode on devices to render them inactive or possibly install malicious firmware.<\/li>\n\n\n\n<li>Unauthorized Command Message (T855) \u2013 Attackers can send crafted command messages to a control system to perform actions outside its expected functionality or to damage the operational process.<\/li>\n\n\n\n<li>Service Stop (T881) \u2013 Attackers can stop or disable system services to impair process operations and cause significant damage to the environment. This can also allow attackers to modify ICS configurations before restarting the services.<\/li>\n\n\n\n<li>Block Reporting Message (T804) \u2013 Attackers can hide their actions from an operator by blocking reporting messages from reaching their intended target, since reporting messages usually contain event log data, I\/O values of the associated device, 
etc.<\/li>\n\n\n\n<li>Exploitation for Evasion (T820) \u2013 Attackers with some prior knowledge of a control device can exploit a software vulnerability in a program, service, operating system, kernel, or firmware to inject malicious code into the system while evading detection or disabling security features altogether.<\/li>\n\n\n\n<li>Modify Control Logic (T833) \u2013 Attackers may inject malicious code into a system, causing it to malfunction by modifying the underlying control logic that operates the actuators in response to sensor readings.<\/li>\n<\/ul>\n\n\n\n<p><strong>Case Study:<\/strong> Malware attack at Kudankulam Nuclear Power Plant, India<br><br>In a recent cyberattack on Indian cyberspace, the Lazarus APT group targeted the country\u2019s largest nuclear power plant (KKNPP), which is responsible for producing 2000 MW of energy for the entire southern power grid. The DTrack malware used in this campaign to gather sensitive data and network architecture information from infected systems on the internal network began life as a remote access Trojan originally developed to target the ATMs of Indian banks. 
From publicly available information, it has been determined that the ATMDtrack malware was operating in the wild during 2018, and parts of its code were reused to create DTrack, which was discovered in September 2019.<br><br>It is still not known how the initial infection took place at KKNPP, but from public reports the malware seems to have gained access to the internal KKNPP network after an infected user connected their laptop to it.<br><br>The objectives of the malware seem to be limited to gathering the following information:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Browser history, written to %TEMP%\\temp\\browser.his<\/li>\n\n\n\n<li>Host IP addresses, written to %TEMP%\\temp\\res.ip<\/li>\n\n\n\n<li>Active connections, written to %TEMP%\\temp\\netstat.res<\/li>\n\n\n\n<li>All running processes, written to %TEMP%\\temp\\task.list<\/li>\n\n\n\n<li>Network configuration data, written to %TEMP%\\temp\\netsh.res<\/li>\n\n\n\n<li>The registered owner, organization, and OS install date, read from HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion<\/li>\n<\/ul>\n\n\n\n<p>The malware contained strings of highly specific commands (Figure 5), which suggests that this variant of DTrack was prepared after gathering enough information and credentials to exfiltrate data and system information.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"614\" height=\"133\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/5-39.webp\" alt=\"\" class=\"wp-image-2546\"\/><\/figure>\n\n\n\n<p>Figure 5: Highly specific commands as string constants in the malware<br><\/p>\n\n\n\n<p>To date, neither the security research community nor NPCIL (Nuclear Power Corporation of India Limited) has reported any evidence of additional actions related to this campaign. 
This leads us to believe that this was a generally successful Stage 1 ICS Attack; to date there is no documented evidence of Stage 2 activity. A representation of the ICS Cyber Kill Chain for the KKNPP attack is shown below.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"576\" height=\"345\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/image3.webp\" alt=\"\" class=\"wp-image-2547\"\/><\/figure>\n\n\n\n<p>Figure 6: KKNPP Attack mapped to the ICS Cyber Kill Chain<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Remediation<\/strong><\/h2>\n\n\n\n<p>The ICS Cyber Kill Chain provides a strong foundation for understanding the various stages of an attack on an ICS organization. Taking these stages into consideration during an organization\u2019s threat modelling will highlight shortcomings in its security coverage.<br><br>Place the safety systems behind a firewall and restrict network access to them. Remove ICS components from direct Internet access. Place the OT network and IT network in separate segments, with a DMZ and firewall between them.<br><br>It is also important to keep up to date with vendor-provided security updates and patches.<br><br>Moreover, an important takeaway is to apply a layered defence strategy to both the IT and OT networks so that common malware attacks and attacker techniques cannot execute successfully.<br><br>Past trends in ICS malware attacks show that most adversaries fail in Stage 1 itself. Therefore, a secured environment in both the enterprise and operations networks is one of the keys to successfully preventing an ICS attack.<br><br>LMNTRIX has been successfully defending our ICS customers from the growing number of threats arising from increased geopolitical tensions across the continents. 
We have reviewed CISA Alert AA20-006A (CISA, 2020) to ensure that we have an up-to-date understanding of previously observed Iranian Tactics, Techniques, and Procedures (TTPs) and taken an aggressive stance on the following MITRE ATT&amp;CK Techniques to identify possible future Iranian activity:<br><\/p>\n\n\n\n<p>AT COMMAND LATERAL MOVEMENT<br><br>CERTUTIL FILE DOWNLOAD<br><br>COMMAND LINE OBFUSCATION<br><br>COMPRESSION OF SENSITIVE FILES<br><br>CREATION OF SETTINGCONTENT-MS FILES<br><br>CREDENTIAL ACQUISITION VIA REGISTRY HIVE DUMPING<br><br>DOWNLOADED URL FILES<br><br>ENCRYPTING FILES WITH 7ZIP<br><br>EXECUTION OF FILE WRITTEN OR MODIFIED BY MICROSOFT OFFICE<br><br>EXECUTION OF FILE WRITTEN OR MODIFIED BY PDF READER<br><br>EXECUTION OF PERSISTENT SCRIPTS<br><br>MODIFICATION OF WDIGEST SECURITY PROVIDER<br><br>ENCRYPTING FILES WITH WINRAR<br><br>NETWORK CONNECTION FROM UNUSUAL DIRECTORY<br><br>PERSISTENCE OF SCRIPTS VIA REGISTRY<br><br>PERSISTENT SCRIPTS IN THE STARTUP DIRECTORY<br><br>POWERSHELL REMOTING<br><br>POWERSHELL WITH UNUSUAL ARGUMENTS<br><br>SCHEDULED TASK COMMAND LATERAL MOVEMENT<br><br>SERVICE COMMAND LATERAL MOVEMENT<br><br>STEALTHY POWERSHELL LOADING<br><br>SUSPICIOUS DOCUMENT CREATED BY PDF READER<br><br>SUSPICIOUS JAR CHILD PROCESS<br><br>SUSPICIOUS JAR DESCENDANT PROCESS<br><br>SUSPICIOUS MS OFFICE CHILD PROCESS<br><br>SUSPICIOUS MS OFFICE DESCENDANT PROCESS (Mac)<br><br>SUSPICIOUS MS OFFICE DESCENDANT PROCESS (Windows)<br><br>SUSPICIOUS MS OUTLOOK CHILD PROCESS<br><br>SUSPICIOUS PDF READER CHILD PROCESS<br><br>SUSPICIOUS PDF READER DESCENDANT PROCESS<br><br>SUSPICIOUS POWERSHELL DOWNLOADS<br><br>SUSPICIOUS SCRIPT OBJECT EXECUTION<br><br>USERS CREATING SYSTEM TASKS<br><br>WEBSHELL DETECTION (Linux)<br><br>WEBSHELL DETECTION (Windows)<br><br>WINDOWS SCRIPT EXECUTING POWERSHELL<br><br>WPAD SERVICE EXPLOIT<br><br><a href=\"https:\/\/lmntrix.com\/Contact\">Contact LMNTRIX <\/a>for more information.<br><br><strong><em>Works 
Cited<\/em><\/strong><br><br>(2011, February). Retrieved from Symantec: https:\/\/www.symantec.com\/content\/en\/us\/enterprise\/media\/security_response\/whitepapers\/w32_stuxnet_dossier.pdf<br><br>(2015, October). Retrieved from SANS: https:\/\/www.sans.org\/reading-room\/whitepapers\/ICS\/industrial-control-system-cyber-kill-chain-36297<br><br>(2017, December). Retrieved from DRAGOS: https:\/\/dragos.com\/wp-content\/uploads\/TRISIS-01.pdf<br><br>(2020, January). Retrieved from MITRE: https:\/\/collaborate.mitre.org\/attackics\/index.php\/Software<br><br>(2020, January). Retrieved from CISA: https:\/\/www.us-cert.gov\/ncas\/alerts\/aa20-006a<\/p>\n\n\n\n<p>On 2020-05-08<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The geopolitical scenario of United States and Iran has often spilled over into the realm of Cyberspace between the countries and 2020 was no exception. On 6th January 2020 the US department of Homeland Security published a Cyber Alert &nbsp;which is to be considered as an anticipated warning for Iran in response to a Baghdad 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2548,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2532","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2532","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2532"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2532\/revisions"}],"predecessor-version":[{"id":4264,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2532\/revisions\/4264"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2548"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2532"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2532"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2532"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}