Department of Homeland Security

(U//FOUO) DHS Bulletin: Anonymous Hacktivist Threat to Industrial Control Systems (ICS)

See also:

(U//FOUO) DHS: “Anonymous” and Associated Hacker Groups Deploying New Cyber Attack Tools
DHS: Anonymous/LulzSec Has Continued Success Using Rudimentary Hacking Methods
(U//FOUO) DHS LulzSec Bulletin: Hacktivist Groups Target U.S. and Foreign Networks
(U//FOUO) FBI Anonymous’ Participation in “Day of Rage” Protest May Coincide with Cyber Attack
(U//FOUO) Pittsburgh Office of Emergency Management “Occupy Pittsburgh” Threat Assessment

ASSESSMENT OF ANONYMOUS THREAT TO CONTROL SYSTEMS

  • 4 pages
  • For Official Use Only
  • September 16, 2011

Download

(U) The loosely organized hacking collective known as Anonymous has recently expressed an interest in targeting industrial control systems (ICS). This product characterizes Anonymous’ capabilities and intent in this area, based on expert input from DHS’s Control Systems Security Program/Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in coordination with the other NCCIC components.

(U//FOUO) While Anonymous recently expressed intent to target ICS, they have not demonstrated a capability to inflict damage to these systems, instead choosing to harass and embarrass their targets using rudimentary attack methods, readily available to the research community. Anonymous does have the ability to impact aspects of critical infrastructure that run on common, internet accessible systems (such as web-based applications and windows systems) by employing tactics such as denial of service. Anonymous’ increased interest may indicate intent to develop an offensive ICS capability in the future. ICS-CERT assesses that the publically available information regarding exploitation of ICS could be leveraged to reduce the amount of time to develop offensive ICS capabilities. However, the lack of centralized leadership/coordination and specific expertise may pose challenges to this effort.

DISCUSSION

(U//FOUO) Several racist, homophobic, hateful, and otherwise maliciously intolerant cyber and physical incidents throughout the past decade have been attributed to Anonymous, though recently, their targets and apparent motivations have evolved to what appears to be a hacktivist agenda. The section below highlights a recent interest Anonymous has developed in exploiting ICS, which the NCCIC assesses is a new tactic, technique and/or procedure (TTP). For more information on Anonymous’s background or motivations, please see the NCCIC Bulletins: “Anonymous Upcoming US Operations, Impact, and Likelihood,” and “Anonymous and Associated Hacker Groups Developing New Cyber Attack Tools.”

(U) Recent Examples of Anonymous’ Interest in Control Systems

(U) On 11 July 2011 a suspected member of Anonymous, posted some materials to Pastebin. This posting describes its cyber attack on Monsanto’s websites and e-mail servers. Anonymous reported exfiltrating personally identifiable information (PII) data on 2,500+ employees and associates, including full names, addresses, phone numbers, and exactly where they work. They reported it took about two months to accomplish this attack. (U) Monsanto is a U.S.-based global biotech seed company. Tom Helscher, the company director of corporate affairs, in an e-mail to msnbc.com confirmed that Monsanto “experienced a disruption to its website that appeared to be from an organized cyber group.”

(U//FOUO) On 12 July 2011, Anonymous released a press report on a website titled “Anonymous Operation Green Rights \ Project Tarmaggedon.” The report outlined Anonymous’ hacktivists concerns with global warming and called for protests against the Alberta Tar Sands (Canada) project along Highway 12 in Montana. As quoted from its posting, “Anonymous Operation Green Rights calls your attention to an urgent situation in North America perpetuated by the boundless greed of the usual suspect: Exxon Mobil, ConocoPhillips, Canadian Oil Sands Ltd. Imperial Oil, the Royal Bank of Scotland and many others.” On 13 July 2011, according to open source reporting, seventy protesters ascended on the Montana state capitol building to protest the Alberta Tar Sands project and the Keystone, XL 36 inch underground pipeline project.e The NCCIC assesses that Anonymous’ participation in peaceful protests carries a moderate likelihood of being accompanied by cyber attacks or exploitations, though no malicious cyber activity was reported in association with this protest.

(U) On 19 July 2011, a known Anonymous member posted to Twitter the results of browsing the directory tree for Siemens SIMATIC software. This is an indication in a shift toward interest in control systems by the hacktivist group.

(U) ICS-CERT Assessment of Capabilities

(U//FOUO) An anonymous individual provided an open source posting on twitter of xml and html code that queries the SIMATIC software. The individual alleged access to multiple control systems and referred to “Owning” them. The Twitter posting does not identify any systems where privileged levels of access to control systems have been obtained.

(U//FOUO) The posted xml and html code reveals that the individual understands the content of the code in relation to common hacking techniques to obtain elevated privileges. It does not indicate knowledge of ICS; rather, it indicates that the individual has interest in the application software used in control systems. The posted xml and html contained administration code used to create password dump files for a human-machine interface control system software product from Siemens. The code also contained OLE for Process Control (OPC) foundation code that is used in server communication with control system devices such as programmable logic controllers, remote terminal units, intelligent-electronic devices, and industrial controllers. No indication of exploitation capability was observed by ICS-CERT. The information assessed indicates that the individual was able to recognize and post the portions of code that would ensure others knowledgeable in control systems would take notice.

(U//FOUO) The same individual also posted the directory browse history of the software application installation. In the twitter posting the server information was not identified. This does not indicate that the individual was trespassing on an operational control system – the information could have been posted based on others work or a demonstration installation on the individual’s personal systems.

(U//FOUO) The capability of the individual to recognize and post code that would gain the attention of those knowledgeable in control systems, as well as their claims to have access to multiple control systems, indicates the individual has an increased interest in control systems, but does not demonstrate capabilities. There are no indications of knowledge or skill in control systems operations, design, or components. The individual may possess the necessary skill to exploit elevated privileges by hijacking credentials of valid users of the ICS software product posted based on traditional exploitation methods, not anything ICS specific. No posting by the individual indicated direct malicious activity.

DHS/NCCIC ASSESSMENT

(U//FOUO) The information available on Anonymous suggests they currently have a limited ability to conduct attacks targeting ICS. However, experienced and skilled members of Anonymous in hacking could be able to develop capabilities to gain access and trespass on control system networks very quickly. Free educational opportunities (conferences, classes), presentations at hacker conferences, and other high profile events/media coverage have raised awareness to ICS vulnerabilities, and likely shortened the time needed to develop sufficient tactics, techniques, and procedures (TTPs) to disrupt ICS. Control system exploits are released in common penetration testing software such as Metasploit release 4.0 that can be directly used with novice level skills in hacking and little to no background in control systems. Common packet inspection tools such as WireShark and Netmon have improved to the point where industrial protocols are supported minimizing the effectiveness of security-by-obscurity.j,k,l,m In addition, there are control systems that are currently accessible directly from the Internet and easy to locate through internet search engine tools and applications. These systems could be easily located and accessed with minimal skills in order to trespass, carry out nefarious activities, or conduct reconnaissance activities to be used in future operations.

(U//FOUO) Anonymous has recently called on their members to target energy companies based on “Green Energy” initiative performance. This targeting could likely extend beyond Anonymous to the broader hacktivist community, resulting in larger-scope actions against energy companies. Asset owners and operators of critical infrastructure control systems are encouraged to engage in addressing the security needs of their control system assets.

Share this:

Facebooktwitterredditlinkedinmail