Targeting SCADA Systems

Introduction

Recent years have witnessed an increased awareness within the worldwide security community of risks related to cyber attacks against critical infrastructures. ICS/SCADA systems have been a particular cause of concern for the security community, owing to Stuxnet, Flame and other cyber threats. As automation continues to evolve and assumes a more important role worldwide, the use of ICS/SCADA systems is likely to increase accordingly.

In this post I would like to present an analysis of several cyber incidents pertaining to ICS/SCADA systems and originating from threat elements in the Middle East.

Iranian Hacker Group Implicates itself in Physical Attack on Electric Power Facility

On January 2, 2014, the Cryptome.org website (a digital library host) published a message from the Iranian hacker group Parastoo, directed at the American authorities. The message headline connects the group to a “military-style” attack on an electric power station, the PG&E Metcalf substation, in California, U.S.A. on April 16, 2013. The connection to the Iranian group is unclear, despite the fact that Parastoo has mentioned that it has been testing national critical infrastructures using cyber vectors.

Cryptome message
Cryptome message

On April 16, 2013, an undetermined number of individuals breached the PG&E Metcalf power substation in California and cut the fiber-optic cables in the area around the station. The act neutralized some local 911 services and temporarily disrupted cell phone service in the area. The perpetrators also fired shots from high-powered rifles at several transformers in the facility. Ten were damaged and several others shut down.

It should be noted that there have been several attacks against different infrastructure facilities in the U.S. in the past year, such as the Arkansas power grid. Furthermore, officials conceded that the electric power industry is focusing on the threat of cyber attacks.

About Parastoo

The Iranian hacker group Parastoo first emerged on November 25, 2012, when they posted a message announcing they hacked into the International Atomic Energy Agency (IAEA) and leaked personal details of its officials. In February 2013, Parastoo claimed to have stolen nuclear information, credit card information, and the personal identities of thousands of customers, including individuals associated with the U.S. military, that work with IHS Inc., a global information and analytics provider.

The Syrian Electronic Army Hacks into Israeli SCADA Systems

On May 6, 2013 the cryptome.org website reported a successful attack by the “Syrian Electronic Army” (SEA) on a strategic Israel infrastructure system in Haifa. In an email sent to the website, the attack was declared to be a warning to decision-makers in Israel, evoking alleged Israeli Air Force (IAF) attacks on Syrian territory at the beginning of May 2013. The claim of responsibility for the attack was accompanied by a .pdf file with screenshots substantiating the cyber attack.

Examination of the screenshots proved that the attack was authentic, but was not aimed at a Critical National Infrastructure (CNI) like the municipal water SCADA system in Haifa. Our research did, however, reveal that the attackers had targeted the irrigation control system of Kibbutz Sa’ar, near Nahariya. Control of this system would present the hacker with numerous capabilities, among which is the destruction of the agricultural yield.

Screenshot from the PDF released by the attackers
Screenshot from the PDF released by the attackers

We also noticed that the time shown on the screenshot indicated the end of April 2012. It is possible that the system clock was incorrectly set, but it is more likely that the system was breached a year ago and the published “Retaliatory Strike” was retained as a contingency plan for exactly such an attack by Israel.

The Syrian Electronic Army posted a denial via its Twitter account, where it stated that it was not behind the attack. On other occasions, this Twitter account has been used as a platform for claims of responsibility, but with this incident, the above attack is not mentioned, neither here nor on the group’s official website or forums (apart from the denial). It should be noted that there are numerous examples of fictitious claims of responsibility intended to deflect identification of the attacker MO (Modus Operandi) of state-sponsored hacker groups.

SEA denial on their Twitter account
SEA denial on their Twitter account

This incidence is another link in a chain of events demonstrating an impressive ability to locate and exploit SCADA systems that appear to be susceptible to the Muslim hackers’ skills. However, in our view, this event is unprecedented. For the first time in public, a critical computerized infrastructure facility on Israeli soil has been attacked, and it is extremely likely that a sovereign state is behind the attack, declaring outright war in the cyber arena and deviating from the intelligence-gathering plateau.

Jihadist Cyber Terror Group to Target SCADA Systems

On June 11, 2011, a prominent Web Jihadist from the Shumukh al-Islam forum, Yaman Mukhaddab, launched a campaign to recruit male and female volunteers for a new Electronic Jihad group. The campaign, which takes place over the thread itself, begins with a clear definition of the group’s tasks and priorities. Mukhaddab says:

Simply put, it is a cyber-terror base, for launching electronic terror attacks on major infidel powers, specifically the U.S., the U.K. and France, no others. This base is not going to attack, for instance, the sites of Shi’a, Christians, apostates, slanderers, liar sites and forums or anything else. I repeat: it will only target the U.S., the U.K. and France.

Mukhaddab goes on to list the main targets for future attacks. SCADA systems are ranked as a top priority target, in order to “destroy power, water and gas supply lines, airports, railway stations, underground train stations, as well as central command and control systems” in these three countries. The second priority includes control systems of general financial sites, such as central savings organizations, stock markets and major banks. Third on the group’s agenda are websites and databases of major corporations dominating the economies of these countries, while fourth and last are less specified “public sites affecting the daily routine of citizens, in order to maximize the terror effects on the population”.

Mukhaddab details the desired skills of anyone wishing to join the group, including: thorough understanding of SCADA systems, preferably with experience in hacking them; acquaintance with writing hacking programs and scripts, and programming in C, C+ and C++ languages; expertise in networks, communication protocols and various kinds of routers and firewalls, specifically mentioning CISCO; Expertise in Linux or Unix operating systems; expertise in Windows operating system; capability of detecting security vulnerabilities; acquaintance with hacker websites, capability of entering them easily, searching for required scripts, tools, or software, and providing them to fellow members, if asked to; complete mastery of English or French scientific language, and scientific background in computer engineering; mastery of the Russian language; and mastery of the Chinese language. Members who want to volunteer are asked to post a response in the thread, specifying the categories that fit their capabilities.

To date, close to a hundred volunteers have already signed on to Mukhaddab’s Electronic Jihad group. We have yet to see indications that this newly formed group has started to engage in online hacking activity, but given the enthusiasm it created among forum members, this is likely to occur in the near future.

Related Posts:


Cybercriminals Target iOS Devices April 28, 2014 by Tanya Koyfman

Cyber Threats to a Bank – Part 1: Cybercriminals Target Financial Institutions November 27, 2014 by Tanya Koyfman

AnonGhost Targets Universities around the World December 4, 2014 by CyInfo

Cyber Criminals “TARGET” Point of Sale Devices  January 15, 2014 by assafkeren


One thought on “Targeting SCADA Systems

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s