In late December, the annual German Federal Office for Information Security report revealed a disturbing cyberattack on a steel mill that resulted in “massive damage” to the foundry. This case is just one of the latest examples of Hollywood fears coming true through the Internet of Things (IoT). Through the judicious use of online translation engines, we have learned several key things about the attack, although specific details about the company and the full extent of the damage are still unknown.

According to the report, the attacker used sophisticated social engineering and spear-phishing to gain initial access to the steel mill’s office network, then moved from there into the production network. Individual industrial control components failed or were manipulated, which left operators unable to shut the blast furnace down in a controlled manner. The technical capabilities of the attacker were very advanced, demonstrating familiarity not only with conventional IT security, but also with the specific industrial control and production processes in use at the mill.

Although the report does not say so explicitly, we can infer that the attacker was likely an insider, worked with an insider, or was at least familiar with the industry-standard protocols used to operate the mill. Because the attacker jumped from the office network to the industrial control system, we can also assume that some path existed between the two: a routed connection, a shared host or a dual-homed machine. That boundary between business IT and plant networks is exactly the one segmentation is supposed to enforce, and the more familiar the attacker was with this particular company’s systems, the easier that link would have been to find and exploit.

Industrial Targeting

Aside from a striking similarity to any “hacker-of-the-week” television drama, this situation is reminiscent of the Stuxnet worm, which was discovered in 2010 and designed to attack industrial programmable logic controllers. Stuxnet reportedly damaged almost one-fifth of Iran’s uranium enrichment centrifuges by driving them outside their safe operating speeds until they tore themselves apart. That physical destruction caused by a cyberattack is what makes it the closest precedent to the steel mill case. Put a pin in the fact that the reported attack on Iran was politically rather than financially motivated; we will come back to that.

This industrial targeting is not new. Last year, IBM Trusteer researchers identified a variant of the Citadel malware targeting Middle Eastern petrochemical companies. Earlier in 2014, reports emerged that attackers were using the Havex remote access Trojan (RAT) against industrial control system manufacturers: they compromised the manufacturers’ websites and poisoned the software downloads hosted there. The ultimate goal was for unsuspecting customers to download supervisory control and data acquisition (SCADA) software updates that now came with a bonus Havex RAT in the installer package, giving the attackers a foothold on the customer’s network that they could return to later.
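The Havex case is a software-supply-chain problem: the installer the customer fetched was the vendor’s real installer, re-packed with an added component. The following Python is an added example, not code from the original post or from any vendor or Havex analysis. It shows the check a customer (or the vendor’s own release process) can run against a downloaded package when the vendor publishes a per-file hash manifest alongside it. The vendor, package and file names, and the package contents, are constructed for illustration; the example assumes the manifest is obtained and signature-checked separately (signature verification itself is outside this snippet).

```python
"""Verify a downloaded SCADA installer package against a vendor manifest.

Added example (not code from the original post or from any vendor). It models
the Havex-style poisoning described above: a legitimate installer archive that
has been re-packed with an extra component. All names and contents below are
constructed for illustration.
"""
import hashlib
import io
import zipfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_zip(files: dict) -> bytes:
    """Build an in-memory zip archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_manifest(files: dict) -> dict:
    """What the vendor would publish (and sign) alongside the download."""
    return {name: sha256(data) for name, data in files.items()}


def verify_package(package: bytes, manifest: dict) -> list:
    """Return a list of (finding, filename) tuples; an empty list means the
    package matches the manifest exactly.

    Extra files are reported, not ignored: a trojanized installer typically
    *adds* a component rather than only altering the vendor's own files, so
    a check that looks solely at listed files would miss it.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        present = {info.filename for info in zf.infolist() if not info.is_dir()}
        for name in sorted(present):
            if name not in manifest:
                findings.append(("unexpected_file", name))
            elif sha256(zf.read(name)) != manifest[name]:
                findings.append(("hash_mismatch", name))
    for name in sorted(set(manifest) - present):
        findings.append(("missing_file", name))
    return findings


# Constructed sample: a vendor's clean installer package and its manifest.
CLEAN_FILES = {
    "setup.exe": b"MZ\x90\x00 example vendor installer bytes",
    "drivers/opc_client.dll": b"MZ\x90\x00 example OPC client library",
    "README.txt": b"Example SCADA software package 4.2.1\n",
}
MANIFEST = make_manifest(CLEAN_FILES)
CLEAN_PACKAGE = build_zip(CLEAN_FILES)

# Constructed sample: the same package after a Havex-style modification.
# The installer is re-packed so that it also loads an added DLL, and that
# DLL (a hypothetical RAT component) is dropped into the archive.
TROJANIZED_FILES = dict(CLEAN_FILES)
TROJANIZED_FILES["setup.exe"] = b"MZ\x90\x00 repacked installer that also loads update_helper.dll"
TROJANIZED_FILES["update_helper.dll"] = b"MZ\x90\x00 added RAT component (constructed)"
TROJANIZED_PACKAGE = build_zip(TROJANIZED_FILES)


if __name__ == "__main__":
    print("clean package:", verify_package(CLEAN_PACKAGE, MANIFEST))
    print("trojanized package:", verify_package(TROJANIZED_PACKAGE, MANIFEST))
```

The check is only as good as the manifest’s provenance: if the manifest is served from the same compromised website as the installer, the attacker can simply publish a matching manifest for the poisoned file. In practice the manifest must be signed with a vendor key the customer already trusts, or fetched over a separate channel, and the download site itself needs the same hardening as any other Web application.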

Security in the Internet of Things

Amid these threats, in the latest IBM X-Force Threat Intelligence Quarterly, X-Force laid out not only IBM’s model for talking about the structure of the IoT, but also some best practices for designing systems of “things.” The following is how these practices relate to the steel mill attack:

  • Perform regular penetration testing on products. Because the company has not been identified, we don’t know which security controls or testing practices were in place at the compromised steel mill. They are likely stricter now.
  • Build a secure design and development practice. The report does not say how the controls were reachable, but for an attacker to pivot from the office network into the industrial controls, the mill must have been recent enough, or sufficiently overhauled, to have networked (possibly Web-based) control interfaces. Allow me to offer a supposition that the German government’s Industry 4.0 project has come into play here. Industry 4.0’s goal is to promote intelligent factory design through adaptability, resource efficiency and ergonomics, and the IoT, big data and cloud computing are all motivations for and components of that initiative. Connecting plant equipment to those systems only works if the connections are designed securely from the start.
  • Follow industry guidance. In addition to general security best practices, there is guidance specific to SCADA systems and heavy industry, both global and local. Without knowing the company and its practices, it is difficult to ascertain how closely it adhered to that guidance.
  • Follow the Open Web Application Security Project’s Top 10 practices for the IoT. This is really a list of the 10 most common things that go wrong with a “thing.” Any of them could apply to the steel mill’s industrial controls, from insecure Web or cloud interfaces to insufficient security configurability. Again, the public information is limited, so we can’t know for sure.

That Hollywood ‘It’ Factor

Remember that pin stuck in the reportedly politically motivated Stuxnet attack on Iran in 2010? Let’s talk about how that relates to the recent Sony Pictures Entertainment breach. Did the attackers gain a direct financial benefit from compromising Sony’s network and releasing its proprietary information? Setting aside any supposed payment from a sponsor of the attack, the demands that accompanied it, backed by threats of violence, suggest the ultimate goal was to prevent a movie release and suppress free speech.

The following is a quick rundown of the motivations from the examples in this article:

  • Politically motivated physical destruction of a country’s uranium enrichment centrifuges via a worm in 2010;
  • The Havex RAT delivered through poisoned SCADA vendor downloads, to gain a foothold on industrial networks, between 2013 and 2014;
  • Threats and demands to stop a movie from being shown, delivered alongside a data breach in 2014;
  • Physical destruction at a German steel mill for a yet-to-be-disclosed purpose in 2014.

Monetary gain is not the sole motivating factor in cyberattacks, and the new avenues opened by Internet of Things ecosystems, which connect control systems built with widely varying levels of security engineering, give attackers with other motives more physical targets to reach.
