Exfiltrating Reconnaissance Data from Air-Gapped ICS/SCADA Networks

Presented at Black Hat Europe 2017, Dec. 7, 2017, 11:30 a.m. (60 minutes)

Air-gapped industrial networks are assumed to be impenetrable because they are disconnected from the Internet and even from corporate IT networks. However, there are multiple ways that attackers can deploy malware to an air-gapped network, including compromising vendor update mechanisms or infecting USB drives or laptops of third-party contractors who connect directly to the air-gapped network for maintenance purposes.

In this talk, we cover the following scenario: An attacker compromises the air-gapped network with autonomous, self-directed malware that performs reconnaissance to discover the network topology, the specific types of industrial devices connected to it (as with the CrashOverride malware used in the 2016 Ukrainian grid attack), and perhaps sensitive IP such as secret formulas and nuclear blueprints. Once the reconnaissance information has been collected, how do you exfiltrate the data so it can be used to plan and mount physical attacks?

Previous researchers have shown how to exfiltrate data from air-gapped networks using RF signals emitted from PCs, but persistent PC-based malware has a high probability of being detected. However, Programmable Logic Controllers (PLCs) don't use anti-malware programs because they have limited CPU/memory and run embedded real-time operating systems. As a result, they're ideal targets for compromise using malicious ladder logic (the code used in PLCs).

We'll explain how to inject specially crafted ladder logic code into a Siemens S7-1200 PLC. The code uses memory copy operations to generate frequency-modulated RF signals slightly below the AM band (340 kHz to 420 kHz), with the modulation representing encoded reconnaissance data. The signal can then be picked up by a nearby antenna and decoded using a low-cost Software-Defined Radio (SDR) and a PC. The receiving equipment can be located just outside the facility or even mounted on a drone flying overhead.

Finally, we'll show a live demo and discuss various ways to defend against this type of attack.


Presenters:

  • George Lashenko - Security Researcher, CyberX Israel Ltd
    An experienced Security Researcher, George Lashenko brings to CyberX vast experience working with mathematical algorithms and developing large-scale software projects. Having spent over 4 years in the Israel Defense Forces (IDF), George served in an elite unit as a software engineer on teams in charge of protecting the IDF's critical infrastructure.
  • David Atch - VP of Research, CyberX
    David is a world-class cybersecurity expert with many years of real-world experience in malware analysis, threat hunting, and incident response. He has contributed multiple submissions to ICS-CERT including for zero-day vulnerabilities in commercial ICS devices [see: https://search.usa.gov/search?utf8=%E2%9C%93&affiliate=us-cert-cs&query=atch&commit=Search] and tracking malware campaigns targeting critical infrastructure [see: https://ics-cert.us-cert.gov/Operation-BugDrop-CyberX-Discovers-Large-Scale-Cyber-Reconnaissance-Operation-Targeting-Ukrainian]. Prior to CyberX, David had a military career in the IDF where he led a team of programmers and reverse engineers who continuously hunted and mitigated complex cyber-intrusions targeting the country's critical national infrastructure. He has also received multiple awards for technological innovation. Most recently, David was invited to present at the SANS ICS Security Summit in March 2017. CyberX is a Boston-based industrial cybersecurity company founded in 2013 by IDF cyber experts.
