Martin, the CIO of Pulp Global, has a plan.
He wants to roll out reporting and manufacturing execution systems to all 25 of the company’s mills.
That’s where our story begins.
•Their industry is highly competitive
•Producers need the lowest possible costs
•There are as many different ways of building and running a mill as there are mills
•Only 5 of its 25 mills use the same systems
Number One decides to do a little investigation of Pulp Global.
He calls this his “get-familiar phase.”
His team looks into vendors, suppliers, maintenance contractors, personnel, and information about the IT and OT systems.
One word keeps popping up: Segnen.
The files inside:
•Mill floor plans
•A list of equipment with brand, models & version #s
•A list of new software, OSes, network layouts, IP addresses, Modbus tags and I/O listings, and even passwords
An engineer from Pulp Global’s third-party integrator had received an email containing only the zip file, with the subject: “Important project documents.”
He decided to upload the zip file into a reputable malware scanning service.
Peter has just finalized his Master’s degree in Automation Technology and was almost immediately hired by Pulp Global.
His thesis just happens to be about – wait for it! – Pulp Global's plant automation project.
Smart move for lowering costs, but there’s a problem.
The service also had a test environment where the service developers could test & deploy changes.
And there is an admin account.
Number One decides it is time to launch a targeted spearphishing campaign.
Through the newsletter, he learns employees recently had been rewarded with a party.
He creates an email using Pulp Global’s template...
Subject: Employee Celebration Pics
Peter couldn’t go to the party but he’s interested in seeing what he missed.
Official template. Seems legit.
Number One and the team spend the next two weeks mostly celebrating. No further attacks or trying to extend their foothold.
Instead, they monitor Peter’s laptop, logging keystrokes and capturing screenshots of the systems Peter accesses.
*system & shop floor layout
*asset inventory report
Their exfiltration of information detailing Pulp Global’s projects and sites totals tens of gigabytes.
Some comb through the millions of pages of documents. Others try to extend their foothold in Pulp Global’s network.
To remain undetected, they use all the same tools the company’s IT staff and system administrators use on a daily basis.
1. They're a mishmash built over 3 decades
2. They include everything from legacy applications and servers to new Windows systems
3. Many systems receive no updates, making them easy to infect with publicly available exploits
In a photo from an IT support staff member, a computer monitor in the corner has a Post-It note stuck to it.
The note contains the domain administrator credentials used by Pulp Global’s IT support staff.
Number One doesn’t believe they will work. But they do.
Meet Eric, a control systems engineer working for a third-party integrator.
He’s the guy who uploaded the zip file to the reputable malware scanner.
*the different systems
*their software versions
*the PLCs (programmable logic controllers)
*the DCS (distributed control system) equipment used in the mill
And for fun, they try to harvest more user credentials.
BONUS: Local admins had written down the passwords for easy access for the employees.
This makes it possible for automation engineers to access the engineering workstations while monitoring operations from the control room.
It's also the hackers' way in.
After about a month of collecting information and extending the foothold in Pulp Global’s networks, Number One finally has enough information to prepare the targeted attack on the industrial control systems at the Segnen mill.
This means they can test and validate their attack on the production systems with only a minor risk of getting caught.
Playing the part of a new employee at one of the mill’s contractors, Number One asks questions that could only come from someone who knows the mill intimately.
The employees suspect nothing.
If successful, his attack would cause lasting reputational damage and financial loss.
If it fails, it will wipe out all PLCs, servers and hosts in the production environment.
This is easier said than done.
Segnen mill runs 24/7. Controllers can’t be taken offline or stopped for the code change without the attackers calling themselves out.
By changing small parts of specific code blocks and extending existing variables in data blocks, the controllers don’t need to be stopped.
The new code can be downloaded onto the controller and will start running during the next cycle.
They change six different PLCs, a few safety logics, and create new views for HMI panels used by the operators to monitor the process.
It’s go time.
Temperatures used in the pulp cooking process begin to vary at random intervals.
The fluctuations in temperature distort quality control system readings, which results in waste, quality problems, fines and, ultimately, reputational damage.
Due to recent attacks against the safety controllers, Eric, the control systems engineer, had implemented a physical key attached to the controllers, putting them in run-only mode.
This stops anyone from making software changes without actually turning the key.
The control systems engineers, including Eric, work overtime to find the cause of the random fluctuations.
The pros recommend a thorough sweep of the production hosts to see if any other implants are hidden in the network.
Eric contacts his boss, who notifies the CIO of Pulp Global:
The mill is under attack.
He saw the development environment open with the very same part of the code they’d been trying to circumvent for the better part of a week.
“How did they find us?”
Within two hours, the Segnen mill is completely halted.
The pulp cooking process has to be taken down using a manual override -- a process that can take weeks to reverse.
Bored mill personnel begin posting pictures of blank control room displays on Facebook.
Eventually the news of the complete breakdown at the Segnen mill reaches the CIO, from a reporter looking for a comment.
After the call from the reporter, the CIO contacts Segnen to find out what's up.
The mill is in such chaos that it’s impossible to get anyone to stay on the phone.
Pulp Global had no plans or procedures to guide the CIO in dealing with the incident.
This means the hackers have nearly limitless possibilities to attack other targets within Pulp Global.
It takes nearly a year to regain the confidence of customers and investors and to deal with the resulting safety and health hazards.
Although the direct costs of the forensics, equipment and labor are in the millions, the biggest cost can’t easily be measured -- the loss of customer & investor confidence.
With cyber attacks growing more advanced by the day, you cannot rely on stopping all threats before they infiltrate your infrastructure.
These days, a compromised network is not a question of “if,” but “when” and “what do we do about it.”
A high-quality detection and response solution slashes attack detection from months to minutes.
Find out more about F-Secure’s Rapid Detection & Response: