The anatomy of large-scale cyber attacks

By Vincent Goh, Vice President of Sales for Asia Pacific and Japan, CyberArk

The recent Australian census has focussed a spotlight on the problems cyber attacks can cause for both governments and businesses in our increasingly online world. As well as causing disruptions, they reduce the public's faith in internet-based services.

Unfortunately it's not just data gathering exercises such as the census that are at risk. Everything from water and power plants to financial platforms and communication networks are tempting targets for criminals looking to cause widespread damage and disruption.

Attention is now focusing on the steps that can be taken to reduce the likelihood and impact of such attacks. How can core infrastructure that serves cities, regions or even the globe be protected from cyber criminals?

To understand what can be done to protect important assets, it's worth examining two recent high-profile attacks. Although different in terms of targets and objectives, they demonstrate what's required to prevent future similar incidents:

Example 1: Blackout in Ukraine

In late 2015, the entire western region of Ukraine experienced a massive electricity blackout. An estimated 225,000 residents were left in the dark, and sub-station control systems were overwritten, making restoration by the power companies difficult. This event was the first time in history a cyber attack had been proven to bring down an electrical system and disrupt the lives of citizens.

The attack began with a spear phishing campaign in which the criminals disguised themselves as legitimate system vendors and members of the government. Three staff within the target utility companies believed the emails were legitimate and opened attached documents which contained a malicious macro. This caused malware to be installed on their machines.

The malware established a connection with its command and control server and deployed a secondary piece of malware known as KillDisk. KillDisk was capable of overwriting files on infected systems and rendering each system unbootable.

The attackers then stole credentials and used them to move laterally through the IT environment, staying under the radar of intrusion detection systems. They discovered electric breakers could be accessed over an internal VPN.

When the attack was launched, the criminals took control of workstations in the control room and remotely disabled them so system operators could not intervene. They then disconnected systems, opened breakers, and shut down electricity at 30 substations. They also disabled backup power supplies to two of the three energy distribution centres.

As the power went out throughout the area, the system operators were left helpless, with no ability to take back control of their machines and stop the attack.

Example 2: Financial attack in Bangladesh

In May 2015, cyber criminals stole $US81 million from the Rizal Commercial Banking Corporation (RCBC) in Bangladesh. The money was sent through fake bank accounts and laundered through casinos in the Philippines.

The attack began with either a spear phishing or a drive-by download attack, which allowed the criminals to harvest credentials from infected systems and use them to move laterally throughout the bank's IT network. They eventually gained access to machines connected to the SWIFT inter-bank platform, which allows secure transfers of money between banks around the globe. The attackers ordered a total of 35 transfers worth $951 million.

The orders were flagged during processing by the US Federal Reserve; however, the first four, worth $81 million, had already been sent to fake bank accounts at RCBC in the Philippines. The bulk of that money is still missing.

The role of privilege

In both these attacks the role of privilege was shown to be particularly important. In the Ukraine incident, attackers were able to guess and capture administrative credentials from infected endpoints and use them to move laterally throughout the environment. This enabled persistent, privileged access to the network, and eventually allowed the attackers to VPN into control systems and shut down the power.

In the Bangladesh bank heist, the attackers captured administrative credentials from infected machines and used them to move laterally until they reached the SWIFT-connected systems. Because the passwords in use were static and there was no second-factor authentication, the attackers were able to gain persistent, privileged access.

Attack prevention

In both examples, taking a different approach to security could have helped prevent the damage and losses that occurred.

The Bangladesh Bank could have dramatically reduced its attack surface by eliminating unnecessary privileges. As a best practice, standard business users should never have full local administrator rights. Without local admin rights, it would have been much more difficult for the attackers to break in, move throughout the network and install monitoring software.

Privileged account credentials should also be secured. This includes domain admin credentials, privileged SSH keys and any other credential that provides access to sensitive accounts or systems.

Highly sensitive systems should also be segmented from the rest of the IT network. Many utilities separate and 'air gap' their control systems and banks take a similar approach with their SWIFT-connected systems.

Organisations should also establish a single, highly controlled point of access into their sensitive systems. By forcing all users through this single point and closing all other routes, they can significantly reduce the attack surface and have granular control over who is able to access what systems.

While it's almost impossible to make large and complex infrastructures completely secure, following these techniques can go a long way towards reaching that goal. Cyber attacks of this nature are likely to continue to increase, making a focus on proper IT security ever more important.
