Experts demonstrated how to hack a utility and take over a smart meter

Researchers from the FireEye’s Mandiant team have breached the network of a North American utility and turn off one of its smart meters.

Over the years, the number of attacks against ICS/SCADA systems used by industrial organizations worldwide has rapidly increased. Many security firms highlighted the risks related to attacks targeting OT networks used in utilities.

Among the most clamorous attacks against industrial organizations, there is the 2015 attack against the electric grid in Ukraine and the 2017 Triton attack against a Saudi petrochemical plant.

Recently FireEye’s incident response unit Mandiant demonstrated how to infiltrate the network of a North American utility and hack into its industrial control systems to turn off one of its smart meters.

The scope of the test was to demonstrate tactics, techniques, and procedures used by threat actors to breach the protected perimeter between an IT network and an OT network.

In the first phase of the attack, the Mandiant team adopted techniques used by TEMP.Veles to breach the OT network during the TRITON attack.

“Mandiant’s experience during red team engagements highlights that collecting information from IT network assets plays a crucial role in targeted OT attacks. As a result, the internal reconnaissance phase for OT targeted attacks begins in the enterprise network, where the actor obtains knowledge and resources to propagate from an initial compromise in the IT network to remote access in the OT network.” states the FireEye’s report. “Detailed information collected about the target, their security operations, and their environment can also support an actor’s attempts at remaining undetected while expanding operations.”

Mandiant’s red team initially targeted the external-facing IT network, then attempted to gain access to the OT network.

Mandiant launched a spear-phishing attack to gain a foothold in the target enterprise network. The experts used a combination of two different phishing scenarios:

• Embedded link for a malicious file hosted on a Mandiant owned domain on the Internet
• Email attachment for a Microsoft Office document with auto – executable macro code

With this approach, the red team achieved code execution on a user workstation in the enterprise environment.

Once achieve control over the workstations in the enterprise environment, experts used a set of publicly available offensive security tools (OST) to escalate privileges and to obtain domain administrator level access.

Below the list of tools used by the Mandiant’s team:

• ldapsearch to enumerate information in the enterprise domain
• PowerSploit to exploit common security misconfigurations in IT
• WMImplant to move laterally from one system to another in the internal network
• Mimikatz to extract credentials for local user and domain administrator accounts

Then Mandiant’s OT Red Team conducted an internal reconnaissance in the IT network to determine targets of interest (people, processes, or technology) and find a way to jump from the IT to the OT. 

“During the process of propagation from IT to OT networks, an actor will leverage previously compromised systems, credentials, or applications to access systems in higher security zones—such as OT demilitarized zones (DMZ).” continues the report. “Based on our observations during multiple red teaming engagements and research, the most likely attack vectors for propagation are:

Finally, once mapped the OT network, researchers were able to steal login credentials for a human-machine interface portal for the meter control infrastructure and issue a command to disconnect the smart meter.

“With access to the domain controller in the core OT network, we extracted credentials for high privilege domain administrator accounts in the OT network using DCSYNC and Mimikatz. Using these accounts, we gained control of management servers, application servers, and operator workstations in the OT network.” concludes the report. “Mandiant was also able to use compromised credentials to login to the human machine interface (HMI) portal for the meter control infrastructure and issue a disconnect command for a target endpoint meter in the smart grid environment.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, smart meters)

[adrotate banner=”5″]

[adrotate banner=”13″]