Categories: Security

ICS-CERT states that a manufacturing organization was compromised for several months

The latest ICS-CERT MONITOR report reveals that hackers had access to the systems of an unnamed manufacturing organization for several months.

According to the ICS-CERT MONITOR report, which summarizes the Industrial Control Systems Cyber Emergency Response Team’s (ICS-CERT) activities between May and August 2014, threat actors had access to the systems of an unnamed manufacturing organization for several months.

The attackers compromised the network of the organization and, as explained in the report issued by ICS-CERT, a large number of hosts were compromised; the investigation also revealed lateral movement by the intruders to extend their presence across the hacked architecture.

“A large critical manufacturing organization was compromised by multiple sophisticated threat actors over a period of several months. ICS-CERT received and analyzed digital media data provided by the organization and deployed an onsite incident response team to assist the organization with recovery efforts,” states the report.

The investigators also discovered that the bad actors had managed to gain privileged access to machines by leveraging compromised domain accounts. The organization hit by the hackers has a large attack surface: the experts discovered more than 100 entry and exit points connected to the Internet, a scenario that is not unusual for critical infrastructure.

Another typical problem in critical environments is that the overall architecture is composed of numerous components added over time, making the infrastructure very heterogeneous and hard to control. As a result, the network consists of a collection of appliances, and sometimes of entire networks, that were integrated over time with little attention to security.

“In this situation, re-architecting the network is the best approach to ensure that the company has a consistent security posture across its wide enterprise,” ICS-CERT said. “This organization is a conglomeration of multiple companies acquired in recent years. The acquisition and subsequent merging of multiple networks introduced latent weaknesses in network management and visibility, which allowed lateral movement from intruders to go largely undetected,” the report reads.

The document issued by ICS-CERT also includes a paragraph on Method of Exfiltration which specifically refers to the Havex RAT, which has been used in recent months in cyber espionage campaigns. In July, researchers at FireEye detected a new variant of the Havex RAT that scans SCADA networks via Object Linking and Embedding for Process Control (OPC); their analysis confirmed the findings of security experts at F-Secure and Symantec, who had reported a surge of malicious campaigns based on the “Havex” malware against critical infrastructure. The bad actors behind the Havex campaign mainly targeted companies in the energy industry with the intent of conducting industrial espionage against several American and European companies.

“Various reports have indicated that organizations in the energy, manufacturing, pharmaceutical and information technology sectors are among those targeted by this campaign. However, drawing conclusions about the specific intent of targeting is not well understood as all victims have not been identified. While the specific target and motive of the campaign is unclear, the situation elevates the presence of a new and potentially evolving threat against industries operating critical infrastructure,” reads the ICS-CERT report.

Unfortunately, incidents and cyber attacks against critical infrastructure are very frequent: a study from Unisys and the Ponemon Institute published in July revealed that 70% of the 599 critical infrastructure organizations analyzed had suffered at least one security breach in the last 12 months that caused a disruption of operations or the loss of confidential data. In May, US Congressmen Ed Markey and Henry Waxman issued the report “Electric grid vulnerability” on the level of security of US critical infrastructure, which confirmed that US critical infrastructure is under unceasing cyber attack.

Security of critical infrastructure is a top priority for the US Government; recently NIST published a draft of its cybersecurity framework, which outlines how private companies can protect themselves against cyberattacks and security breaches.

Pierluigi Paganini

(Security Affairs – Critical Infrastructure, ICS-CERT)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
