Over the past few days, we have looked at 3 very different Iranian hacker groups that operated in very different ways. We have had some great conversations with our clients and partners about the different ways that we can all protect ourselves from these threats.
One of the first questions that we hear is, “is this really a threat to my company?” Listen…I’m going to give it to you Bottom Line Up Front: Yes, the threat is real. Red Trident Inc has already seen an increase in phishing activity, and there has been an increase in reconnaissance and intelligence gathering activities. So why haven’t we seen a large scale OT/ICS attack by during the heightened tensions with Iran? Before we get into that, let’s look at the main categories of threat actors that can carry out these types of attacks.
Intelligence teams look at information in context, and it’s important to look at this particular problem set from the context of different Threat Actor’s perspectives. This will help you determine why they may be targeting your OT/ICS networks, and help you stop them. The four main Threat Actors that have capabilities and motives to act against ICS networks are:
We’re going to do a full white paper on the various motivations of the different major threat actor group types, so look for that in the very near future. I expect to have that published by mid-January. For today, I would just like to address State Sponsored groups, and Nation States, and why they are a valid threat to your organization.
State Sponsored Groups
State Sponsored Groups can be very powerful, and they normally have very specific targets that they are hunting. Typically, a country will hire privateers/pirates/hacker groups to do a specific mission. Normally these things are aimed at accomplishing objectives that the sponsoring country doesn’t want to do, does not have the capability to do, or does not want to get caught doing. Regardless of the motivations, they hire groups to carry out State sponsored objectives. These groups are NOT State controlled, though, so they normally have additional objectives that they will try to accomplish while inside your network.
We have looked at three such groups earlier this week, and you can see how their activities are only sometimes in-line with their state sponsored objectives. All evidence points directly to State sponsorship, but not always State sponsored objectives. Regardless of where the objectives come from, ICS networks are one of their prime attack vectors. Attacks will continue to escalate, although it’s not completely clear whether they will stay regional or continue to grow globally.
Nation States
Nation States like China, Russia, North Korea, and Iran are well known to have very active cyber espionage organizations. State sponsored attacks against ICS networks represent the biggest concern to the US and global economy. Why hasn’t there been more attacks against these networks? It depends on your definition of attack. If you define an attack by any type of probing or intelligence gathering, then attacks happen every day. If you define an attack by an entity causing damage, then most State actors have a vested interest in not doing those types of attacks. Once a full-on cyber war is started with all sides trying to cause damage to ICS networks, then the world could truly be in trouble. It’s a kind of Cyber Mutually Assured Destruction that keeps things from getting too out of hand, if you will. For now, Cold War style cyber-attacks will continue to be the norm, with all sides stealing as much information as they can while doing as little damage as possible. Intelligence gathering will continue, packages will be weaponized for the specific environments, and we will all continue to leave each other alone as long as everyone is playing fair.
The main problem with Nation State cyber warfare in the OT/ICS realm is that there will be very little warning before attacks occur, and the attacks will be devastating. You do not have to line up your troops, or move things into position, or do any type of activity that would show a build-up of force before an attack. Escalation will be rapid. One single attack will not happen, unless it’s an accidental attack. Indications that an attack are occurring will be sketchy, because we have not seen a national level attack before. None of us have. The nation that initiates the attacks will probably have the upper hand, and that upper hand will extend to all types of information networks.
So what does this mean for your business?
Does this mean that you don’t have any risk to your OT/ICS systems? The short answer is NO. You have a lot of risk, and that risk is coming from many different vectors. Cybercriminals are trying to use your OT networks to infiltrate your IT networks. Hacktivists need to be monitored, and responded to when they raise their ugly heads. State sponsored groups are a major threat right now and they will be for the foreseeable future. Nation States…well, let’s just say that if China wants to get into your networks and steal your intellectual property, then get ready for a fight. That goes for any nation state, but China is notorious for doing this, so you need to have a plan. You really need to have a good understanding of those threat actors that target your specific types of networks.
The Good News
Red Trident Inc has a full team of IT and ICS cyber security professionals that can do everything from vulnerability and compliance assessments to comprehensive cyber security program development.
We have military-grade intelligence analysts on our staff that can help you identify your threats.
We have CSOC services that can help you monitor, detect, contain, and remediate across your IT and OT networks. Most importantly, we have all worked in the plants and know what you’re up against.
