A cyberattack honeypot set up by cybersecurity company Cybereason has unearthed insights into the methods and behaviours of hackers looking to gain control of national power grids.

The honeypot was created by Cybereason to mimic a power transmission substation owned and operated by a major electricity provider. It was built with the same type of network architecture so that hackers would believe they were attacking a power transmission substation.

The cyberattack honeypot was set up with intentional weaknesses in the security to make it an appealing target for attackers, and was then monitored to determine how they behaved.

The result was an impressive, albeit concerning, insight into the goals and speed of power grid hackers.

Power grid hackers are increasingly targeting industrial control system environments

Power grids and other environments that handle the generation, transmission and metering of energy are known as industrial control system (ICS) environments.

These ICS environments are not a new target for attackers, but the number and range of different types of attackers focusing on this environment type is increasing.

This is backed by a number of high-profile recent incidents. In 2016, for example, it was publicly disclosed that the control system of a New York dam had been hacked, while the Ukrainian power grid has been hit by several attacks in recent years.

Such attacks are extremely serious, with the potential to not only cripple essential infrastructure, but even result in loss of life.

It is no surprise, then, that the US government announced on Friday that it will be running its own extensive tests on the country’s national power grid to determine how effectively it would recover from a severe attack.

How the cyberattack honeypot ended up on the black market

Just two days after Cybereason’s cyberattack honeypot went live, it had been accessed by a black market seller.

Believing it to be an ICS target, they installed a number of backdoors onto the system and put it on sale on xDedic, a black market hosted on the dark web.

While Cybereason were not able to oversee the sale itself directly, 10 days after the honeypot went live a new hacker connected – the new owner of this asset.


What the power grid hacker wanted

The new attacker's first action was to disable standard security controls, such as the antivirus software, but from there they began to look for ways to directly access and control the ICS environment, which would allow them to control or damage the power system.

To do this, their focus was to find a path from the IT environment they were accessing to the operational technology (OT) environment, which would, had the system not been a honeypot, have allowed them to control real-world power network infrastructure.

“In two days, the attackers got into the environment, conducted reconnaissance aimed at finding an entry point from the IT environment to the OT environment, which is really what they wanted,” explained Israel Barak, CISO of Cybereason.

“The attackers appear to have been specifically targeting the ICS environment from the moment they got into the environment. They demonstrated non-commodity skills, techniques and a pre-built playbook for pivoting from an IT environment towards an OT environment.”

Lessons for the power industry and beyond

The findings of the cyberattack honeypot make it clear that attacks by power grid hackers are a serious issue, and that they are relatively easy to carry out.

Moreover, it shows that organisations need to be aware of the risks posed by attackers who have already gained a foothold and are working to move laterally between different areas of the network. In particular, it highlights the need for security monitoring that covers the whole system, rather than separate, siloed security tooling for the IT and OT environments respectively.

“Having this visibility is important because attackers could start in the IT environment and move to the OT environment,” Barak said.
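The pivot described above (disable endpoint protection on the IT side, then probe for a route into the OT network) is only visible to a detection that sees both the endpoint telemetry and the traffic crossing the IT/OT boundary. The following is an added example written for this page, not Cybereason's code or anything from the honeypot itself: a small correlation routine run over constructed log lines. The subnets, the log format, the event name `av_disabled` and the sample hosts are all assumptions made for the example; the industrial protocol ports (Modbus/TCP 502, DNP3 20000, EtherNet/IP 44818) are real.

```python
"""Correlate IT-side endpoint events with flows from the IT LAN into the OT LAN.

Added illustrative example, not code from the original article or from
Cybereason. Network layout, log format and sample lines are constructed.
"""
import ipaddress
from datetime import datetime

# Assumed (hypothetical) network layout: corporate IT LAN and OT/ICS LAN.
IT_NET = ipaddress.ip_network("10.1.0.0/16")
OT_NET = ipaddress.ip_network("10.9.0.0/16")

# Industrial protocol ports that an ordinary IT workstation should never reach directly.
ICS_PORTS = {502, 20000, 44818}  # Modbus/TCP, DNP3, EtherNet/IP

# Constructed sample log. Two record kinds: endpoint events and network flows.
# 10.1.4.22 disables AV, then opens Modbus connections into the OT LAN.
# 10.1.7.8 reaches the OT LAN first and disables AV only afterwards.
SAMPLE_LOG = """\
2020-06-01T10:00:05 endpoint host=10.1.4.22 event=av_disabled
2020-06-01T10:00:09 flow src=10.1.4.22 dst=10.1.4.1 dport=445
2020-06-01T10:01:30 flow src=10.1.4.22 dst=10.9.0.15 dport=502
2020-06-01T10:01:31 flow src=10.1.4.22 dst=10.9.0.16 dport=502
2020-06-01T10:02:00 flow src=10.1.7.8 dst=10.9.0.15 dport=502
2020-06-01T10:03:00 endpoint host=10.1.7.8 event=av_disabled
"""


def parse_line(line):
    """Split '<iso timestamp> <kind> key=value ...' into (datetime, kind, dict)."""
    ts_str, kind, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return datetime.fromisoformat(ts_str), kind, fields


def correlate(log_text, window_seconds=3600):
    """Return one alert per IT host that reaches the OT LAN on an ICS port.

    Severity is 'high' when the same host disabled endpoint protection within
    the preceding window (the IT->OT pivot pattern), 'medium' otherwise. Any
    IT->OT flow on an ICS port is reported: it is anomalous on its own.
    """
    av_disabled_at = {}   # host -> time endpoint protection was disabled
    alerts = {}           # host -> alert record

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, kind, f = parse_line(raw)

        if kind == "endpoint" and f.get("event") == "av_disabled":
            av_disabled_at[f["host"]] = ts

        elif kind == "flow":
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
            if not (src in IT_NET and dst in OT_NET and int(f["dport"]) in ICS_PORTS):
                continue

            prior = av_disabled_at.get(f["src"])
            pivot = prior is not None and 0 <= (ts - prior).total_seconds() <= window_seconds

            alert = alerts.setdefault(
                f["src"], {"host": f["src"], "severity": "medium", "ot_targets": []}
            )
            alert["ot_targets"].append(f["dst"])
            if pivot:
                alert["severity"] = "high"

    return sorted(alerts.values(), key=lambda a: a["host"])


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a)
```

The point of the example is that neither data source alone produces the high-severity finding: the endpoint log only shows an AV being switched off, and the boundary firewall only shows an IT address talking Modbus. Only a rule that holds both in one place sees the pivot the honeypot recorded.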

It also highlights that attacks are not only being undertaken by what are known as advanced persistent threat (APT) actors – highly sophisticated attackers hacking professionally for nation states and similar.

In this case, while the attacker was knowledgeable, they made some choices that identified them to Cybereason as not operating at the APT actor level. In other words, power grids and other ICS environments are appealing to a wide range of hackers.

“The biggest lesson learned from the honeypot is that multiple tiers of attackers find ICS environments interesting. That’s increasing risk for people who operate those types of systems,” said Ross Rustici, Cybereason’s Senior Director of Intelligence.

“The security basics are really what’s going to prevent a bad day from becoming a catastrophic day.”