Network

Network November 2018

Issue link: https://fhpublishing.uberflip.com/i/1045844


NETWORK / 34 / NOVEMBER 2018

CYBER SECURITY

Keeping networks safe

Ross Rustici, senior director of intelligence services at Cybereason, discusses a honeypot project that has been launched to bait hackers into revealing tactics used to compromise industrial control system (ICS) environments.

ICS environments have long been on the radar of hackers. In recent years, attackers have hacked into the control system of a dam in New York, shut down the Ukraine's power grid and installed malware on the operating systems of US companies in the energy, nuclear and water sectors. The US government continues to influence grid reliability through exercises such as the latest iteration of Liberty Eclipse, scheduled for this November. It will test the ability of the nation's power grid to bounce back from a simultaneous cyber attack on electric, oil and natural gas infrastructure.

Utility providers are unfortunately facing a broader threat than is normally publicised. While ICS hacks linked to APT groups and nation-state actors are still targeting these systems, a greater variety of threat actors with a range of skills is also going after ICS environments. This assessment is based on data collected from a honeypot Cybereason set up to emulate the power transmission substation of a major electricity provider.

Accompanying this variety of focused threat actors is a new approach to sourcing access. Instead of specifically selecting targets, the actors who compromised Cybereason's honeypot bought the asset off a Dark Web forum. The honeypot infrastructure was first discovered by a black-market seller conducting a broad scan of the Internet for vulnerable machines. The seller was able to compromise a single machine in the honeypot and posted it for sale in a black market, along with the network identifiers of that compromised environment, which disclosed its probable affiliation with a large utility provider.

The hacker who purchased access executed a focused operational plan concentrated on compromising the OT network. This plan first and foremost attempted to identify and leverage shared resources between the IT/OT networks, to move laterally into the OT environment. This type of operational cadence and OT playbook is employed by experienced attack groups that target OT environments on a regular basis.

Since other characteristics of this attacker carried more resemblance to a cyber crime actor (including the acquisition of target and the initial point of penetration, aggressive disablement of the
