Welcome back to another episode of An Actual Post. As usual, no prior computer science education needed.
Today I'm going to talk about the worst of the worst malware. A lot has happened since what the general population considers to be viruses: annoying things that maybe steal some money or logins. Unfortunately it's nowadays way way way worse than that, so prepare for some uncomfortable reading!
Since the dawn of Stuxnet (which I wrote about here), malware has gotten increasingly more real-life, with real-life complications. It could be the Pegasus spyware, which targets political activists in authoritarian regimes, or disruptive infections that put a stop to Copenhagen's metro trains for a few hours. But we're merely at the beginning, because in the last few years, some nasty shit has been going down. I'm going to write about two (technically three, but I'll group the first two together for obvious reasons) of the worst incidents we've seen so far.
BlackEnergy and CrashOverride
This piece of malware has been around since the early 2000s, with the intention of creating DDoS attacks (which I wrote about here) from infected computers. It has since then branched out in its usage, particularly into targeting infrastructure environments.
Most notable is the 2015 Ukrainian power grid incident, which occurred when the Russian hacking group known as "Sandworm" infected three Ukrainian energy companies, wiping out systems and causing a power outage for over 250 000 households during winter.
The attack began with just one infected document being opened in the affected companies. When BlackEnergy infected their systems, it opened up a remote connection to the attackers, making them able to control the entire power grid operation from inside Russia, and thereby switch it off.
That was not enough though, as the attackers also implanted another piece of malicious software known as KillDisk, which wiped out many of the critical operation systems, as well as cutting off the connection to the UPS units, which are backup generators in case of system outage. To add a cherry on top, BlackEnergy did what it was originally intended to do - DDoS attacks - towards the energy companies' call centers, so that customers were not able to call and ask what was happening.
The Ukrainian power grid is quite outdated, which made the attack easier, but it was also the saving grace, as they still had manual power switches (as opposed to purely digital ones, which were under the attackers' control), so power was eventually restored before they had to rebuild all of their digital systems. This is more concerning for countries with modern power grids, where manual switches have all been replaced by digital ones only, meaning power restoration could take weeks or months in case of a similar attack.
Besides the energy companies, three other critical Ukrainian infrastructure organisations were hit by BlackEnergy, but this did not result in any operational outages.
But it didn't stop there. Just one year later, in December 2016, a similar attack struck Kiev, successfully taking down one-fifth of the country's electrical power. Like with the BlackEnergy incident, it was quite quickly restored, but there was a far more horrifying infection this time. Named CrashOverride, the malware was much more sophisticated than BlackEnergy, and did more things automatically without the need for input from a remote attacker. It was also modular, meaning that functionalities could just be added to it like Lego pieces, adapting it to whatever kind of electrical grid it was entering. This meant that it wouldn't just be able to infect Ukrainian electrical grids, but just about any country's. Furthermore, evidence points to the 2016 CrashOverride infection only being a test run.
Last but definitely not least - Triton, the first (known) malware designed to kill.
But before we talk about it, we need to look at what happened in Bhopal, India in 1984, when what has since been considered the worst industrial disaster of all time occurred. At the Union Carbide India Limited pesticide plant, on December 2nd, one of the gas tanks had a fatal malfunction, creating a massive gas leak of methyl isocyanate, which is extremely toxic. The leak spread to the surrounding city of Bhopal, resulting in almost 600 000 injured people: 40 000 temporary injuries, 4 000 permanent or severe injuries, and over 8 000 people dead within the first two weeks, with an estimated additional 8 000 deaths following due to injuries in the time after.
This was of course not caused by Triton, but it became the inspiration for the creation of the malware.
In 2017, a new piece of malware was discovered in Schneider Electric's industrial control system (called Triconex) at a Saudi Arabian petrochemical facility, which unravelled a horrible and complex secret. The infection chain for Triton contains many steps, so let's start with a brief overview of what the Triconex ICS and SIS are. ICS (Industrial Control Systems) are computers that handle all the industrial processes: computers that are programmed to do one thing and one specific thing only, unlike our regular PCs on which you can play games, surf the internet and whatever. ICS are the computers that control valves, release chemicals into vats, spin stuff around, or whatever automated processes may happen at an industrial facility.
SIS (Safety Instrumented Systems) are a kind of ICS responsible for checking that everything is going alright and, if needed, taking over the process in case some ICS is failing in a way that may result in damage, fire, injury or other disasters. So an SIS is a monitoring failsafe, meant to prevent what happened in Bhopal.
Unless, of course, you program a malware intended to make the SIS malfunction.
What happened in the Saudi Arabian petrochemical facility started as follows:
The attackers successfully implanted a remote access trojan, which, just like in the BlackEnergy case, makes the attackers able to control infected machines remotely. However, you can't infect an ICS or SIS this way; you need to enter a regular computer with internet access first, which is what they did. The initial machine was an engineering station, from which the ICS and SIS computers are controlled. From there, the attackers wanted to plant their own software on the ICS and SIS machines, but there was a problem: as a security measure, the software can't be installed without someone turning a physical key on the Triconex devices. A second problem is that every time new software changes are made to a Triconex device, the old software is deleted and replaced entirely by the new, which meant that the malware was at risk of being deleted if any engineer made any software changes.
So a second piece of Triton malware was made to overcome those hurdles. Instead of being saved where software is normally saved on the Triconex devices, it saved itself where the firmware is installed (the firmware being the software that makes the Triconex work, as opposed to the software that tells the Triconex what to do). This not only gave Triton persistence even if new software was loaded, but also overrode the physical key, as firmware always has administrator privileges.
With all this in place, the attackers could execute any commands from the comfort of their home on both the ICS and SIS systems in the facility.
As luck would have it, before the attackers were able to cause any harm, the facility experienced a safety incident, prompting shutdown of the whole operation, and an investigation later uncovered the malware in the systems. Had Triton not been discovered in time, it would have been able to cause catastrophic failures similar to what happened in Bhopal. But just because it was thwarted this time, doesn't mean it's gone for good. There will always be some actor who is willing to try again.
Thank you for reading and sorry if I scared you, but honestly I think people need to be aware of the situation, as for some bizarre reason, events like these are not reported in the news. If you have any questions, feel free to send an ask!