Fantastic information and where to find it: a guidebook to open-source OT reconnaissance

Wednesday 2 October 17:00 - 17:30, Green room

Daniel Kapellmann Zafra (FireEye)



Since at least 2015, we have tracked a cluster of Russian-sponsored cyber espionage activity targeting the energy sector, known as TEMP.Isotope. The group has leveraged watering holes and spear-phishing campaigns to infiltrate information technology (IT) networks, harvest credentials, and exfiltrate information about industrial networks. The documentation retrieved by TEMP.Isotope is critical for engineering future attacks targeting operational technology (OT) networks that are designed to control and monitor physical processes. The extracted information can be used by threat actors to better understand the network architecture and physical processes taking place in the facility, to visualize what equipment the victim uses, identify associated suppliers and contractors, and figure out what tools they will need to build or acquire in order to conduct further attacks.

Although we have observed an uptick in the number of nation-state sponsored threat actors seeking to obtain information about operational technology environments by directly targeting organizations, we highlight that it is also possible to find this type of information in mainstream open-source sites and repositories. In this paper, we explain some of the main motivations that drive threat actors to perform reconnaissance on industrial networks. We then illustrate some of the tactics that have been used by threat actors to extract OT documentation from IT corporate networks. Finally, we present our findings from browsing popular sites looking for information that can be leveraged to learn about industrial control system (ICS) networks. Our paper includes examples from cybersecurity products, popular online retail stores, manual libraries, vendor websites, and coding and mobile application repositories.

 

 


Daniel Kapellmann

Daniel Kapellmann works as a senior cyber threat intelligence analyst in FireEye's cyber-physical team. As a former Fulbright scholar, he holds an information management Master's degree from the University of Washington, specialized in information security and risk management. His background is multidisciplinary, with past work experience that includes consulting for the International Telecommunication Union's Digital Inclusion Division, IT Planning & Architecture for Puget Sound Energy, and IT consulting for the Competitive Intelligence Unit in Mexico City. Among other achievements, he was awarded first place in Kaspersky Academy Talent Lab's 2017 competition for designing an application to address security beyond anti-virus, and received an honorary mention for designing the HomeAbroad application at Microsoft's Big Idea Design Challenge in 2016. In his free time, he works as a journalist, writing for organizations such as Bertelsmann Stiftung, Siemens Stiftung, OECD, LSE and Fair Observer.

@Kapellmann

