Hack The Port
Hack The Port 2022 was a competition sponsored by U.S. Cyber Command, the NSA, and the Maryland Innovation & Security Institute (MISI) that simulated a real-world attempt to compromise the security of a functional maritime port in the United States. The competition took place in Florida in March 2022.
The competition organizers invited “red teams” to try to Hack The Port, that is, to seriously compromise the security of the technological infrastructure of the port, and “blue teams” to act as defenders. The competition included six scenarios, encompassing all aspects and possible risks of a real-world industrial port.
The red teams were allowed to use any means that real-world threat actors would employ in their attempt to breach the networks, including phishing, Metasploit, DDoS attacks and others. The blue teams' task was to detect the attacks and to stop the attackers in their tracks.
This whitepaper outlines the findings and results of the exercise and details how SCADAfence successfully defended the port against the attacks.
Executive Summary
The SCADAfence Platform outperformed its rivals in the Hack The Port competition by successfully detecting and preventing the highest number of attacks against the fictional port, while producing the fewest false positives.
The SCADAfence Platform caught red teams as they employed a variety of techniques in their attempts to compromise critical systems, including DCSync, Log4J, self-signed Metasploit certificates, downloading Mimikatz, RDP attacks, and compromising domain controllers.
In the real world, attacks such as these, if left undetected, could shut down a port, cause major damage to equipment and outages of critical systems, and even result in physical injury.
The first step in detecting and preventing the threat actors from attacking the port was to get the SCADAfence Platform up and running, securing the port networks.
Before the Hack The Port event began, the SCADAfence team sent the installation package to the event organizers. The organizers were able to install the SCADAfence Platform seamlessly on their own, and it worked straight out of the box. No additional configuration or support from the SCADAfence team was needed.
Whether installing the SCADAfence Platform in a giga factory or in a smaller network such as in Hack The Port, the SCADAfence Platform only takes 10 minutes to install. After 10 minutes, the SCADAfence Platform was up and running and protecting the port.
The Gantry Crane
An industrial port’s gantry crane is a large overhead crane that sits astride the port and is used for loading and unloading containers on ships, and for installing engines and other heavy equipment used in ship building and repair. The cranes are controlled and operated via a computer with specialized software. This attack scenario invited red team participants to attempt a breach of the crane’s control system and gain enough access to allow them to disrupt the crane’s movement and to lower a ship’s engine directly into the ocean.
The Water Filtration System
The water filtration system at a major port is responsible for providing clean water to shipboard personnel and to the entire port. The goal of this challenge was to sabotage the water filtration system by accessing the devices that control the machinery and tricking them into adding an incorrect ratio of additives to the water. A key part of this challenge was to prevent the system’s detectors from discovering the changes.
The Ship Board Network
This scenario challenged red teams to access the bridge control systems of the actual vessels as they attempted to dock at the port and shut down the ship’s propellers, thereby halting the ship and in effect, causing gridlock at the port.
The Ballast Control
This challenge also required accessing a ship’s bridge control systems. In this scenario, red teams attempted to gain access to the ship’s ballast control system and cause the HMIs to incorrectly indicate that the system is pumping water even though it is not.
The Surveillance System
Like any major industrial facility, Hack The Port’s organizers included a surveillance system in their port, consisting of cameras which record digital footage to be saved for later review when needed. Red teams were challenged to shut down this network and to make sure no data was preserved that might implicate the threat actors later.
The Access Control System
Secure ID cards issued to each worker at a port are a critical aspect of maritime security. Ensuring that each person has exactly the right level of access to restricted areas helps keep the area secure. This challenge required red teams to gain access to the gate control systems and card readers and to allow unauthorized entry into the port.
Scanning the Network
As expected, the red teams began each scenario with reconnaissance of the network.¹ This begins with a scan to gather the following information: an inventory of devices attached to the network, the services running on those devices, device types, IP addresses, open ports, manufacturer names, and the OS software the devices were running. They then used this information to correlate those devices with known vulnerabilities, and continued looking for anything else they could find in order to gain further network access.
Real World Impact:
A Metasploit self-signed certificate can be used by an attacker to hide their actions and tools while transferring data to and from the host machine.
Reconnaissance is the first step of the kill-chain:
- https://collaborate.mitre.org/attackics/index.php/Discovery
- https://attack.mitre.org/tactics/TA0043/
- https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Metasploit Certificate Usage
During a routine scan, one of the first things the SCADAfence Platform detected was a self-signed Metasploit certificate: a certificate signed by the Metasploit Framework itself, rather than by a trusted certificate authority such as DigiCert or GoDaddy. This indicates unauthorized or malicious activity being sent through the network. Specifically, it was issued by a router with the IP address 10.88.0.252 (NAT).
Real World Impact:
A Metasploit certificate, even if it is self-signed, can be used to gain the trust of the host machine. If left unflagged, threat actors can then penetrate deeper into the network.
Attempted Attack Via RDP (Remote Desktop Protocol)
The SCADAfence Platform detected that attackers tried over 4,700 times to establish a connection with the FLOW-HMI machine. They were eventually able to create a successful RDP session. Several other successful RDP sessions on 10.88.5.29 from known malicious actors (10.88.0.252, 10.88.0.106) that happened on the same day were not preceded by targeted scans or brute-force login attempts, and were therefore not reported.
Real World Impact:
Threat actors who successfully start an RDP Session have full control over the host machine and can steal other genuine login credentials, passwords, and other sensitive information and launch ransomware attacks. Accessing an HMI in this way is particularly dangerous as remote operators can use their access to cause physical damage.
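The detection logic described above, as an added example that is not SCADAfence Platform code: it runs over constructed RDP connection records, raises a brute-force alert when a source accumulates repeated failed logins against one host, and also reports any later successful session from a source that already tripped that rule, so a clean-looking session from a known-bad source on another host is still surfaced. The threshold, window, timestamps and the 10.88.5.30 host are assumptions; the 10.88.x addresses come from the text.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_PORT = 3389
FAIL_THRESHOLD = 5            # failed logins per window before alerting (assumed value)
WINDOW = timedelta(minutes=1)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def _prune(q, now, window):
    while q and now - q[0] > window:   # drop failures that fell out of the window
        q.popleft()

def detect_rdp_abuse(records, threshold=FAIL_THRESHOLD, window=WINDOW):
    """records: (timestamp, src_ip, dst_ip, dst_port, 'fail'|'success').
    Rule 1: alert when one source accumulates `threshold` failed RDP logins
            against one host inside `window` (brute force).
    Rule 2: report every successful RDP session that follows failures on the
            same host, OR comes from a source already flagged by rule 1, so a
            clean-looking session from a known-bad source is not silently missed."""
    failures = defaultdict(deque)   # (src, dst) -> timestamps of failed logins
    flagged = set()                 # sources that tripped rule 1
    alerts = []
    for ts, src, dst, port, outcome in sorted(records):
        if port != RDP_PORT:
            continue
        q = failures[(src, dst)]
        _prune(q, ts, window)
        if outcome == "fail":
            q.append(ts)
            if len(q) == threshold:          # fires once as the threshold is crossed
                alerts.append(f"brute-force: {src} -> {dst}, {threshold} failures within {window}")
                flagged.add(src)
        elif outcome == "success":
            if q:
                alerts.append(f"rdp-session: {src} -> {dst} succeeded after failed logins")
            elif src in flagged:
                alerts.append(f"rdp-session: {src} -> {dst} from flagged source, no prior attempts here")
    return alerts

# Constructed sample (not SCADAfence data): 10.88.5.29 stands in for FLOW-HMI.
RECORDS = [(_ts(f"2022-03-15 10:00:{i:02d}"), "10.88.0.252", "10.88.5.29", 3389, "fail")
           for i in range(6)] + [
    (_ts("2022-03-15 10:00:10"), "10.88.0.252", "10.88.5.29", 3389, "success"),
    (_ts("2022-03-15 10:05:00"), "10.88.0.106", "10.88.5.29", 3389, "success"),  # no prior attempts
    (_ts("2022-03-15 10:07:00"), "10.88.0.252", "10.88.5.30", 3389, "success"),  # flagged source elsewhere
]

if __name__ == "__main__":
    for a in detect_rdp_abuse(RECORDS):
        print(a)
```

The 10.88.0.106 session produces no alert, which is exactly the gap the text describes; only the source watchlist in rule 2 catches the equivalent session from 10.88.0.252.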
Starting and Stopping a PLC
One of the most significant attacks the SCADAfence Platform was able to detect was actual start/stop commands sent to a PLC. After gaining access to the PLC, the threat actors continued their attack on the compromised device by sending commands to change the device’s operating mode.
Real World Impact:
PLCs are used to control or automate physical equipment. With this level of access, threat actors can issue commands to the PLC to carry out physical attacks such as shutting down a power grid, damaging machinery, or compromising a water supply, all with potentially lethal consequences.
Downloading Mimikatz on a Compromised Domain Controller
One important way threat actors launch significant attacks is by first gaining a foothold in a network, then using that entry point to penetrate further into the network where they can work undetected. The SCADAfence Platform detected one of the most significant attacks of the Hack The Port event using this technique. The red team's initial breach was a successful brute-force attack, which they used as a launching point; then, using compromised SSH access, they continued through an intermediary device to reach a domain controller. From that point, the attackers attempted to download Mimikatz onto the compromised domain controller in order to steal passwords (hashes) and other sensitive information. The SCADAfence Platform was able to detect the download.
Real World Impact:
Threat actors use the data extracted with Mimikatz to traverse deeper into the network and compromise additional devices.
Connecting to the TIA Portal
Among the most important devices that control the workings of an industrial port (or any other computer-controlled manufacturing or production environment) are the HMIs and operator / engineering stations. Gaining access to these, and to the PLCs they control, is among the top prizes for a threat actor. During the Hack The Port event, the SCADAfence Platform detected an external connection to port 8888. Port 8888 is used by the integrated configuration web application of Siemens TIA Administrator (TIA Portal). This indicated that the threat actors were attempting to gain access to the PLC. Again, the two-way communication detected by the Platform indicated that they had successfully established this connection and that the PLC was compromised.
DCSync Attack
Hack The Port included a number of Raspberry Pi devices with notable vulnerabilities. Most red teams were able to gain a foothold in the Raspberry Pi network and use it as a jump point to gain deeper access into the network through one or more intermediary devices. In this case, the Raspberry Pi network was compromised in order to launch a DCSync attack against a domain controller. The attacker first compromised the Raspberry Pi and used it as a jump point to access an HMI via SSH, before finally attacking the domain controller. The attackers then used their control to extract information from the domain controller over the SMB protocol.
Real World Impact:
A DCSync attack is a late-stage attack carried out by threat actors who have already penetrated a network. It is used to gain admin control of Active Directory. Once they have it, they can replicate damaging modifications to every domain controller.
Log4J Strikes Back
A major vulnerability was identified in the open-source logging library Apache Log4J at the end of 2021. SCADAfence added support for the Log4J vulnerability immediately after it was discovered. At Hack The Port, the red team used this known vulnerability to stage an attack, hoping that it wouldn't be discovered. The target of this attack was an IO-Link ENIP adapter, AL1970. The SCADAfence Platform immediately detected the attempt to use the Log4J vulnerability to execute code remotely on the device.
Real World Impact:
The Log4J vulnerability allows threat actors to take full control of a device and run malicious code, launch malware attacks, and fully infiltrate the network.
Value Analysis Changes from A Compromised Domain Controller
One of the most vital features of the SCADAfence Platform, the Value Level feature, goes beyond basic OT command-level detection and retrieves the actual OT variable values that were sent to the PLC. During the Hack The Port event, the SCADAfence Platform detected value-level changes that originated from a compromised domain controller. Unexpected changes in values indicate a breach, and in a real-world scenario can indicate a major attack. In this case, the attacker changed values in the PLC via the Modbus protocol to a significantly higher value in order to disrupt both the PLC and the connected machinery and sensors. The attacker’s intent was to cause damage by having harmful additives dumped into the water supply.
Real World Impact:
If this had been a real incident, this alert would indicate that threat actors had succeeded in breaching security controls and caused major disruption. The SCADAfence Platform's Value Level change alerts prove that damage has been done, even if the HMI has also been compromised to camouflage it.
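As an added illustration of the kind of check value-level detection performs (this is not SCADAfence Platform code), the following parses Modbus/TCP holding-register writes (function codes 6 and 16) and compares each written value against a baseline for that register, alerting on large deviations or on writes to registers the baseline does not know. The register map, baseline values, unit id and source addresses are constructed assumptions; 10.88.0.252 stands in for the compromised domain controller.

```python
import struct

WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

def mbap(tid, unit, pdu):  # MBAP header: length counts the unit id plus the PDU
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def build_write_single(tid, unit, reg, val):
    return mbap(tid, unit, struct.pack(">BHH", WRITE_SINGLE_REGISTER, reg, val))

def build_write_multiple(tid, unit, start, vals):
    pdu = struct.pack(">BHHB", WRITE_MULTIPLE_REGISTERS, start, len(vals), 2 * len(vals))
    return mbap(tid, unit, pdu + struct.pack(f">{len(vals)}H", *vals))

def parse_modbus_writes(frame):
    """Return (unit, register, value) for each holding-register write in one ADU."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or len(frame) != 6 + length:
        raise ValueError("malformed MBAP header")
    pdu = frame[7:]
    if pdu[0] == WRITE_SINGLE_REGISTER:
        reg, val = struct.unpack(">HH", pdu[1:5])
        return [(unit, reg, val)]
    if pdu[0] == WRITE_MULTIPLE_REGISTERS:
        start, count, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * count or len(pdu) != 6 + nbytes:
            raise ValueError("byte count does not match register count")
        vals = struct.unpack(f">{count}H", pdu[6:])
        return [(unit, start + i, v) for i, v in enumerate(vals)]
    return []   # reads and other function codes carry no written values

def value_level_alerts(frames, baseline, tolerance=0.25):
    """Flag writes that leave the baseline by more than `tolerance` (a fraction)
    or that touch a register with no baseline at all."""
    alerts = []
    for src, frame in frames:
        for unit, reg, val in parse_modbus_writes(frame):
            expected = baseline.get((unit, reg))
            if expected is None:
                alerts.append(f"{src}: write to unmapped register {reg} on unit {unit}")
            elif abs(val - expected) > tolerance * expected:
                alerts.append(f"{src}: register {reg} set to {val}, baseline {expected}")
    return alerts

# Constructed baseline and traffic: unit 1 registers 0 and 1 hold two additive setpoints.
BASELINE = {(1, 0): 120, (1, 1): 35}
FRAMES = [
    ("10.88.0.10", build_write_single(1, 1, 0, 118)),           # operator, within tolerance
    ("10.88.0.252", build_write_single(2, 1, 0, 900)),          # far above baseline
    ("10.88.0.252", build_write_multiple(3, 1, 1, [35, 500])),  # second value hits unmapped register 2
]
```

Running `value_level_alerts(FRAMES, BASELINE)` yields two alerts, both from 10.88.0.252; the operator's in-tolerance write produces none, which is the behaviour that keeps this kind of check from flooding an operator with false positives.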
Detecting All New Red Team Scenarios
As one red team finished working on an attack scenario, another red team took its turn. The SCADAfence Platform was able to detect the change because new IP addresses appeared on the network. The same IP address being used by a new device potentially indicated that the device previously using that IP had left the scene and a new device had entered, taking the same IP and thus triggering a corresponding event.
The SCADAfence Platform succeeded in detecting the widest variety of attempted red team attacks against the fictional port. From untrusted X.509 certificates and DCSync attacks to unauthorized PLC start/stop commands and others, the SCADAfence Platform generated alerts on breaches of the network without a large number of distracting false positives.
The SCADAfence blue team provided the most comprehensive reporting details in the entire blue team channel, with the fewest false positives.
In real world scenarios, the SCADAfence Platform’s ability to detect cyber security breaches and generate accurate alerts would have protected the port from experiencing a major security incident, as it does today with many industrial ports around the world. This case study is a perfect example.