Even after a successful attack, it is very rare in the cyber world to get a clear answer as to the identity of an attacker. Only in exceptional cases, such as towards the end of last year after the cyberattack on Rockstar Games and the release of gameplay content for GTA 6, has the main perpetrator been identified and convicted. In most other cases, the questions about the full motives, the actual attacker identities and the underlying organizational structures almost always remain unanswered.

With regard to cyberattacks against public infrastructure and industrial companies, it can be assumed that the attackers are organized cybercriminals and state services - in some cases, the two even occur together: for example, state services that entrust criminal groups with operational tasks. In other words, the attackers are often highly trained professionals with extensive resources, as in many cases it is almost certain that major military powers are behind such attacks.

Highly professional attack methods

The really dangerous cyberattacks on (I)OT systems usually take place in several stages and are very well prepared. Different sequences of coordinated individual steps are used. Based on military procedures, this is even referred to as a "kill chain". This refers to a sequence of actions for reconnaissance and target identification, deployment of armed forces and execution of the attack until the target is destroyed. For cyber attacks, i.e. an "intrusion kill chain", this description is certainly somewhat exaggerated. With regard to the individual steps of execution, the comparison with individual special operations by state actors is probably more accurate - see, for example, the attack on the Nord Stream pipelines and the necessary reconnaissance, preparation, execution and trace avoidance.

In any case, various attack vectors must always be assumed when protecting against attacks and the possibility of reconnaissance in advance must be given very high priority - once the attacker has penetrated the network and is looking for target systems there, considerable damage has already been done in any case. See also the MITRE ATT&CK-ICS matrix with the matrix-shaped overview of the technology, tactics and procedures of potential attackers in the December issue of Computer&Automation on page 19. In most cases, we are dealing with an Advanced Persistent Threat (APT). According to the German Federal Office for Information Security, we speak of an APT when a well-trained, typically state-controlled, attacker attacks a network or system in a very targeted manner over a longer period of time for the purpose of espionage or sabotage, possibly moving and/or spreading within it and thus collecting information or carrying out manipulations.

The Cyber Kill Chain

During the reconnaissance phase, an employee in the organization was identified who, due to his position, should have access rights to the OT network. This computer initially serves as a backdoor for further reconnaissance and attack activities in order to install permanent remote access in the target environment, which can be used for various attack activities.

© SSV

Lockheed Martin in the USA is a company that, presumably due to its products, is particularly frequently involved in defending against cyber attacks. For this reason, the company has developed a framework known as the "Cyber Kill Chain". This is a seven-stage model for analyzing APT cyber attacks, which is very well suited to developing individual countermeasures. The Lockheed Martin methodology is based on the following individual steps:

• Reconnaissance: The attacker selects a target that matches the attack plans, examines it as comprehensively as necessary and simultaneously attempts to identify potential vulnerabilities. This creates a target profile that incorporates all available information that could be helpful for the attack. Social media is also used in this phase, for example to find out who within an organization might have access to the OT network.
• Weaponization: An attack strategy appropriate to the target is determined and the technical details of the planned compromise are developed. The tools required for this - in this case the cyber attack weapons - are selected and prepared. This could include, for example, a special fake email for spear phishing a selected target person, which is created with the help of suitable LLM AI tools such as WormGPT or FraudGPT. The design of a fake website to which the attack victim is to be lured in order to install malware on their own computer also takes place at this attack level.
• Delivery: The prepared cyber weapons are deployed and the actual attack is launched. In this attack phase, for example, the previously created spear phishing email is sent or a compromised USB stick is sent to a person. Now the attacker first waits to see whether the target carries out the desired action, for example clicking on the link to the fake website. The delivery phase may have to be repeated several times in the same or a modified form.
• Exploitation : As a rule, this attack step involves installing malware on a computer in order to gain access for further attack activities. If this works, the attacker has reached an important milestone. If necessary, the attacked workstation is examined more closely. The malware may already carry out initial reconnaissance steps in the target network and provide the attacker with information that can be helpful in coordinating further steps.
• Installation (installation): The malware is permanently installed and hidden on a computer system within the IT network. From the attacker's point of view, it must be ensured that the malware in question is persisted and is also available again after a system restart. There is now something like a digital beachhead, which the attacker can exploit at any time as a backdoor for further activities and which should remain undetected for as long as possible.
• Remote control of the target system (Command and Control, C&C or C2): The attacker could now use the malware backdoor to carry out comprehensive OT network penetration, for example, and use host and port discovery plus sniffing to find out which systems and services exist there. In the event of weak OT/IT network segmentation, the attacker now has extensive options for achieving their final attack targets. With a security-oriented connection process and the use of a data diode, there should be no possibility of access in the OT direction at all.
• Targeted actions (Actions on Objective): If the intruder finds a PC-based system controller with a widespread and therefore known IEC 61131 runtime environment in the OT network, he could, for example, import a manipulated firmware into the controller through corresponding C&C activities and attempt to threaten a production outage and extort a ransom.

Possible defensive measures

The author: Klaus-Dieter Walter is a member of the management board at SSV Software Systems.

© SSV Software

The actual attack surface for various threat vectors of an APT is often much larger than assumed. In practice, too little importance is attached to the first three attack stages of the framework described above. After all, countless ransomware attacks have also started with someone in the target environment who has carelessly clicked on a link or taken some other ill-considered action. OT/IT network managers should assume that targeted attacks on an organization's production IT will start similarly. They should therefore ensure that anomalies in daily data traffic are automatically detected.