Cyber attack at Pulp Global

THE HUNT
A cyber attack in the process industry

QUICK FACTS
Company: Pulp Global Inc, a leading producer of various types of pulp products
Industry: Pulp and paper industry
Number of employees: 12 500
Motivation of the attacker: Extort money by disrupting production

CHARACTERS
Martin, CIO, Pulp Global: In charge of implementation of new systems, as well as integration and modernization projects.
Eric, control systems engineer, contractor: Works for Pulp Global’s third party integrator, who supports the mill modernization project. Responsible for the manufacturing execution system (MES).
Peter, new employee, Pulp Global: Wrote his thesis about a modernization project at Pulp Global during his Master’s studies in Automation Technology.
Number One, adversary: Works for an online-based organized crime syndicate. Motivated by the challenge, bragging rights and monetary rewards.
In manufacturing:
• 86% of cyber attacks are targeted
• 66% feature hacking, only 34% malware
• Almost half (47%) of breaches involve the theft of intellectual property to gain competitive advantage
• 53% of the attacks are carried out by state-affiliated actors, 35% by organized crime
Source: Verizon 2018 Data Breach Investigations Report
SETTING THE STAGE
Pulp Global Inc, a leading producer of various types of pulp products, was preparing to ramp up production after summer maintenance breaks at various plants. Martin, the CIO of Pulp Global, was proud of his team’s progress with the commissioning of new systems during the summer holidays.

The pressure of lowering costs and increasing market share

Pulp Global had been growing significantly over the past five years. They had acquired many smaller competitors, whose production facilities they merged into the Pulp Global lineup.

Despite the company’s growth, the picture wasn’t all rosy. Increasing competition, especially in maturing markets, and declining profitability in the pulp and paper market put tremendous pressure on the management team of Pulp Global. The global pulp and paper industry is a highly competitive arena where producers have to place themselves in the lowest possible cost position, while capturing and maintaining market share.

The fierce competition within the pulp industry was also the main driver for the information system overhaul. The management team demanded better, more timely visibility into global operations. The plan? Orchestrate production better while decreasing overhead. The ultimate goal? Continue to provide the high quality products Pulp Global was known for while keeping prices competitive.

As a part of an ongoing project, Martin had been extremely busy coordinating the rollout of a large information and production orchestration system. Once the rollout was complete, all of Pulp Global’s 25 mills would use the same performance reporting and mill manufacturing execution systems.

For the data to flow from all of the different legacy distributed control systems at the plants, Martin needed to increase the connectivity between the corporate and the production networks. He had to install various new systems to provide an integration between the new management systems and the old production systems.

This was anything but a straightforward task. Most of Pulp Global’s mills were acquired by purchasing smaller pulp producers. There were as many different ways of building a mill as there were mills. Only five of the mills were using the same template, systems and systems design: the ones built from the ground up by Pulp Global.

Martin looked forward to the sense of accomplishment that would come with finishing the project. He had no idea that life at Pulp Global was about to take a distressing turn.
CYBER RISK MANAGEMENT CHALLENGES IN THE PROCESS INDUSTRY
• The convergence of IT (information technology) and OT (operations technology) towards the use of COTS (commercial off-the-shelf) platforms
• Increasing interconnectivity
• Integration of legacy technologies
• Large number of different systems
• Pressure to get more data
The Segnen mill

One of the most challenging mills in Martin’s project was also Pulp Global’s largest mill. The Segnen mill was originally built by Davon International, which Pulp Global acquired in the early 1990s because of new pulp production technologies Davon was pioneering at the time.

The Segnen mill was located on a large industrial estate along the coast of the Baltic Sea. The mill had its own port for importing wood and exporting kraft pulp bales anywhere in the world.

Segnen had five separate distributed control systems, eight different SCADA systems, automation products from all of the largest vendors, three different mill information systems, and the list goes on. The complexity of the mill, the large number of systems and the requirements to increase connectivity and integrate legacy systems into modern orchestration systems presented a challenge, and sometimes a headache for Martin.

Segnen mill was undergoing a major overhaul. The mill needed modernization to meet the new group reporting requirements and increase efficiencies. Pulp Global had chosen an equipment supplier and a third party integrator to facilitate the modernization project. Pulp Global had shared very detailed plans and documentation of the project with the subcontractors.

Becoming a target

Pulp Global was also building a brand new pulp mill in the beautiful Samveng delta in Southeast Asia. Following the visibility in media, this 500 million dollar project also sparked the interest of Number One, the leader of an organized cyber crime group. The group had been performing highly sophisticated, targeted attacks against various companies around the world with the goal of extorting money, selling confidential information on the black market or causing reputational and financial damage.

When Pulp Global’s project popped up in the news repeatedly, Number One decided to seize the opportunity. They chose to investigate how cyber resilient the company was, and whether there was some money to be made.
PHASE 1 - RECON

Pulp and paper was a new industry for Number One. But it didn’t take long for the skilled group to get a grasp of Pulp Global’s operations. Number One liked to call this phase of research and reconnaissance the “get-familiar phase.”

Number One and the team began to gather as much information about Pulp Global as they could from various freely available sources, such as news articles and press releases. This included information about vendors and suppliers, maintenance contractors, personnel in key positions, and information about the IT and OT systems. Amongst the data and information they had collected, one mill constantly popped up: Segnen.

Number One decided to focus on the Segnen mill, due to the large quantity of available information. Their plan was to turn Segnen into their initial entry point.

A treasure trove of information

A few days into the reconnaissance phase, one of the crime group members came across a treasure trove of information within a 130Mb compressed zip folder. The folder contained floor plans of the mill, a list of automation equipment with their brand models and version numbers, a detailed list of new software to be installed, operating system versions, network layouts with IP addresses, Modbus tags and I/O listings, and even usernames and passwords for the reporting and integration servers.

Number One and the group had obtained the information via a public web service where anyone could upload files to check if they contain viruses or malware. A cyber security-aware control systems engineer, Eric, who worked for Pulp Global’s third party integrator, had received an email from Pulp Global’s project manager containing only the compressed zip file and a subject line stating “Important project documents.” Eric had thought it might be a good idea to check that the file didn’t contain any malware. He decided to upload the zip file into a reputable malware scanning service.

What Eric didn’t know was that all the files uploaded into the service were made available for malware researchers. And one of them had close ties with the underground crime community.

SUPPLY CHAIN ATTACKS
A supply chain attack targets an organization through a third party, a vendor or a partner. Also known as a value-chain or a third-party attack, it is designed to infiltrate a company’s systems through vulnerable elements in their partner network. The weakest link in your security chain may lie outside your organization.

Looking for available services and hosts

With the Segnen mill selected as target, Number One and the group sprang into action. They started to probe for services and hosts that were open and available via the internet.

To Number One’s annoyance, the internet attack surface of the mill was relatively small. Prior to the modernization, Segnen had few systems feeding data to the corporate systems hosted in Pulp Global’s headquarters.

However, the group did find a development version of Pulp Global’s internal email newsletter service. With thousands of employees, an internal employee email newsletter was the only reasonable way of conveying information. Pulp Global had set up their own newsletter service in the cloud. This made it easier for the internal communications team to access the system, while also lowering costs.

Username “admin” password “admin”

The email service also had a test environment where the service developers could test and deploy changes before applying them to the production version. To make the testing more realistic, the developers had written a script that would copy the database from the production system to the development system. The script would make sure they always had the most recent data with which to test their changes.

It being a test system, the developers had added an admin account titled “admin” with the password “admin.” This was the account Number One used to gain access to the service and siphon all the email addresses, names and titles of Pulp Global’s employees, as well as the templates used to send internal newsletters.

Selecting the employee to target

With the newly available information, Number One and the group began to build a better picture of the mill and its personnel. They came across Peter, a former thesis worker and now a proud employee of Pulp Global. Peter had finalized his Master’s degree in Automation Technology a few months prior and was immediately hired by Pulp Global.

After some further mapping of the personnel, Number One learned that Peter had written his thesis about the modernization project. Even more, he had included a very detailed description of how the pulping process in the mill worked. Number One thought Peter would be a great target for malicious emails: as a new employee, he was unlikely to know all the people working at the mill.

PROTECT YOUR CREDENTIALS
• 30% of CEOs have used their company email address to register for a service that was later breached, exposing their password and other details.
• 81% of CEOs have had their email address and other personal information exposed online in the form of spam lists or leaked marketing databases.
• In a password audit of a large, well-known organization we tested 6,000 passwords. Here is what we found: we successfully cracked 35%; 73% of the passwords were derived from the organization’s name (e.g. using pHiShd!, from “phished”); 80 passwords were derived from the word “password”.
Source: F-Secure 2017 Report: CEO Email Exposure: Passwords And Pwnage
PHASE 2 - INITIAL INTRUSION

After extensive information gathering, it was time for the initial intrusion. Number One decided that the best way to gain access deep within the network was to launch a targeted spearphishing campaign against key personnel. The group had all the necessary resources to perform this: they had gathered data from the email newsletter service, including the newsletter templates used by the company.

Crafting a spearphishing email

Through accessing the newsletter service, Number One had learned that Pulp Global had recently held a get-together to celebrate the successful maintenance breaks and reward the employees for the long hours they’d put in. He decided to craft a spearphishing email with the title “Employee Celebration Photos” using Pulp Global’s newsletter template.

The targets for the spearphishing campaign were strategically selected. One of them was Peter, the former thesis worker and new recruit for Pulp Global. Peter had been unable to attend the employee celebration, and he was interested in seeing what he had missed.

The email contained a zip folder with a custom built remote access trojan (RAT). Once executed, it would connect back to Number One’s command and control infrastructure and allow him to perform additional attacks. This way Number One would be able to extend his foothold within the network.

The phishing email appeared to come from a legitimate source. It was even using the company newsletter template, so Peter didn’t hesitate to open the email or the attachment. The attached file promptly infected Peter’s laptop with the remote access trojan.

It only took about an hour from sending the email to getting the initial foothold via Peter’s compromised computer.

SPEARPHISHING
Spearphishing emails appear to be from someone the target trusts. They are designed to trick the target into clicking on a malicious link and giving out sensitive information, such as passwords.

REMOTE ACCESS TROJAN
A malware program that utilizes a back-door to take administrative control over a target computer.

If you have a business to protect, you shouldn’t depend on the fact that people don’t open malicious emails. Emails are designed to be opened and read. Address the issue by educating your staff and having other controls in place.
PHASE 3 - EXTENDING THE FOOTHOLD

Number One was celebrating. With relative ease, the group had gained a permanent foothold deep within Pulp Global’s internal network. The attackers had also gotten lucky with their selection of Peter as a target. Although a new employee, Peter had wide access to both the internal corporate network as well as systems communicating directly to the production network.

For about two weeks, Number One and the team refrained from performing attacks or trying to extend their foothold. Instead, they passively monitored Peter’s laptop, logging keystrokes and capturing screenshots of the various systems Peter accessed as part of his day-to-day work.

One of the important systems Peter had access to was the project management and wiki service where all the production and ICS projects were stored, with related documentation and planning information. Number One managed to capture most of the credentials Peter was using to access the various systems, including the credentials for the project management system.

QUICK WINS OR PERSISTENT FOOTHOLD?
The continuous trade-off for an attacker is how, and how fast, do I want to move versus what are my chances of being detected, contained or stopped.
• Freedom of movement vs. losing access
• Being detected vs. being contained
• Getting to the target fast vs. a persistent access for further intelligence

Jackpot!

Peter had a habit of leaving his laptop turned on in the office when he left work for the day. This was very fortunate for Number One, as it allowed his criminal gang to utilize Peter’s computer outside office hours. They could probe the network, launch additional attacks and extend the foothold.

One of the first things Number One started to probe was the project management system and wiki. To his elation, it was a jackpot. The amount of information and the level of detail he found within the system was unprecedented in his experience.

Over the next couple of days Number One and the group downloaded every single network drawing, system and shop floor layout, project plan, equipment list, and asset inventory report they could find. Their exfiltration totaled tens of gigabytes of detailed information about Pulp Global’s projects and sites.

Staying undetected

While some of the hackers in Number One’s group combed through documents and details collected from the project management system, others were tasked with covertly extending their foothold within the network. In an effort to remain undetected for as long as possible, they made sure to use the same tools used by Pulp Global’s IT staff and system administrators to perform their day-to-day duties.

But they needn’t have worried – Pulp Global had no network level visibility and very limited host level visibility. The attackers could have run nearly any tools, no matter how noisy, without a significant risk of getting caught. The truth was, Pulp Global had no idea what was happening inside their networks.

Pulp Global’s internal network was a mishmash of various systems and hosts across three decades. This included everything from legacy applications and servers to brand new Windows systems.

Many of the systems were already past their end-of-life and were receiving no software updates, thus making it easy for the attackers to gain access and infect them with publicly available exploits.
A photo displaying critical information

While half of Number One’s team was busy infecting and extending the foothold, the other half had finished piecing together a thorough picture of Pulp Global’s operations and mills.

Number One discovered an interesting tidbit in one of the IT support staff member’s photos. There was a computer monitor in one corner of the image, with a Post-It note attached to it. The sticky note contained shared domain administrator credentials used by Pulp Global’s IT support staff.

“This can’t be true, there’s no way these credentials will work,” Number One thought out loud. After all, the photo had a time stamp from nearly five years ago. But of course, he had to try them. He entered the credentials into the login page. Incredibly, the system opened up.

The account was a shared one, meaning that it would be nearly impossible to track who was using it. This was perfect for Number One. Using the domain admin credentials, the whole network was now open to the crime group. Exploiting the hosts was as simple as logging in with the administrative account. The use of these credentials was so widespread within the corporate network that they also worked for Linux hosts, and even the routers and switches.

VISIBILITY
Detection and response solutions allow you to detect cyber attacks before criminals can access critical systems or files. Catching – and containing – a breach as early as possible will significantly lower the damage and the costs it can incur.

GET CONTEXTUAL VISIBILITY INTO IT ENVIRONMENT AND SECURITY STATUS
PHASE 4 - INFORMATION GATHERING AND PLANNING

With nearly unlimited access to the corporate network and information gathered from documents in the project management system, Number One located key users within Pulp Global. To access these users’ computers, the attackers installed the remote access trojan which allowed them to begin monitoring their activities.

One of these users was Eric, the control systems engineer who worked for the third party integrator. Eric was targeted because he was also responsible for the newly installed manufacturing execution system (MES) that was used to connect Pulp Global’s enterprise resource planning (ERP) system more tightly to production – the MES also automated the flow of data between ERP and production.

Access to corporate and production networks

From the network drawings and mappings of the network equipment, Number One had established that the MES system was the key link between the corporate and production ICS networks. He selected the MES system because of the wide access to both networks.

After accessing the MES server with the domain administrator credentials, Number One’s group had nearly unlimited access to the various production networks and systems. Each of Pulp Global’s mills had a separate ICS Active Directory managed by the local IT on site. The group focused on the Segnen site.

With access to the information collected from the project management system and wide access to the production networks, Number One’s group began to map the different systems and their software versions, as well as PLCs (programmable logic controllers) and DCS (distributed control system) equipment being used in the mill. They also tried to harvest more user credentials.
Harvesting user accounts

With some further recon, Number One established that the ICS production Active Directory was using a protocol called SMBv1. SMBv1 was a legacy protocol that made it possible for the attackers to query the directory for all of the user accounts and their account descriptions, as well as hosts present in the directory tree.

To make it easier for the mill personnel to log in to the hosts, the local IT administrators had written the account passwords in the account description fields. This would enable them to share the passwords with users who had forgotten them. In addition to standard users, this also included some of the personnel with domain administrator accounts. As with the corporate network, the doors were once again wide open for Number One’s group.
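The same directory query that handed the attackers the passwords written into account description fields is also how a defender finds them first. The following is an added example, not from the case study or from any Pulp Global system: a Python audit over directory records that flags descriptions which appear to hold a password and lists privileged accounts first; the records, account names, descriptions and the group DN are constructed sample data in the shape of an LDAP export.

```python
import re
from dataclasses import dataclass

# Keywords that typically precede a secret written into a free-text field,
# an optional ':' or '=' separator, then the value that follows.
KEYWORD_RE = re.compile(
    r"\b(pw|pwd|pass|passwd|password|pin)\b(\s*[:=])?\s*(\S+)", re.IGNORECASE
)
TOKEN_RE = re.compile(r"\S+")

# Constructed group DN standing in for the real privileged groups of a domain.
PRIVILEGED_GROUPS = {"CN=Domain Admins,CN=Users,DC=ics,DC=example"}

# Constructed sample records in the shape of an LDAP export (not real data).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "j.operator", "description": "Shift operator, line 3",
     "memberOf": []},
    {"sAMAccountName": "mill.svc", "description": "Service account, pass=Kraft#2017",
     "memberOf": []},
    {"sAMAccountName": "dc.admin",
     "description": "Shared domain admin, login with Pulp!Glob4l",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=ics,DC=example"]},
    {"sAMAccountName": "helpdesk", "description": "Password reset by helpdesk only",
     "memberOf": []},
    {"sAMAccountName": "vendor.contact",
     "description": "Contact: vendor.contact@example.com", "memberOf": []},
    {"sAMAccountName": "mes.integrator",
     "description": "MES integrator account, pw Integr8!Mes", "memberOf": []},
]


def looks_like_secret(token: str) -> bool:
    """True for a token that reads like a password rather than a word:
    8+ characters drawn from at least three of upper/lower/digit/symbol.
    Trailing sentence punctuation is ignored and e-mail addresses skipped."""
    token = token.rstrip(".,;:")
    if len(token) < 8 or "@" in token:
        return False
    classes = (
        any(c.islower() for c in token)
        + any(c.isupper() for c in token)
        + any(c.isdigit() for c in token)
        + any(not c.isalnum() for c in token)
    )
    return classes >= 3


@dataclass(frozen=True)
class Finding:
    account: str
    reason: str
    privileged: bool  # member of a group in PRIVILEGED_GROUPS


def audit_descriptions(accounts, privileged_groups=PRIVILEGED_GROUPS):
    """Return one Finding per account whose description appears to hold a
    password; privileged accounts come first so they are rotated first."""
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        desc = acct.get("description") or ""
        privileged = any(g in privileged_groups for g in acct.get("memberOf", []))
        reason = None
        for m in KEYWORD_RE.finditer(desc):
            # A keyword with an explicit separator is enough on its own; without
            # one, the value that follows must itself look like a secret, so
            # "Password reset by helpdesk" is not flagged.
            if m.group(2) or looks_like_secret(m.group(3)):
                reason = f"keyword '{m.group(1)}' followed by a value"
                break
        if reason is None:
            for tok in TOKEN_RE.findall(desc):
                if looks_like_secret(tok):
                    reason = f"high-complexity token '{tok}' in description"
                    break
        if reason:
            findings.append(Finding(name, reason, privileged))
    findings.sort(key=lambda f: (not f.privileged, f.account))
    return findings


if __name__ == "__main__":
    for f in audit_descriptions(SAMPLE_ACCOUNTS):
        flag = "PRIVILEGED" if f.privileged else "standard"
        print(f"{f.account:<16} {flag:<10} {f.reason}")
```

Every hit should be treated as an exposed credential and rotated, not just deleted from the field, since the description has been readable by any authenticated user for as long as it was there.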
Accessing the engineering workstations

Most of the production and ICS-related networks in the Segnen mill were on the same network. However, one network seemed to be separate from the others. This was comprised of the engineering workstations used to program the programmable logic controllers (PLCs) and safety instrumentation systems (SIS) used to control the plant’s operations.

The engineering workstations were a key target system. They contained the source code and development files for the PLCs and safety systems, the key pieces of information needed to tailor an effective attack against the control systems.

It took considerable effort from Number One’s group to locate the engineering workstations among the thousands of other hosts within the large production network. Eventually, the engineering workstations were found via an unlikely source, a regular operator station sitting in one of the control rooms.

The operator station had recently been upgraded with a second network interface to make it possible for automation engineers to access the engineering workstations while monitoring operations from the control room. This “dual-homed” control room host was Number One’s gateway to the network segment containing the engineering workstations.

This network segment didn’t have direct connectivity to the internet so the source code and project files were piped via multiple hops within the Segnen mill network, ultimately ending in the corporate network and then on to the command and control server of Number One.
PHASE 5 - ATTACK PREPARATION, TESTING AND VALIDATION

After about a month of collecting information and extending the foothold within Pulp Global’s networks, Number One had finally obtained enough information to begin preparing for the targeted attack on the industrial control systems at the Segnen mill.

The attackers began carefully studying the kraft pulping process and how it operated in the Segnen mill. In addition to generic resources, such as Google and various pulp industry trade publications, Number One used the detailed information in Peter’s thesis to plan the attack.

Social engineering to get insider information

Despite their painstaking research, the group was still lacking certain critical details they would need to carry out a successful attack. They needed to better understand the different parameters and how altering them would affect the overall process. It was clear they would need additional help – someone on the inside.

Number One began to approach some of the Segnen mill employees by email and phone with various social engineering techniques. Playing the part of a new employee at one of the mill’s main contractors, Number One asked detailed and specific questions that could only come from someone with both a thorough knowledge of the pulping process and access to confidential mill information. The mill employees suspected nothing. After all, who would have access to such information other than contractors and mill employees?

The attackers learned that due to the complexity of the pulping process and the natural fluctuations for various parameters and chemicals, any changes could take up to a week to show up in the finished product. This meant they could perform testing and validation of their attack on the live production systems with only a minor risk of getting caught. As long as the changed parameters had been carefully chosen, any problems in the process would likely be attributed to natural fluctuations.
Now armed with valuable information obtained from multiple employees, Number One had finally figured out the attack vector. If successful, his intricately-planned attack would cause long lasting reputational damage and financial loss. And just in case this attack should fail, he also formed a much more crude backup attack plan that would completely wipe out all PLCs, servers and hosts in the production environment.

Testing the attack

To develop and test the main attack plan, Number One needed to build a simulated environment representing the systems he planned to attack and modify. Using the original source code, project files and HMI graphics, the group set up a crude test bench for simulating and testing their attack payloads.

Number One and the crime group wrote and tested multiple configurations and ways of conducting the attack. They changed six different PLCs, a few safety logics, and created new views for HMI panels used by the operators to monitor the process.

In order to distribute the attack payload, the newly changed software would need to be downloaded onto the PLCs and safety controllers. This proved to be much easier said than done. Segnen was running a 24/7 operation which meant that the controllers couldn’t be taken offline or stopped for the code change. Performing this kind of operation would risk the attackers getting caught.

After intensive testing, the group learned that by changing just small parts of the code in specific code blocks and extending the existing variable in data blocks, the controllers wouldn’t need to be stopped. The new code could be downloaded onto the controller, and it would start running during the next execution cycle.

SOCIAL ENGINEERING
Social engineering means manipulating people into giving up confidential information. It is one of the most effective attack vectors because it exploits natural human behavior and our tendency to trust one another. It is often said that the human factor is the weakest link in cyber security.

Figure: THE INDUSTRIAL CONTROL SYSTEM CYBER KILL CHAIN STAGE 1 - IT
Figure: THE INDUSTRIAL CONTROL SYSTEM CYBER KILL CHAIN STAGE 2 - ICS
PHASE 6 - ICS ATTACK

To maximize the impact, and make it extremely hard for the Segnen mill workers to pinpoint the problem, Number One opted to attack multiple parts of the pulping process while using the normal fluctuations to hide the attack.

The plan: vary the temperatures used in the cooking process, offset the balance of chemicals and distort the readings of the quality control system at random intervals. The fluctuations in cooking temperature and distorting the quality control system readings would affect the quality of the end product, resulting in waste, quality problems and reputational damage. Offsetting the balance of the chemicals, especially the sulfidity, would result in larger sulfurous gas emissions. Pollution or fines from the environmental protection agency would, in turn, cause reputational damage.

Launching the attack

Three months after the initial breach of Pulp Global’s systems, Number One finally launched the carefully crafted attack.

First the PLCs were reprogrammed with new code that contained an additional payload used for varying the process parameters. The HMIs used by the plant operators were also updated with interfaces featuring values that were simulated directly within the code rather than coming from plant sensors. The quality control system parameters were changed so that instead of using static values, the parameters were taken from a text file that was updated by a hidden process running on the quality control system server.

The deployment went smoothly, except for the safety instrumentation system. Due to recent attacks against the safety controllers, Eric, the control systems engineer, had used a physical key attached to the safety controllers and put them into run only mode. This prohibited anyone making software changes without physically turning the key. Although Number One’s attack code was now running, the safety controllers might limit the changes made by the attack code.

Number One and the crime group went back to the drawing board to figure out a way to fool the safety controllers and prevent them from interrupting the parameter changes. The attack code was left running.
Random fluctuations
For the next week or so, Number One worked on revising
the code and devising ways to get around the safety
controllers. Meanwhile, the Segnen mill began to experience
strange problems with the quality of the pulp and arbitrary
fluctuations in the control system parameters. The control
systems engineers, including Eric, tried furiously to find the
cause of these random fluctuations.
It wasn’t long before one of the vendors called to aid them
in the hunt. The vendor had noticed that the quality control
system was running a hidden process that shouldn’t be there.
They had tried stopping the process and even restarting
the server, but the hidden process persisted. The vendor
representative copied the executable file from the host and
sent it back to their IT team for further analysis. The file was
also sent to a security company the vendor had worked with
in the past to analyze potentially malicious files.
A mill under cyber attack
The security company performed an analysis and notified the Segnen mill that the file obtained from the quality control system was a purpose-built attack tool. A thorough sweep of the production hosts should be performed, they urged, to see if any other implants were hidden in the network.
Eric swiftly contacted his boss, who in turn notified Martin, the CIO of Pulp Global, that they had discovered evidence of the mill being under some kind of an attack.
The Segnen mill had had problems with malware and viruses in the control system networks many times before, due to employees using their own laptops for conducting changes or contractors bringing new software on removable media. Thinking this must be another case of commodity malware, Martin instructed the mill to continue normal operations.
Eric investigates further
Eric didn’t give up easily. He decided to log on to some other hosts to see if anything else appeared to be amiss. And there was: he noticed a huge number of alerts caused by one of the safety controllers on a valve.
The control values were out of the allowed range. The safety system was overriding the valve control to make sure it wouldn’t enter an area of possibly damaging conditions. The earliest alerts dated back about a week, with a few going back as far as two weeks. Prior to that, there had been zero alerts throughout the entire five-year uptime of the safety controller.
“Something strange is going on,” Eric thought. He just didn’t know exactly what. He logged on to the engineering workstation used to program the safety controller, and began poring through the code used to control the specific part of the process. But as he was reviewing the original source code stored in the project files, he found nothing amiss. Leaving the development environment open, he exited the control systems lab, puzzled.
A few days later, Eric still hadn’t shaken the feeling that something was wrong. Systems that were normally reliable were now acting in a very sporadic manner, seemingly without any reason.
“We’ve been detected!”
Meanwhile, Number One had also logged on to the engineering workstation used to program the safety controllers. He saw the development environment open with the very same part of the code they’d been trying to circumvent for the better part of a week.
“Someone has spotted us. What do they know? How did they find us?” Number One asked in an emergency meeting with the rest of the crime group. He demanded to know why their operation had all of a sudden been noticed. What could the group still do to inflict maximum damage with the foothold they still had?
The crude backup plan
“Time to say bye-bye to the Segnen mill operations,” muttered Number One as he sent a command to all of the compromised hosts.
The hosts began running commands to wipe as many other hosts as possible, including downloading bogus blank software onto the controllers running the plant, restoring the switches and routers to factory default settings and formatting the hard drives of every possible host and server.
Within two hours, the Segnen mill was completely halted. The pulp cooking process had to be taken down using a manual override, a process that can take weeks to bring back running once stopped.
However, this was the least of Pulp Global’s worries. Almost all of the Windows hosts within the mill were wiped clean. Nearly 50 controllers, from two of their main vendors, suffered a similar fate. Only a few controllers from different providers remained unaffected.
The attack hits the news
The situation was worsening. The mill personnel, unable to perform any work, began to post social media pictures of blank control room displays. The Facebook posts were quickly noticed by reporters scouring social media for interesting topics.
Eventually the news of the breakdown at the Segnen mill reached CIO Martin – but it wasn’t via Pulp Global personnel. He was called by a reporter looking for a comment regarding the cyber attack that had wiped out everything at the Segnen mill.
PHASE 7 - AFTERMATH
After the call from the reporter, Martin contacted Segnen to find out what had
happened and how bad the situation was. But the mill was in such upheaval that it
was impossible to get anyone to stay on the phone for more than a minute.
Forensic team gets to work
Martin was overwhelmed. Pulp Global had no plans or procedures to guide him in dealing with a cyber incident. There were no established policies, processes or guidelines on recovery, and no internal or external communications plans. He was getting questions from the board, the corporate employees, the mill staff, his IT team and reporters – questions he couldn’t answer. With no experience in dealing with a cyber incident, the CIO was in over his head.
Martin knew he had to call in external help to handle the situation. He asked the vendors supplying the Segnen mill to send first responders on-site immediately. The hunt was on.
The cyber security company began to investigate the attack with help from the authorities and the local CERT. But due to devices and drives being wiped out at the Segnen mill, the forensic analysis was extremely difficult. Log files and other useful information were almost impossible to find.
The forensic analysts soon abandoned the Segnen mill, as it would take days to get anything useful out of the wiped hosts. Instead, they decided to turn their focus on other systems.
Law enforcement began investigating the mill because of the possibility of the attack being an insider job. The computer forensic analysts turned their attention to the corporate systems, as they were still fully operational. If the attack wasn’t conducted by an insider, the adversaries were likely coming in via the corporate network.
The extortion
Just when Martin thought things couldn’t get any more dire, he received a phone call from the CEO who had just received a threatening email.
“Segnen mill was only the beginning,” the email read. “If you don’t comply with our requests, this could get very expensive for you. Below you will find a cryptocurrency wallet address where you need to deposit 600,000 euros by the end of the day or we will start taking down your mills one by one until you don’t have any business left.”
There were still 11 hours before the end of the day. Pulp Global alerted the authorities and the local CERT, and enlisted a cyber security company to work on containing the attack. Meanwhile, the board of directors called an emergency meeting to decide what to do about the ransom.
The forensics team, with the help of Pulp Global’s network and infrastructure teams, began to isolate and segment the network. They aimed to limit the access of the adversaries while being careful not to draw attention to their efforts.
Ransom deadline is approaching
With just four hours to go until the ransom deadline, the forensics team found that the corporate Active Directory was completely taken over by the attackers. This meant they had nearly limitless possibilities to attack other targets within Pulp Global.
By the time the ransom deadline expired, the incident responders were confident that they had managed to contain the attack. They had been able to segregate the network, thus avoiding paying the ransom.
The return of Number One
An hour had passed after the ransom deadline and nothing
had happened. The forensics team were closely monitoring
any actions on the network. The Segnen mill staff were busy
recovering systems from any backups they could find.
Two hours after the deadline passed, the forensics team
noticed someone accessing the MES system server using
domain administrator credentials through a VPN. A quick
check confirmed it wasn’t anyone within Pulp Global. It was
the adversaries, returning to wreak havoc again.
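The “quick check” in the story, as an added example that is not part of the F-Secure case study: a small Python detection over constructed VPN session and Windows logon records that picks out domain-administrator logons to the MES server arriving from the VPN address range and reports whether the VPN user behind the source address can be tied to a known staff member. The VPN pool, account names, staff roster and host name are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed environment values (constructed for this example, not from the story).
VPN_POOL = ipaddress.ip_network("10.250.0.0/16")          # VPN client address range
DOMAIN_ADMINS = {"da-martin", "da-svc-backup"}             # privileged AD accounts
CURRENT_STAFF = {"martin", "eric", "peter", "da-martin"}   # names HR/AD confirm as staff
MES_SERVER = "MES-SRV01"                                   # the MES server's host name

@dataclass
class VpnSession:        # one row from the VPN concentrator's session table
    user: str
    client_ip: str

@dataclass
class LogonEvent:        # one successful logon on a Windows host (4624-style)
    host: str
    account: str
    source_ip: str

def privileged_vpn_logons(sessions, events):
    """Domain-admin logons to the MES server from the VPN pool, each with the
    result of the 'is this one of ours?' check: the VPN user behind the source
    address must exist and be on the staff roster."""
    vpn_user_by_ip = {s.client_ip: s.user for s in sessions}
    findings = []
    for ev in events:
        if ev.host != MES_SERVER or ev.account not in DOMAIN_ADMINS:
            continue                      # not privileged, or not the MES server
        if ipaddress.ip_address(ev.source_ip) not in VPN_POOL:
            continue                      # came from the LAN, out of scope here
        vpn_user = vpn_user_by_ip.get(ev.source_ip)
        if vpn_user is None:
            reason = "no VPN session for source IP"
        elif vpn_user not in CURRENT_STAFF:
            reason = "VPN user not in staff roster"
        else:
            reason = "known staff member"
        findings.append((ev.account, ev.source_ip, reason))
    return findings

# Constructed sample data: two VPN sessions and five logon events.
SESSIONS = [VpnSession("eric", "10.250.1.20"), VpnSession("da-svc-backup", "10.250.7.9")]
EVENTS = [
    LogonEvent("MES-SRV01", "eric", "10.250.1.20"),           # contractor, not privileged
    LogonEvent("MES-SRV01", "da-svc-backup", "10.250.7.9"),   # admin account, VPN user unknown
    LogonEvent("MES-SRV01", "da-martin", "10.250.3.4"),       # admin account, no VPN session
    LogonEvent("MES-SRV01", "da-martin", "10.10.5.5"),        # admin from LAN, out of scope
    LogonEvent("CORP-FS01", "da-martin", "10.250.3.4"),       # other host, out of scope
]
```

Running `privileged_vpn_logons(SESSIONS, EVENTS)` on the sample data returns the two logons that cannot be tied to staff; the LAN logon and the other host are left for other rules.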
The adversaries exposed
The forensics analysts logged each of the adversaries’
actions and every network packet they sent. They wanted
to find out what the attackers were after, how they were
accessing the systems and whether they had any ongoing
processes running.
Once in the system, the adversaries used a process running
with system privileges to send commands to hosts within
another mill’s production network. The forensics team
began to search for the same process running on other
possibly compromised hosts.
Bingo: the investigators found that the same remote access
trojan had been deployed to many other machines. Now
the responders knew what to look for. Even better, the
trojan kept an easily decryptable log file of all of the actions
performed. Some of the actions were automated, as the adversaries
likely wanted to keep the output of each command: if the host
lost internet connectivity, it could send the results at a later
stage.
Crisis communications
As the incident response and forensics investigations
continued, the CEO and board worked on a communications
plan towards employees, Pulp Global’s client base and the
media. Once the CEO had released the statement, Pulp
Global’s share price plummeted more than ten percent
within a single day.
The share price wasn’t the only problem. Unhappy customer
companies started to demand compensation from Pulp
Global due to the delays the Segnen mill outage would
cause, some going as far as threatening legal action. The
local authorities initiated their own investigations into the
environmental, safety and health hazards possibly caused by
the abrupt stop of mill operations.
Recovery
Once the attack was successfully contained, it took Pulp
Global nearly three months to recover all operations and to
search for and eradicate all backdoors from multiple hosts.
All told, the attack ended up costing Pulp Global a significant
percentage of their yearly revenue. Although the direct
costs of the forensics, equipment and labor were in the
millions, the biggest costs were the ones that aren’t so easily
measured: the loss of customer and investor confidence.
It took nearly a year to regain the confidence of customers
and investors, and deal with the authorities regarding the
safety and health hazards.
TIMELINE OF PULP GLOBAL’S CYBER ATTACK (timeline graphic with DEFENDER and ATTACKER tracks; not reproduced in the text)
ABOUT F-SECURE
Nobody knows cyber security like F-Secure. For three decades, F-Secure
has driven innovations in cyber security, defending tens of thousands of
companies and millions of people. With unsurpassed experience in endpoint
protection as well as detection and response, F-Secure shields enterprises and
consumers against everything from advanced cyber attacks and data breaches
to widespread ransomware infections. F-Secure’s sophisticated technology
combines the power of machine learning with the human expertise of its world-renowned security labs for a singular approach called Live Security.
F-Secure’s security experts have participated in more European cyber crime
scene investigations than any other company in the market, and its products
are sold all over the world by over 200 broadband and mobile operators and
thousands of resellers.
Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.
www.f-secure.com