In today’s interconnected world, it is a well-known fact that systems with Internet exposure are under continual threat of cyber-attacks. This risk extends from private websites to corporate infrastructure. With the increasing modernization of Industrial Control Systems (ICS), these vital components also become more exposed to such threats. But what is the extent and nature of attacks against industrial infrastructure? Do certain countries, such as Ukraine, face a disproportionately high number of attacks? In this exploration, we delve into these questions, using data collected from honeypots mimicking different ICS products in both Ukraine and Germany, to better understand the landscape of cyber intrusions in this specific field.
Industrial Control Systems (ICS) are crucial for monitoring and managing complex industrial processes and systems. They form a significant part of the broader Operational Technology (OT) family. These systems encompass various subgroups and components, including Programmable Logic Controllers (PLC), Supervisory Control and Data Acquisition (SCADA) systems, and Human-Machine Interfaces (HMI), among others.
In the evolving landscape of those systems, a class of devices has emerged that bridges traditional ICS components speaking industrial protocols and more modern technologies, for example Internet connectivity via cellular networks or HMI displays integrated into web interfaces. The integration of modern technology into traditional Industrial Control Systems (ICS) not only facilitates greater operational flexibility but also significantly increases the attack surface, particularly because of the capability for direct remote management over the Internet.
Often, attackers compromise the business network of an industrial company without directly impacting the Industrial Control System (ICS) infrastructure. A prime example of this is the incident at Colonial Pipeline, where the business systems were impacted by a ransomware attack. The attackers stole data and encrypted many internal business systems. As a precaution, the pipeline operations were temporarily halted to mitigate any risk to the operational network [1] [2]. To successfully interfere with an industrial process, attackers typically need a deep understanding of the underlying protocols, industrial processes, and sometimes ways to circumvent Safety Instrumented Systems (SIS).
Due to the scarcity of publicly available data, obtaining a comprehensive view of direct attacks on ICS infrastructure remains challenging. A short overview of some public records:
These examples show that ICS are attacked by a variety of threat actors, including advanced persistent threats (APTs), hacktivists, and even insiders.
While there are established honeypot solutions like Conpot or XPOT, their recognition among attackers might influence the results. Therefore, it was decided to manually recreate the web interface of existing products. It was hoped this approach would make the systems less recognizable as honeypots, at least on the first few interactions.
Given that manufacturers typically do not release source code for their systems, publicly reachable products were identified using shodan.io, an IoT search engine. Because a large number of example systems was available, four different products were chosen for partial recreation:
The static web content was copied from publicly available systems. For dynamic data, the API responses were studied and manually replicated. Functions that could alter the original system – such as information modifications, restarts, or firmware installations – were not tested or included in the replicas. Where assumptions about the behavior of these systems were necessary, generic error messages were implemented instead. All identifiable details, including company names, IP addresses, location data, and MAC addresses, were replaced with fictional counterparts, ensuring that the original systems remained unidentifiable.
When accessing these emulated systems, visitors are greeted by the login page of the respective product. In line with the product manuals, the default credentials are valid on three of the four products. Visible information within these systems was carefully adjusted to reflect country-specific details, like location information, cellular providers, time zones etc. Additionally, some advanced functionalities were emulated, such as a web-based Command Line Interface (CLI). This feature allows for operations like internal network enumeration with ping, including simulated responses from various internal IP addresses.
Each product was run on a dedicated Virtual Private Server (VPS) hosted by one of eight different cloud providers located in Ukraine or Germany. The systems were made accessible on their default ports, 80, 8080, and a non-standard HTTP port. Furthermore, additional infrastructure for monitoring and management was deployed.
During the study, all network traffic was recorded and later analyzed using the Intrusion Detection System Suricata. This analysis used approximately 600 custom-written rules along with around 6,500 existing rules to categorize and analyze HTTP requests. Additional classifications, such as the type of attack, the year of the related CVE (Common Vulnerabilities and Exposures) or exploit, were manually added, particularly for larger clusters.
A whitelist approach was adopted to categorize every request as malicious or non-malicious. The following criteria were used.
HTTP requests not classified as malicious:
HTTP requests classified as malicious:
Data was collected over a period of nearly three months, spanning from July 16, 2023, to October 14, 2023. During this time, the emulated ICS products recorded a total of 83’947 HTTP interactions, providing a large dataset for analysis.
Out of the total interactions, 46’930 were categorized as malicious, while 37’017 were identified as non-malicious requests. The systems located in Germany recorded a marginally higher number of malicious requests, totaling 24’842, compared to those in Ukraine, which registered 22’088 such requests.
In this experiment, the source country of each attack was determined from the source IP using the MaxMind GeoLite2 Country database. However, it is crucial to note that attributing cyber-attacks to specific countries based solely on source IP addresses is not reliable. Attackers often conceal their true location using methods like proxies, VPNs, or by hijacking systems in different countries.
The map below visualizes the number of malicious HTTP requests to the honeypots attributed to various countries by the source IP. It shows that the honeypots received malicious requests from around the world. The United States tops the list with over 10’000 requests, followed by Canada and Germany. 41% of the malicious requests originated from those three countries.
A notable detail is the disproportion between malicious requests targeting Ukraine and Germany, with certain countries like Canada, France, and Turkey showing a heavy bias toward German systems. In contrast, the Russian Federation, Finland, Poland, and Sweden have sent more malicious requests to Ukraine. The intensity of the color on the map reflects the target tendency, with darker colors indicating a higher tendency to target the honeypots situated in either Ukraine or Germany.
The bar chart below categorizes the top 20 countries by the number of malicious requests they have made to honeypot systems in Germany and Ukraine.
The vast majority of attacks were not specifically targeting the simulated ICS. Instead, most were the typical web-based attacks observed everywhere on the Internet. This is explained by the fact that all systems exposed online are subject to constant scanning, and automated exploit attempts are made against a wide range of products.
87.5% of the malicious requests (41’054) were categorized as forced browsing. These requests are part of reconnaissance activities, where attackers aim to discern product types, management portals, or directly access sensitive information. For instance, 8’049 requests tried to verify the presence of phpMyAdmin, a popular web-based database administration tool. Another significant portion of these requests targeted the /.env file, presumably linked to the Laravel PHP web framework, which could contain sensitive information or secrets.
4’007 malicious requests contained payloads leading to code execution, SQL injection, SSRF, XXE or authentication bypasses. At least 2’662 of those requests aimed to exploit specific vulnerabilities in specific products. The majority of the exploits allow the attacker to execute their own code on the underlying operating system. The targets varied across a large number of products, including:
For 2’700 requests, the payload age (based on the publishing date of the CVE or exploit code) was determined. The data shows a consistent pattern of attacks using vulnerabilities from previous years, not just the most recent ones.
Additionally, there were 1’573 requests attempting to log in to various products like WordPress, Artifactory, and Tenda routers.
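As an added example that is not code from the original study, the following Python snippet applies the whitelist approach described above to constructed request lines: anything on a known path is benign, anything else is forced browsing, and a few signatures pick out the request types reported on this page (the S7 portal probe, the id / cat /etc/passwd / wget payloads, form logins). The category names, the known-path whitelist and the regexes are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlparse

# Paths the emulated product itself serves (assumed; the page does not list the
# honeypots' real page set). Anything else is treated as forced browsing.
KNOWN_PATHS = {"/", "/login.html", "/checklogin.php", "/favicon.ico"}

# Signatures for request types discussed on the page: the S7 portal probe, the
# id / cat /etc/passwd / wget command-injection payloads and form logins.
# The regexes themselves are assumptions.
SIGNATURES = [
    ("ics_recon", re.compile(r"/Portal/Portal\.mwsl", re.I)),
    ("exploit", re.compile(r"[;|`]\s*(id|cat\s+/etc/passwd|wget)\b", re.I)),
    ("login_attempt", re.compile(r"username=[^&]*&password=", re.I)),
]

def classify(target, body=""):
    """Category of one request: signatures first, then the path whitelist."""
    decoded = unquote(target) + " " + unquote(body)
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return name
    return "benign" if urlparse(target).path in KNOWN_PATHS else "forced_browsing"

def summarize(requests):
    """Per-category counts and the total number of malicious requests."""
    counts = Counter(classify(*req) for req in requests)
    malicious = sum(n for name, n in counts.items() if name != "benign")
    return counts, malicious

# Constructed sample traffic as (request target, body) pairs.
SAMPLE = [
    ("/", ""),
    ("/login.html", ""),
    ("/phpmyadmin/index.php", ""),
    ("/.env", ""),
    ("/wp-login.php", ""),
    ("/Portal/Portal.mwsl", ""),
    ("/checklogin.php?action=1", "username=admin&password=password&Login=Login"),
    ("/cgi-bin/status.cgi?host=127.0.0.1;id", ""),
    ("/cgi-bin/status.cgi?host=127.0.0.1%3Bcat%20/etc/passwd", ""),
]

if __name__ == "__main__":
    counts, malicious = summarize(SAMPLE)
    print(counts, "malicious:", malicious)
```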
Reconnaissance activities targeting ICS were also evident. Across all eight systems, including those operating on non-standard HTTP ports, a total of 61 requests probed for the presence of a page associated with the Siemens SIMATIC S7 Controller:
```http
GET /Portal/Portal.mwsl HTTP/1.1
User-Agent: curl/7.54.0
Connection: close
Host: [Redacted]
```
The bulk of these requests originated from two IP addresses located in the UK, followed by a significant number from Germany. A smaller portion of the requests came from IP addresses in the Netherlands and Russia.
296 login attempts targeted two of the emulated products. Out of those, a staggering 295 were directed at the Industrial Cellular Gateway, while the remaining single attempt targeted the SCADA system. In 10 instances, the attackers successfully used the correct username and password combination. However, contrary to expectations, these successful logins did not lead to any further authenticated requests on the products. Despite originating from various IP addresses in Russia, Poland, and Turkey, the attacks used similar credentials and identical HTTP request parameters like User-Agent, Accept and Accept-Language. This uniformity suggests the attacks might have been conducted by the same attacker or by multiple attackers using the same toolkit. One of these login requests:
```http
POST /checklogin.php?action=1 HTTP/1.1
Origin: http://[Redacted]:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US
Cookie: PHPSESSID=ts41gvbiam5a9vkp6d5oq9lgft
Host: [Redacted]:8080
Content-Length: 44

username=admin&password=password&Login=Login
```
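As an added example that is not part of the original study, the Python snippet below clusters login attempts by the header combination the text uses to link them (User-Agent, Accept, Accept-Language), so that one client profile seen from several source IPs stands out as a shared actor or toolkit. The sample attempts are constructed: the header values mirror the request above, while the IPs, countries and credentials are fictional.

```python
import hashlib
from collections import defaultdict

# Header values copied from the login request shown on the page.
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36")
ACCEPT = ("text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,"
          "image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9")

# Constructed sample: (source ip, country, honeypot, user-agent, accept,
# accept-language, username, password). IPs are documentation ranges.
LOGIN_ATTEMPTS = [
    ("203.0.113.10", "RU", "UA", UA, ACCEPT, "en-US", "admin", "password"),
    ("198.51.100.7", "PL", "UA", UA, ACCEPT, "en-US", "admin", "admin"),
    ("192.0.2.44", "TR", "DE", UA, ACCEPT, "en-US", "admin", "password"),
    ("192.0.2.99", "US", "DE", "curl/7.54.0", "*/*", "", "root", "12345"),
]

def fingerprint(user_agent, accept, accept_language):
    """Short stable id for a client profile built from the three headers."""
    raw = "\n".join((user_agent, accept, accept_language)).encode()
    return hashlib.sha256(raw).hexdigest()[:12]

def cluster_by_toolkit(attempts):
    """Group attempts by header fingerprint and collect what each cluster did."""
    clusters = defaultdict(lambda: {"ips": set(), "countries": set(),
                                    "targets": set(), "credentials": set()})
    for ip, country, target, ua, accept, lang, user, password in attempts:
        cluster = clusters[fingerprint(ua, accept, lang)]
        cluster["ips"].add(ip)
        cluster["countries"].add(country)
        cluster["targets"].add(target)
        cluster["credentials"].add((user, password))
    return dict(clusters)

def shared_toolkits(attempts, min_ips=2):
    """Fingerprints seen from several IPs: one actor or one shared toolkit."""
    return {fp: c for fp, c in cluster_by_toolkit(attempts).items()
            if len(c["ips"]) >= min_ips}

if __name__ == "__main__":
    for fp, cluster in shared_toolkits(LOGIN_ATTEMPTS).items():
        print(fp, sorted(cluster["countries"]), sorted(cluster["targets"]),
              sorted(cluster["credentials"]))
```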
One product faced 84 attempts to exploit the vulnerability CVE-2023-1698. This vulnerability allows attackers to run commands on the operating system of the product. The attacks were geographically dispersed, with 43 HTTP requests targeting the system in Germany and 41 in Ukraine.
In 80 cases, the attacker issued a payload executing the command id, which reveals the user account the product's web process runs as. In two separate requests, the command cat /etc/passwd was used, aiming to access information about user accounts. In two other cases they tried to download a script from an external source using wget.
24 of the 29 attacking IP addresses sent malicious requests to the systems in both Germany and Ukraine:
Notably, this specific exploitation attempt was absent from the other six honeypots, each emulating a different ICS product, highlighting a targeted attack pattern on this particular vulnerability. This indicates that the attackers carried out reconnaissance to identify the product before launching attacks containing product-specific exploits.
An example of the activities conducted by one of the attacker IP addresses:
| Timestamp | System | Activity |
|---|---|---|
| 03.08.2023 02:53:02 | Honeypot DE | HTTP request to the web root |
| 03.08.2023 02:55:04 | Honeypot UA | HTTP request to the web root |
| 03.08.2023 02:57:05 | Honeypot DE | HTTP request containing the exploit |
| 03.08.2023 02:57:05 | Honeypot UA | HTTP request containing the exploit |
While constructing the SCADA honeypot, a misconfiguration in the original SCADA solution was identified. This flaw permitted unauthorized admin login access on the solution. Upon further examination, it was discovered that at least 20 water supply facilities using the same product were susceptible to this vulnerability.
This critical issue was immediately reported to both the manufacturer and the Computer Emergency Response Teams (CERT) of the affected country. The CERT classified the issue as high priority and took immediate action. This discovery, though incidental to the main research, underscores the pressing necessity for heightened security measures in this domain.
The data gathered from the honeypots does not provide any surprising new insights. This may be because the honeypots were easily recognizable as decoy systems, possibly because they were hosted on Virtual Private Servers (VPS). Deploying these systems over cellular networks in the respective countries could yield different results and potentially provide more covert and realistic scenarios. However, the analysis of the collected data confirms several points:
Based on this, we give the following recommendations:
Further recommendations regarding ICS security: