German iron plant hit by APT attack

A German federal agency has detailed in a new report how an Advanced Persistent Threat (APT) attack physically damaged an unnamed iron plant in the country.

German iron plant hit by APT attack
German iron plant hit by APT attack

In its 44-page ‘IT Security Situation 2014' report published on Wednesday, the Federal Office for Information Security (BSI) outlined the current information security threats and hacker methodologies, but  - most interestingly  - admitted that its critical infrastructure was targeted in one specified attack during the year.

On section 3.3.1 of the report,  BSI – which stands for Bundesamt für Sicherheit in der Informationstechnik – revealed that attackers used spear phishing and ‘ingenious' social engineering to get an initial foothold on the office network of an iron plant, at which point they were able to weave their way to the production networks.

[In a recent interview with SCMagazineUK.com, Sean Mason, VP of incident response at Resolution1, said that this was evidence of attackers following the kill chain, something he more succinctly referred to this as: “It's like going to the bar – you don't walk in a straight line.”

The report goes on to note that there was an accumulation of breakdowns of individual components of the control system or entire facilities – resulting in an incident where a furnace could not be shut down in a regular way. This caused ‘massive damage to the system'.

“The technical skills of the attackers can be described as very advanced,” reads the report.

“A variety of different internal systems were compromised and industrial components. The attackers had advanced know-how of not only conventional IT-security, but also detailed technical knowledge of the industrial control systems and production processes that were used in the plant.

The agency has not released the name of the company involved, nor specified when the attack happened, while the threat actor behind the attack is also unknown.

David Lacey, futurologist at IOACtive and former CISO at Royal Mail, added in an email to SCMagazineUK.com: “The process industry has always been reluctant to adopt expensive security measures. And there are numerous ways to damage a plant. In fact the bigger they are, the easier they are to blow up. You can generate massive surges in big plants and heavy equipment doesn't like to do things it wasn't designed to do. Rogue instructions can generate spectacular breaks.”

This news follows shortly after Bloomberg reported that an oil pipeline in Turkish energy plants had been hacked, causing it to explode, in an attack that pre-dated the discovery of the Stuxnet worm which infected Iranian centrifuges by two years.

Critical infrastructure is a constant worry as far as cyber-attacks are concerned – as noted at SC Magazine's recent APT roundtable – and analysts expected more state-sponsored efforts in this area in 2015.

“State-sponsored cyber-espionage and cyber-sabotage campaigns, like we saw with DragonFly and Turla  respectively in 2014, will continue to pose a risk to national and critical infrastructure and intellectual property in 2015,” said Orla Cox of Symantec Security Response.

Sign up to our newsletters