Blue Hexagon Blog

Deep Learning Threat Detection of recent ICS attacks

Blue Hexagon Threat Labs has seen an uptick in attacks over the last few months against the Oil and Gas sector and the latest US CISA confirms

Blue Hexagon discovered the Dustman Malware targeting the Bahrain Oil Company Bapco in January. In this attack, the initial infiltration occurred in July 2019, meaning the malware was present on the organization’s network months before the execution on December 29th.

Another recent report on ICS attacks against the Oil and Gas sectors includes the Ekans or Snake ransomware seen in late December that was used against Windows systems as well. In the report, Ekans has been identified as a variant of MegaCortex, which was originally discovered in January of 2019 and updated in June 2019 to exhibit the ability to kill critical ICS processes and references to ICS. The report has since been updated to include further examination of the process list and indicates significant continuity between the samples.

Another ICS attack that occurred in December, a Maritime Transportation Security Act regulated facility was shut down for more than 30 hours due to a malware attack. The US Coast Guard released a security bulletin identifying the malware as Ryuk ransomware and it was believed to have been delivered through a malicious phishing email. Once on the network, the malware was able to disrupt the entire corporate IT network as well as “industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations.”
https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_10_19.pdf

In response to a ransomware attack in February on a natural gas compression facility, US CISA issued an alert on February 18th raising further awareness of the threat to critical infrastructures. In this alert, US-Cert highlights that the victim did not have IT and OT network segmentation which allowed the attack to traverse the IT-OT boundary. Though there is no malware named, it is mentioned that this is commodity ransomware, potentially Ryuk which was identified by the US Coast Guard in the previous attack. This was also delivered through a malicious phishing link to obtain initial access to the network.

This trend of cyber threats to ICS and critical infrastructure is expected to increase in light of the political instability around the globe.

Countermeasures and Defense Strategy

Blue Hexagon’s Real-time Threat Prevention Platform leverages Deep Learning to detect and mitigate these threats and other ICS malware in a fraction of a second.

With no autonomous propagation mechanism, the malware relies on email, internet download or script to propagate further emphasizing the importance of proper security controls and effective segmentation policies between the information technology (IT) network and the operational network (OT).

Detection evolution analysis

On first analysis there are very few matches, these numbers get better overtime usually rounding out around one week after a sample is uploaded and analyzed. As seen below from Virustotal, the samples used in these attacks and more were detected by only 17 vendors, and at the time of first analysis, many were unsure of the classification of the sample.

Blue Hexagon’s Deep Learning powered threat protection solution has been proven in actual deployments to have accurate and fast coverage over these attacks. In fact, even the models that have been trained months before the introduction of these attacks are able to detect and block these attacks, highlighting the importance of using diverse and highly generalizable machine learning and deep learning models in cybersecurity. More information on deep learning-powered threat detection is available here https://bluehexagon.ai/

When first uploaded to Virustotal on December 26th, 17/70 vendors detected the Ekans sample from the Dragos report as malicious.

Snake

e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60

17/70 Detections on VirusTotal when first seen on December 26th

a5a7e6ddf99634a253a060adb1f0871a5a861624382e8ca6d086e54f03bed493

17/70 Detections on VirusTotal when first seen on January 13th

Megacortex

873aa376573288fcf56711b5689f9d2cf457b76bbc93d4e40ef9d7a27b7be466

16/70 detections on Virustotal when first seen on August 8th

Blue Hexagon Dashboard highlighting the detections of the malware used in these attacks.