ICS attack classifications: The geopolitical impact of misclassification
One of the most important and overlooked parts of the cyber threat attribution process is identifying the threat actor’s objective. Threat researchers often look at the intended goal of an attack and the nature of the perpetrators to determine why an attack might have happened, but it’s complicated. However, across the industry, it’s common for standardized vocabulary to take precedence – but not without some misconceptions. Crucially, the lines between cyberwarfare, cyberterrorism, and hacktivism are increasingly becoming blurred.
The rise in Industrial Control Systems (ICS) attacks in recent times is a major concern considering the impact they are having on an international level. In such precarious circumstances a mislabeled attack can have huge effects on international relations. Getting a classification right is more important than ever, especially given that, in 2022, ransomware attacks on industrial organizations increased by 87%.
Cybersecurity and International Relations
In today’s digital world, the threat of a cyberattack is becoming more and more real for all businesses and industries. Earlier this year, a new survey revealed that nation-state attacks were at the forefront of cybersecurity concerns for many organizations, with 60% of respondents naming “foreign governments” as one of the largest threats in 2023 (up from 41% in 2021). This may be because of the growing geopolitical tensions surrounding Russia’s invasion of Ukraine, but more general political tension could also be a factor. Recently, for example, CISA (Cybersecurity and Infrastructure Security Agency) Director Jen Easterly made comments at the Aspen Institute Cyber Summit about China changing its targets from cyber espionage to more antagonistic attacks on critical infrastructure. Operators of critical infrastructure and ICS are well versed in the threat of nation-state attacks, as exemplified by statistics showing that between 2017-2020 10% of nation-state attacks were directed toward critical infrastructure. One thing is for certain, for organizations across the ICS space, the threat of nation-state attack looms large.
Devices that run digitally have become another attack surface for criminals, especially cybercriminals. It means that criminals can carry out large-scale damage without being on the ground. To circumvent international war policies, proxy wars have become more popular for countries than traditionally fought wars as they lack the legal consequences of international warfare. Proxy warfare allows countries to exercise and increase influence and/or power without taking part in action directly. By these parameters, it is easy to see why this idea is often applied to and carried out within the cyber sphere. Where academics might label such attacks as cyber proxies, across the cybersecurity industry, the activities of state-sponsored threat groups are often referred to as Advanced Persistent Threat (APT) groups. These groups are often funded by a nation-state (proving to be cost-effective) but it means that attribution becomes trickier.
An example of a cyber proxy in action is the attacks against Ukrainian critical infrastructure and ICS conducted by SaintBear a Russian APT group since the beginning of the war, which is thought to be at least partially state-sponsored. This group tends to target the energy and government sectors. In February 2022, a Ukrainian energy organization was targeted by the group, as part of a wider campaign. The attack was attributed to SaintBear by the Computer Emergency Response Team of Ukraine (CERT-UA). The group managed to infiltrate the software after a sophisticated spear phishing email campaign, with sent emails that purported to be from the National Police of Ukraine.
More generally, cyber proxies have been proven to be safer for diplomacy, more practical in capability/technicality terms, and less costly, which makes them appealing.Defining an Attack: Hacktivism, Cyberterrorism, Cyberwarfare
As previously stated, classification is hard, and mistakes can be troublesome when it comes to international relations. Thus, threat researchers and analysts often look at the intended goal of an attack and the nature of the perpetrators to identify the distinction between different events and classifications. The three biggest categories are hacktivism, cyberterrorism, and cyberwarfare.
- Hacktivism: Hacktivism (derived from ‘hacking’ and ‘activism’, an act that is marked by civil disobedience) is defined by an agenda. A group’s objectives, whether they be political, religious, or economic, are advanced through cyberattacks. Hacktivists are necessarily non-state agents. Hacktivists, ultimately, do not intend to cause harm, rather they aim for disruption.
- Cyberterrorism: Cyberterrorism is not unlike hacktivism, which makes labeling attacks tricky. They both, for example, are undertaken by non-state agents and they also have an agenda. What differentiates the two is the aim of the attack. With cyberterrorists, the act aims to cause disruption AND harm, or threat thereof. Cyberterrorists often target critical infrastructure because these sorts of attacks insight terror and put pressure on governments to heed demands to meet objectives.
- Cyberwarfare: Importantly, only states can wage war. As such, cyber warfare must involve two or more state agents. However, it is hard to determine if a threat actor is tied to a nation (hence the popularity of proxies).
ICS Systems: Why Are They So Vulnerable to Attack?
Critical infrastructure is usually defined as an organization that builds up national capabilities. There are many critical infrastructure targets for cybercriminals to exploit. According to the Presidential Policy Directive/PPD-21, in the United States, there are 16 sectors understood as critical infrastructure. They are commercial facilities, communications, defense industrial bases, chemical, dams, critical manufacturing, emergency services, financial services, energy, government facilities, healthcare, and public health, food and agriculture, information technology, nuclear reactors, materials and waste, transportation systems, water and wastewater. Such sectors are identified by examining national priority, which varies from nation to nation worldwide. On this list, eight out of 16 sectors use ICS management systems. But why is this so worrying?
The software element of ICS, the Supervisory Control and Data Acquisition Systems (SCADA), is a key target for cybercriminals because they’re prone to vulnerabilities. SCADA systems are mostly used by organizations to control processes across multiple industries. One of the most well-known SCADA/ICS attacks is the hack that targeted Siemens PLC controllers that were installed in Iran’s Natanz nuclear enrichment complex. Developed by the US National Security Agency, Stuxnet was unleashed in 2009. It entered the SCADA system through three zero-day vulnerabilities in the Microsoft Windows operating system and then wrote over the ladder logic of the uranium centrifuges’ PLCs. This meant that they could not accurately enrich uranium at the desired concentrations. More generally, attacks on SCADA devices can issue unauthorized commands.
However, SCADA systems have multiple stakeholders outside of just governments. State, local, tribal, and territorial (SLTT) and private entities are also implicated in defending against attacks targeting critical infrastructure. Cyberterrorists and cyber proxies will use all their technical capabilities and financial support to attack critical infrastructure, while we rely on private actors and SLTT to defend the nation’s most critical assets.
How Can Organizations Protect Themselves?
No matter how an attack is classified, there is an aim for an APT to spread a message, whether that be destruction, disruption, or terror. With nation-state attacks, becoming more popular against ICS and critical infrastructure, organizations must protect themselves adequately. The consequences of an attack on such important infrastructure are wide-ranging and could impact the public’s everyday lives. This is why threat intelligence is crucial for organizations to identify and stop threats before they become a problem. Equally, sharing intelligence can reduce the risk of APTs successfully carrying out attacks.
Furthermore, the power of threat intelligence can initiate targeted improvements to the infrastructure, especially when the data is being continuously updated with intuitive information about threat actors, campaigns, IOCs, attack patterns, tools, signatures, CVEs, and more. Having such rich data will reduce information overload and shorten incident response times, empowering your security team with powerful threat management insight that can be incorporated into the defense systems in place such as firewall configuration.
Moreover, having threat intelligence will speed up your organization's cybersecurity processes to effectively reduce the overall attack surface and defend against threats known in your sector before the attackers can strike.
Embracing the power of threat intelligence and having the knowledge to prevent cyberattacks before they occur is the proactive mindset organizations need to take to reduce the attack surface. Arm the security teams, threat responders, and analysts, with real-time insight to safeguard the security posture and the critical assets held within the perimeter.
About the author: Eren Cihangir is a cybersecurity expert at Outpost24 Group. He works as a Product Specialist and Technical Liaison, helping organizations to implement solutions to address a wide range of cybersecurity challenges. Building from over a decade of wide-ranging experience in software development, vulnerability management, penetration testing, and business intelligence, Eren seeks ways for clients to incorporate excellent strategies to protect their critical operations and data.