industry unlocked
non-commodity skills, techniques
and a pre-built playbook for pivoting
from an IT environment towards an OT
environment,” Barak said.
For sale: Access to a power transmission substation's IT and OT environments

The honeypot environment went live on July 17. In addition to the IT and OT environments, there was an HMI (human machine interface), protected by a firewall, connecting the two and allowing people in the IT environment to control the OT systems.
The honeypot contained bait to entice attackers, including three Internet-facing servers (SharePoint, SQL and domain controller) with remote access services like RDP and SSH and weak passwords. Nothing was done to promote the servers to attackers.

There were no posts to Pastebin or black-market forums about the servers. However, the servers' DNS names were registered, and the environment's internal identifiers were names that resembled the name of a major, well-known electricity provider that serves both residential and business customers in the United States and United Kingdom.

Two days after the honeypot was launched, Cybereason researchers determined that a black-market seller had discovered it, based on a toolset that had been installed in the environment. The tool – xDedic RDP Patch – is commonly found on assets that are being sold on the xDedic black market.

Under new ownership

The honeypot was silent until July 27, when what Cybereason's researchers assume were the asset's new owners connected to it using one of the backdoors. Based on the actions they took, they were fully prepared to navigate the ICS environment of an electricity provider.

Their first move was to disable the environment's security features,

www.intelligentciso.com | Issue 06