Exposed Thermal Imaging Cameras Detrimental to Physical Security
Recently, Cyble Research & Intelligence Labs has observed Threat Actors and Hacktivist groups rapidly enhancing their capabilities to exploit Industrial Control System (ICS) devices and protocols. These devices are mainstays of national services, a fact that cybercriminals are well aware of, and the far-reaching effects of publicizing attacks on such systems give them a strong incentive to target ICS.
ICS devices also help regulate a large suite of military equipment, particularly Thermal Imaging (TI) cameras, which have long been the nuts and bolts of border surveillance and of guarding sensitive installations for Military and Law Enforcement Agencies (LEA). It is thus imperative for these agencies to protect these surveillance assets not just from physical damage but from growing cybersecurity risks.
Activities targeting Military ICS Infrastructure in the Underground
Cyble Research & Intelligence Labs (CRIL) monitors alarming trends in the Darkweb impacting LEA, including sensitive documents, installation plans, proprietary software, and Personally Identifiable Information (PII).
In one such recent development, an actor claimed access to the Supervisory Control and Data Acquisition (SCADA) systems and Thermal Imaging camera allegedly used by the Military organization of a North African country.
A Threat Actor (TA) posted links to images to prove their claims of compromise, along with some IP addresses, as shown below.
Analysis 1: The TA posted a sample image showing the access panel of a Thermal Imaging (TI) camera system. A closer look at the panel and the IP address provided in the sample led CRIL researchers to ascertain that the panel belonged to a prominent OEM that manufactures military-grade TI cameras for several armed forces globally.
The image of the camera below shows the pan-tilt variant of the TI camera widely used for the following:
- Real-time control and monitoring of vital physical assets
- All-weather and expansive perimeter monitoring
- Automated Target Recognition
- Moving target identification
- Hazardous environment monitoring
The image also shows this particular asset’s ‘network access code’, suggesting that the TA may have used leaked data of this kind to gain network access to the asset(s).
Alternatively, the TA could have gained wider access to several such assets through reconnaissance against them and merely cited the network access code of one of them.
Along with the sample, the TA also posted two more images showing the physical location of an IP address on a map and aerial imagery of a military base situated in North Africa.
CRIL investigated the product’s exposure, which was visible in the Threat Actor’s (TA) screenshots. One online scanner shows around 607 exposed instances of the same product, as shown in the geographical representation below.
Upon further investigation, it was found that the exposed TI cameras have multiple vulnerabilities, such as information disclosure, unauthenticated Remote Code Execution (RCE), and hardcoded credentials issues.
The presence of the vulnerabilities can not only provide adversaries with surveillance capabilities over military bases but also allow them to penetrate Operational Technology (OT) networks.
Researchers at CRIL observed that multiple exposed Thermal Imaging cameras (TI cameras) still operate with default credentials (figures below). This allows an attacker to use misconfigured internet-exposed cameras to manipulate readings, disrupt the Military’s surveillance capabilities, or gain insights into the internal network.
Performing granular reconnaissance with the Thermal cameras can allow intruders to launch further cyberattacks on the victim organization(s).
Analysis 2: Among these images, we identified screenshots indicating exploitation attempts against the Modbus protocol, as shown below.
Threat Actor exploiting Modbus Protocol
The Modbus protocol is one of the most widely used communication protocols designed to exchange control messages across industrial networks.
Recently, it’s been observed that TAs are actively scanning Modbus servers to perform reconnaissance activities and gain details related to electronic devices, such as vendor name, product name, coils/register details, and version number.
As vulnerabilities exist in the Modbus protocol, remote attackers can send malicious packets to the Programmable Logic Controllers (PLCs) running on Modbus to sabotage operations and processes within a Critical Infrastructure Sector.
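Detection logic for the two behaviours described above, written for this article as an added example (it is not code from the original post or from Cyble's CGSI sensors): a small Modbus/TCP request parser that flags Read Device Identification requests (function 0x2B with MEI type 14, the request that returns vendor and product names) and write requests from hosts outside an engineering allowlist. The source addresses, the allowlist and the sample frames are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple
# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length, unit id; the PDU follows.
MBAP = struct.Struct(">HHHB")
READ_DEVICE_ID = 0x2B                   # Encapsulated Interface Transport
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}  # write single/multiple coils and registers

@dataclass
class Finding:
    src: str
    function_code: int
    reason: str

def parse_frame(data: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (unit_id, function_code, pdu_body), or None for anything that is not well-formed Modbus/TCP."""
    if len(data) < MBAP.size + 1:
        return None
    _tid, proto, length, unit = MBAP.unpack_from(data)
    if proto != 0 or length != len(data) - 6:   # length field counts unit id + PDU
        return None
    return unit, data[7], data[8:]

def classify(src: str, data: bytes, allowed_writers: Set[str]) -> Optional[Finding]:
    """Flag device-identification reads (fingerprinting) and writes from hosts outside the allowlist."""
    parsed = parse_frame(data)
    if parsed is None:
        return None
    _unit, fc, body = parsed
    if fc == READ_DEVICE_ID and body[:1] == b"\x0e":   # MEI type 14 = Read Device Identification
        return Finding(src, fc, "Read Device Identification: vendor/product enumeration")
    if fc in WRITE_CODES and src not in allowed_writers:
        return Finding(src, fc, "write request from host not on the engineering allowlist")
    return None

def scan(frames: Iterable[Tuple[str, bytes]], allowed_writers: Set[str]) -> List[Finding]:
    return [f for f in (classify(s, d, allowed_writers) for s, d in frames) if f is not None]
# Constructed sample requests (source address, raw TCP payload); not captured traffic.
ALLOWED_WRITERS = {"10.0.0.5"}                        # hypothetical HMI/engineering workstation
SAMPLE_FRAMES = [
    ("10.0.0.5",     bytes.fromhex("0001000000060103000a0002")),  # read 2 holding registers: routine polling
    ("203.0.113.9",  bytes.fromhex("000200000005012b0e0100")),    # Read Device Identification, basic objects
    ("203.0.113.9",  bytes.fromhex("000300000006010600100001")),  # write single register from an outside host
    ("10.0.0.5",     bytes.fromhex("000400000006010600100001")),  # same write from the allowed workstation
    ("198.51.100.7", bytes.fromhex("0005000000")),                # truncated frame: ignored, not a finding
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(f"{f.src}: function 0x{f.function_code:02X} - {f.reason}")
```

Run over the sample set, only the identification read and the write from the outside host are reported; the routine poll, the allowlisted write and the malformed frame produce nothing.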
As observed from the aforementioned screenshots, the TA is using the “Metasploit” framework. Metasploit has been one of the prominent tools used by TAs to target ICS assets, as it provides various modules to perform reconnaissance and exploitation.
The figure below shows various modules available within the Metasploit framework that TAs leverage to target the Modbus protocol.
Cyble Research & Intelligence Labs (CRIL) actively monitors scanning and exploitation attempts of the Modbus protocol via our extensive Cyble Global Sensor Intelligence (CGSI) Network.
The figure below shows the scanning and exploitation attempts by TAs observed by CGSI in the last 30 days.
These insights and findings highlight that attacking Modbus-connected devices is still one of the primary attack vectors followed by TAs.
Analysis 3: In the following screenshot shared by the TA (Figure 11), the TA appears to be targeting the web interface of DATAKOM RAINBOW SCADA software.
Rainbow SCADA is a multi-functional remote monitoring system that is internet-based and supports all Datakom products and third-party devices, such as energy meters and industrial controllers. CRIL researchers believe that the TA gained access to the SCADA web interface via factory default credentials.
Threat Actors Exploiting Exposed SCADA Systems
SCADA systems are one of the most critical and valuable assets within organizations dealing with Operational Technology (OT). However, due to improper network segmentation and lack of visibility of assets, various operators may inadvertently leave SCADA systems exposed over the internet.
Exposing the SCADA system over the internet can cause severe damage to operations and cause physical harm to the engineers working near heavy machinery. TAs actively scan internet-facing devices belonging to the target organization, state, or country to find SCADA devices that can be further exploited to directly target field devices and manipulate the alarm settings and set-points that operators configure.
As the targeted SCADA systems are web-based, researchers at Cyble investigated the exposure of these particular assets to understand the attack surface from the TA’s perspective. One of the online scanners shows that there are 39 exposed SCADA systems. The geographical representation of the same is shown below.
Upon investigation, it was found that multiple instances are still running factory default credentials. Numerous advisories from CISA and OT vendors have been released in the past urging operators to change the factory default credentials of ICS assets. However, operators’ negligence and lack of visibility into assets remain a major concern when it comes to this issue.
There has been increased adoption of Commercial-Off-The-Shelf (COTS) technologies in military hardware in the interest of standardization and future upgrades. The overlapping use of these critical components in industries and the Military has led to underlying cybersecurity risks.
Exposed ICS instances, misconfigured assets, and vulnerabilities can lead to not just industrial failures but also several physical security concerns, previously highlighted in our analysis – “Defenceless Critical Infrastructure”.
Cybercriminals are extensively using open-source tools and scripts to perform reconnaissance and exploitation of ICS assets, carrying out systematic and in-depth research into OEMs and vendors to target entities that deal in national security.
The above investigation into the incident and the sensitive IP addresses exposed by the threat actor led us to concur that the IPs belong to a country in North Africa, supporting the TA’s claims.
Recommendations
- Implement proper network segmentation to prevent attackers from performing lateral movement and minimize exposure of critical assets over the internet.
- Keep critical assets behind properly configured and updated firewalls.
- Utilize Software Bill of Materials (SBOM) to gain more visibility into assets.
- Keep software, firmware, and applications updated with the official vendor’s most recent patches and mitigations. This is necessary to prevent attackers from exploiting vulnerabilities.
- Implement proper access controls.
- Regular audits, vulnerability assessments, and penetration testing exercises are key to finding security loopholes that attackers may exploit.
- Implement Multi-Factor Authentication wherever possible.
- An organization should always follow a strong password policy and change factory default passwords.
- Conduct cybersecurity awareness training programs for employees within the organization.
- Implement secure backup, archiving, and recovery processes.
- All military equipment suppliers should be able to comply with quality clauses and be subject to audits as part of the COTS vendor’s supply-chain management. This should be done with the help of an approved vendor list.
This document is created to share our findings and research with the broader cybersecurity community from an academic and knowledge-sharing standpoint. It is in no way an endorsement of the activities described in the report or to cause any damage to the affected parties. The data points and observations indicate events observed for the period discussed in the report and publication time. Cyble is not liable for any action(s) taken based on these findings and any ensuing consequences.