Yesterday the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an advisory giving a brief overview of the McAfee Night Dragon report. The ‘Night Dragon’ (McAfee's code name) cyber attack on multiple companies in the oil and gas sector was mainly an IT-system cyber espionage operation; ICS-CERT notes, however, that data was also collected from SCADA systems.
There is an article on CNET.com that provides a better narrative about this long-term operation, which apparently originated from China, and ICS-CERT was kind enough to link to the McAfee white paper on the attack. Both of those sources are worth reading, but the Advisory itself provides a concise description of the indicators for the various components of the attack code, which would allow a cyber security team to determine whether their own systems were similarly attacked.
There is nothing in these reports indicating that the ICS portion of the attack did anything more than collect information from the affected control systems. However, we now know (thanks to analysis of the Stuxnet worm) that the kinds of information collected from SCADA systems could allow a targeted, Stuxnet-like attack on those systems to be prepared. More importantly, the same attack methodology would apparently give an attacker the level of ICS access needed to initiate such an attack.
The scariest thing about Night Dragon is not the extent of the attack, but the fact that this apparently very successful campaign used no new vulnerabilities, technology or techniques. The use of spear phishing to compromise VPN accounts should be of special concern to ICS security managers: ICS users with authorized remote access via VPN clearly need recurrent training on recognizing and avoiding spear phishing attacks.