
Darkness in the Ukraine

Thomas Norlin, Account Executive – Denmark & Finland

“The big lesson here is that…someone actually brought down a power system through cyber means. That is an historic event, it has never occurred before.”

- Robert M. Lee, Cyber Warfare Operations Officer for the US Air Force

The First of its Kind: Attackers Turn the Lights Off

KNOWN TARGET (WHO): Three electric utility companies in Ukraine

WHAT HAPPENED (IMPACT): 225,000 customers lost power

Step 1: Perimeter Compromise

1. Spear-phishing campaign: targeting employees

2. Endpoints infected: employees open email and malicious attachment

3. Attackers gain access: malware installs RATs to establish backdoor access

4. Reconnaissance: information and credentials are collected

(Diagram label: PERIMETER)

CyberArk Discovery & Audit (DNA)

Compromised Privileged Accounts – “Game Over”

• Lose control of the data

• Lose control of IT systems

• Lose control of the business

Cyber Attacks Typically Start with Phishing

“If an attacker sends out twenty to thirty phishing emails, there’s a good chance he’ll penetrate your network.”

Verizon RISK Team (Threat Report: Privileged Account Exploits Shift the Front Lines of Cyber Security, November 2014)

An Attacker Must Obtain Insider Credentials

Mandiant, M-Trends and APT1 Report

“…100% of breaches involved stolen credentials.”

“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”

Step 2: Lateral movement and escalation

Attackers VPN into the OT environment and gain access to the control systems.

Using the credentials, attackers laterally move, learn the network and install KillDisk.

(Diagram labels: PERIMETER, Lateral Movement, VPN, OT Environment)

Privilege Escalation Enables Asset Escalation

Privilege escalation drives asset elevation: Endpoints → Servers → Domain Controllers

Step 3: Executed attack against electric grid…

The Reality Outside: Attackers used their control to disconnect electricity breakers and cut power in regions across Ukraine.

The Reality Inside: Attackers took control of the HMI software and disconnected the keyboard and mouse so that operators could not interfere.

…and proactively prevented remediation

Attackers simultaneously launched a DDoS attack against call centers and activated KillDisk malware – wiping all infected endpoints and servers.

The Role of Privilege

1. Captured admin credentials from infected machines

2. Used credentials to laterally move and elevate privileges in IT and OT networks

3. Used privileged access to launch a coordinated attack

And the attack surface is huge

Privileged accounts are in every piece of hardware and software on the network

• Windows systems

• Unix systems

• Databases

• SaaS applications

• Social media portals

• Industrial control systems

• Network devices

• Hypervisors

• Applications

Privileged Account Security – Now a Critical Security Layer

Comprehensive Controls on Privileged Activity

Lock Down Credentials: Protect privileged passwords and SSH keys

Isolate & Control Sessions: Prevent malware attacks and control privileged access

Continuously Monitor: Implement continuous monitoring across all privileged accounts

Products: Enterprise Password Vault, SSH Key Manager, Application Identity Manager, Privileged Session Manager, On-Demand Privileges Unix and Windows, Privileged Threat Analytics

How Could CyberArk Help

Once breached, contain the breach from moving laterally

Detect anomalous use of privileged accounts

Make a breach attempt expensive, complex and challenging for the attackers

How could CyberArk help?

Proactively secure all privileged and ICS credentials

Rotate admin credentials after each use

Establish a single, controlled access point into ICS systems

Monitor privileged account use to detect anomalies

Control applications to reduce the risk of malware-based attacks

Solution: CyberArk Discovery & Audit (DNA)

▪ Identifies all Privileged accounts and Pass-the-Hash vulnerabilities

▪ Standalone, easy to use tool

▪ Powerful scanning with minimal performance impact

  ■ Requires no installation

  ■ Consumes very low bandwidth

▪ Provides status and vulnerability of each Privileged account

▪ Creates Pass-the-Hash Organizational Vulnerability Map

Thanks!!