Trickle-down Cyber Threats: From Nation State to Common Crim

Noora Hyvärinen

21.04.17 6 min. read



During the latter half of 2010, details emerged on the Stuxnet sabotage operation, the first widely publicized cyber attack on physical infrastructure. As the world came to the realization of what future cyber attacks might look like, security researchers around the world started digging into the details in order to learn how feasible it might be to replicate such an attack.

It didn’t take them long to realize that industrial control systems, and the infrastructure around them, are both heavily insecure and easily exploitable. What also became quickly obvious was that these decades-old systems and technologies wouldn’t and couldn’t be updated overnight. A whole new window for attack opened up to the world.

It goes without saying that, less than a decade later, that window still very much exists. But whereas a handful of years ago it took the resources and tools of a nation state to execute such an operation, some of those same capabilities are in the hands of today’s everyday cyber crime groups. Stuxnet was the catalyzing moment in which criminal gangs turned their gaze toward industrial control systems.

Havex: Nation State…or just a Privateer?

In 2014, researchers from our Threat Intelligence team looked into one of the command and control servers that formed part of the Havex malware infrastructure. The campaign behind the Havex trojan, dubbed “Dragonfly” or “Energetic Bear,” was at the time known to be performing data collection (espionage) activities in Europe and the US, and was suspected to be operating with nation-state support.

Our researchers noted that multiple trojanized ICS controller software installers (Windows-based software used to control ICS systems, not the firmware actually installed on the devices themselves) had been found on the C&C in question. Further investigation revealed that this group had managed to place the same trojanized packages directly onto vendor download sites, where unsuspecting victims would download and install them. Given that the Dragonfly group were only known to carry out espionage-related activities, the group’s motives for using these trojanized installers were unclear (at the time).

Later that year, the same group performed a series of espionage campaigns against energy sector companies in the US and Europe, only to disappear shortly thereafter. Further analysis revealed that the trojanized ICS software had been deployed into target organizations in order to harvest data from affected systems, map out network topology (using tools like fing), and serve as a rather good hiding place and pivot point within the breached infrastructure.

The Dragonfly campaign’s state ties were never proven. But given that the Havex infrastructure smelled more like a privateer campaign than a well-organized nation-state operation, we have to wonder whether the group was merely “state-tolerated.” Reports indicate that they briefly resurfaced last year, but there’s no indication as to whether they’re still operational or not.

Opportunistic Attacks on Physical Infrastructure

During 2016, analysts from our Cyber Security Services division responded to incidents in which industrial control systems in the field were once again under attack. This time around though, the motives behind these operations seemed purely financial. Targeting the manufacturing sector, these new campaigns involved locking down or gaining control of key systems in a victim’s organization, and subsequently, demanding a ransom. Ransom demands hinged around two main themes: returning control of locked out systems, or payment for not remotely shutting down operations.

The latter scenario is a significant reason for paying a ransom. If the machinery in a manufacturing plant is shut down, it can often take days or weeks to bring it back online. This is because systems need to be spun up in a certain order. It’s a time-consuming process. An uncontrolled shutdown initiated by an untrained external attacker can damage machinery (when not performed in the correct order). Such scenarios will always result in the victim incurring heavy operational and financial losses, and possibly even breakage to machinery or infrastructure.




In December 2016, a ransom attack against San Francisco’s Municipal Transport Agency made news headlines around the world. What is less known is that the individual behind that attack had previously successfully managed to ransom several other US manufacturing firms. Typically, these types of attacks rarely make news headlines. But they happen globally and frequently.

What’s also interesting about these attacks is that they aren’t strictly targeted. They’re opportunistic. The actors behind these types of operations perform wide-sweeping scans of the Internet, looking for systems with known, easily exploitable vulnerabilities. Attackers search through their scan results looking for potential whales. Working from a prioritized list, the attackers manually access the victims’ systems, hand-deploy their malware, and then demand their ransom.

Given the number of vulnerable, unpatched, and neglected systems directly connected to the Internet, this modus operandi is highly effective. So effective, in fact, that entire families of ransomware have been designed to carry out such operations. Petya is one example – a family of crypto-ransomware that renders the entire system unbootable (via an encrypted MBR) until the ransom is paid. While entirely impractical against a regular consumer system (you can’t pay the ransom if you can’t even use your computer), Petya is an ideal tool for a large-scale lockdown of payment terminals, servers, control consoles, and other corporate infrastructure.

Last year we would have told you that many of these types of attacks could be attributed to Chinese threat actors. This year, we’re seeing similar campaigns coming out of other geographic locations, including Eastern Europe and Russia. And these campaigns are largely targeting companies in both Europe and the US. In many cases, it’s manufacturers that are being hit – most likely because of lax cyber security practices.

Lowering the Barrier to Entry

Sophisticated cyber attacks tend to start at the top and work their way down. It’s the opposite of “low-hanging fruit.” When new types of attacks are discovered, they’re usually attributable to highly resourced threat actors (such as nation states). These actors, by default, go after the highest-value targets first. As the TTPs used in such attacks are made available to the public, less-organized actors take them into use.

We see attacks trickling down from defense contractors to banks to critical infrastructure to heavy industry and eventually to everyone else (manufacturing, retail, SMEs, etc.). And we usually see these trends start Stateside before they move to Europe. During 2016, many targeted cyber attacks were perpetrated by individuals, not organized groups. As the tools and methods used in these attacks become further refined, we expect the barrier of entry to this game to lower even further. Expect a lot more of these in 2017.


This article was adapted from our recent report, The State of Cyber Security 2017. Read more about cyber security trends and topics when you download the full report here.

