
SCADA Ransomware Attack - Proof of Concept

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Recent research into the possibility of attacks against SCADA (Supervisory Control and Data Acquisition) systems has resulted in a proof of concept attack being developed.

Threat details

Closed announcements were subsequently rushed to affected organisations to limit the potentially widespread impact that could result.

The proof of concept attack, named Scythe, targets various I/O devices that offer a web server capability. The details of which devices or vendors are affected by Scythe have not yet been released, to give the industry time to implement mitigation by way of patches or other remedial action where appropriate.

The attack itself is described as differing slightly for each device, and it requires the attacker to gain physical access to a vulnerable device and carry out hardware reverse engineering before the attack can be made to work.

The technical details of the attack are being closely guarded for now, but it is known that the attack relies on a firmware validation bypass which allows the legitimate firmware to be replaced with malicious firmware that causes the device to malfunction. When a technician accesses the device to troubleshoot the fault, they are presented with a ransom note. If the ransom is not paid, the firmware is corrupted and any configuration files are overwritten.

It should be noted that ransomware is not the only use an attacker has for a compromised SCADA device. With full access to a device, its operation can be modified not just to cause denial of service but to the point of causing physical damage to the equipment it controls.


Remediation steps

  • Ensure all network-enabled SCADA devices are registered as part of a full audit, with all relevant details (such as vendor, model, firmware version and network location) recorded so that mitigations can be applied efficiently where necessary.
  • Where SCADA systems are connected to untrusted networks, consider removing that access, blocking it with a firewall, or deploying an IP whitelisting policy so that only known management hosts can reach the devices.
  • Ensure all configurations and firmware are backed up and readily obtainable, so that if an attack succeeds service can be recovered quickly without the need to pay a ransom.
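
Because the attack relies on a firmware validation bypass, the device itself cannot be trusted to reject a malicious image. The audit and backup steps above are more useful when they are backed by an out-of-band integrity record: a keyed manifest of the known-good firmware and configuration hash for every registered device, checked before an image is pushed, during periodic audits, and before a backup is restored. The block below is an added example, not part of the NHS Digital alert and not any vendor's tooling; the device names, image contents and manifest key are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Assumption: in a real deployment this key lives in a secret store (or HSM)
# outside the OT network; it is hard-coded here only so the example runs
# stand-alone.
MANIFEST_KEY = b"example-manifest-key-replace-me"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a firmware image or configuration file."""
    return hashlib.sha256(data).hexdigest()


def _mac(entries: dict) -> str:
    """HMAC over the canonical JSON of the manifest entries, so that an
    attacker who can edit the manifest file cannot simply update the
    recorded hash to match a malicious image."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, "sha256").hexdigest()


def build_manifest(inventory: dict[str, dict[str, bytes]]) -> dict:
    """inventory maps device id -> {"firmware": bytes, "config": bytes}
    for every registered device (the audit step in the alert)."""
    entries = {
        device: {kind: sha256_hex(blob) for kind, blob in artefacts.items()}
        for device, artefacts in inventory.items()
    }
    return {"entries": entries, "mac": _mac(entries)}


def manifest_is_authentic(manifest: dict) -> bool:
    """Reject a manifest whose entries were edited without the key."""
    return hmac.compare_digest(_mac(manifest["entries"]), manifest["mac"])


def verify_artefact(manifest: dict, device: str, kind: str, blob: bytes) -> tuple[bool, str]:
    """Check an image or config against the known-good record before it is
    pushed to a device, or before a backup is restored after an incident.
    Returns (ok, reason)."""
    if not manifest_is_authentic(manifest):
        return False, "manifest MAC mismatch: the manifest itself may have been tampered with"
    known = manifest["entries"].get(device, {}).get(kind)
    if known is None:
        return False, f"{device}/{kind} is not in the inventory: register the device first"
    actual = sha256_hex(blob)
    if not hmac.compare_digest(known, actual):
        return False, f"{device}/{kind} does not match the known-good record"
    return True, f"{device}/{kind} matches the known-good record"


def audit(manifest: dict, current: dict[str, dict[str, bytes]]) -> list[str]:
    """Compare what is currently on the devices with the manifest and list
    every artefact that has changed or belongs to an unregistered device.
    This is the check to run after a suspected Scythe-style replacement,
    when the device's own validation cannot be trusted to have rejected
    the image."""
    findings = []
    for device, artefacts in current.items():
        for kind, blob in artefacts.items():
            ok, reason = verify_artefact(manifest, device, kind, blob)
            if not ok:
                findings.append(reason)
    return findings


# Constructed sample data: two registered devices with known-good firmware
# and configuration (in practice these would be the vendor's image files and
# the exported device configuration, read from disk).
INVENTORY = {
    "plc-01": {"firmware": b"VENDOR-FW 2.3.1 (constructed image)",
               "config": b"plc-01: ai0=flowmeter do3=valve\n"},
    "rtu-07": {"firmware": b"VENDOR-FW 1.9.0 (constructed image)",
               "config": b"rtu-07: di0=pressure-switch\n"},
}
MANIFEST = build_manifest(INVENTORY)


if __name__ == "__main__":
    # Simulate a Scythe-style firmware replacement on plc-01 plus an
    # unregistered device appearing on the network.
    observed = {
        "plc-01": {"firmware": b"RANSOM-FW (constructed malicious image)",
                   "config": INVENTORY["plc-01"]["config"]},
        "rtu-07": INVENTORY["rtu-07"],
        "plc-99": {"firmware": b"unknown"},
    }
    for finding in audit(MANIFEST, observed):
        print("ALERT:", finding)
```

The HMAC matters: a manifest that is only a list of hashes can be rewritten by the same attacker who replaced the firmware, so the key (and ideally the manifest file itself) must be kept off the OT network. The known-good hashes should be taken from vendor images whose published checksums have been verified, not from whatever is currently running on the device, otherwise an already-compromised image would be enrolled as the baseline.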

Last edited: 17 February 2020 11:38 am