Commentary: Iranian cyberattacks threaten our daily operations

A series of documents, reportedly compiled by an attack group from Iran's Revolutionary Guard Corps, provide a glimpse into how malicious actors are increasingly targeting industrial and building management systems, writes Rotem Bar, senior ICS/OT division manager at BDO Israel

By Rotem Bar

According to a Sky News report based on classified documents allegedly from Iran, a cyberattack could sink a cargo ship or blow up a fuel pump at a gas station.

The Sky News report also details how satellite devices are used by the shipping industry globally and how a computer-based system controls lighting, heating, and ventilation in smart buildings worldwide.

According to a security source with knowledge of the five research reports, the 57-page collection was compiled by an offensive cyber unit called Shahid Kaveh, part of Iran's terrorist-linked Islamic Revolutionary Guard Corps (IRGC).

"They are creating a target bank to be used whenever they see fit," said the source, who requested to remain anonymous in the direct discussion of the documents.

Almost all of the reports include a quote that appears to be from Iran's supreme leader, Ali Khamenei: "The Islamic Republic of Iran must become among the world's most powerful in the area of cyber." Sources describe this quote as something like a commander's statement of intent.

The front pages of only two of the reports contain the purported date of completion.

The first one, dated 19 November 2020, examines building management systems - the computer technology that controls things like lights, heating, and ventilation in smart buildings.

Also listed in the documents are companies that provide these services, including Honeywell in the United States; Schneider Electric, a French electrical equipment company; Siemens, a German company; and KMC Controls, another US company.

Another report, the most comprehensive one, dated 19 April 2020, deals with a German company called WAGO, which makes electrical components for the industrial automation market.

The report examined vulnerabilities in a programmable logic controller (PLC) – a computer control system.

"Continuing the investigation, to use these processes, we noticed the vulnerabilities within these systems are irreparable. If there is an attack, the damage will not be easy to fix," the report said.

"Therefore, compared to other PLC brands, this brand is impenetrable once connected online. When online, the infrastructure and intelligence on engineering cannot be reached and cannot be lost.

"For our benefit, the best situation is for the PLC not to work as intended, and for that to happen, a project must be written in 'ladder' language and have multiple exits, as many as possible. But the problem with this project is that we wouldn't be able to assess the damage caused. The other option is to assess the PLCs and software's weak points and dangerous points to attack our target. This option needs separate investigation and research before we can find the weak points."

The Iranian attack unit 13 is not operating in a vacuum. Many attack groups work on behalf of nation-states, companies, and criminals; the last two are after money. Governments do not follow those rules, and their agenda might not be as clear.

This is why documents like the aforementioned ones openly describing targets are rarely published or exposed in such a manner.

The documents provide a glimpse of the attacker's way of thinking about a target's organization as well as the possible attack vectors and destructive capabilities that can be used against a target.

Until now, owners of smart buildings have not considered nation-states as possible threats, but in light of these reports it is clear that this is a mistake that needs to be addressed.

WAGO, the German industrial automation manufacturer, was one of the targets described in the documents. Its many types of automation equipment are used throughout the industrial automation market, including with cloud PLC services.

Many of the devices used in industrial automation and building automation are not updated. Published vulnerabilities are not addressed, allowing the Iranians and other attackers to remain in the victims' systems for many years.

We depend on industrial and building management systems for our safety. With millions of such systems globally, the attack groups pose a significant risk to these modern systems that we use in our daily lives.
Rotem Bar is senior ICS/OT division manager at BDO Israel
