The post SCADA Hacking: Inside Russian SCADA/ICS Facilities first appeared on Hackers Arise.
Part 1 – Intro
SCADA hacking is one of the most dangerous forms of cyber attacks today. These systems control industrial processes, critical infrastructure, and manufacturing lines. Despite their importance, most SCADA setups remain poorly secured. They often run on outdated software, use default configurations, and lack even basic protections.
Specialists from IOActive and Embedi examined the security of mobile applications used to monitor and control SCADA systems. After analyzing randomly selected products from 34 different vendors, the experts concluded that virtually all of the reviewed applications contain vulnerabilities. Moreover, many of the discovered flaws could have a direct impact on the safety of industrial processes and could lead to the compromise of the entire enterprise infrastructure.
In Russia, the situation is even worse. A large portion of the SCADA software still in use was developed in the early 2010s, and many of these systems have never received an update since they were first deployed. Patches aren't available, vendors are no longer in business, and documentation is outdated or missing. Because of this, attackers often don't even need to develop new exploits: they can reuse old, public vulnerabilities that remain unpatched.
The use of legacy operating systems is also common. You can still find SCADA systems running on Windows XP or Windows 7, completely cut off from modern security practices. When the network is poorly segmented, compromising a single workstation can hand an attacker the whole SCADA system. In one of the following articles you will see how a SCADA system facilitated the compromise of an entire domain due to credential reuse and outdated software.
The IOActive and Embedi researchers conclude that the situation in this sector is only getting worse: the average number of vulnerabilities per application has risen to 1.6.

For their tests, the specialists used various techniques, including reverse engineering and fuzzing. As a result, the five most common issues identified are as follows:
- 94% of applications are vulnerable to code tampering
- 59% of applications have authorization security issues
- 53% of applications lack strong obfuscation and are susceptible to reverse engineering
- 47% of applications store data insecurely
- 38% of applications have poor communication security
Kaspersky
Experts from the Kaspersky ICS CERT (Industrial Control Systems Cyber Emergency Response Team) report that attackers are actively targeting integrators, trusted partners, and contractors, and that this trend is especially noticeable in Russia.

In the chart above, you can see several sectors represented: Building Automation, Energy, Engineering, Manufacturing, Oil & Gas, Biometrics, and Construction. Green indicates Russia, while grey represents the world.
It’s clear that certain industries in Russia are experiencing a higher impact compared to the global average. It’s important to note that the data in the report only reflects publicly disclosed incidents. Russia continues to suppress the true number of breaches, relying heavily on a strategy of security through obscurity. OTW has repeatedly warned about the risks of this approach.

In the first quarter of 2024, malicious web resources were blocked on 7.5% of ICS computers in Russia. A significant portion of these resources were used to distribute malicious scripts and phishing pages, which were blocked on 4.6% of ICS computers. Phishing remains one of the most common initial access methods used by attackers targeting industrial facilities.
“A successful attack on automated control systems can have severe consequences: halting production, disrupting global logistics and supply chains, and even endangering human health and the environment,” commented Vladimir Dashchenko, an expert at Kaspersky ICS CERT. “We see that attackers are refining existing tactics and techniques for attacking industrial systems, and they are also employing new types of malicious activity. Unfortunately, humans remain the weakest link in an organization’s cybersecurity: we often observe employees falling for phishing, which is sometimes highly targeted, or deliberately violating cybersecurity policies.”
Dragos
Cybersecurity analysts from Dragos have released an interesting report on attacks targeting industrial control systems. For their research, the specialists analyzed over 500,000 different attacks on industrial facilities and more than 30,000 malicious files and installers that have been uploaded to VirusTotal since 2003.
The Dragos report shows that most incidents involving attacks on ICS are actually accidental, where typical malware that was not designed for ICS environments ends up on an organization’s network.

Typically, industrial control systems consist of two main components: the SCADA equipment, which gathers data from sensors and controls machines, and the software that allows human operators to manage that equipment. Malware capable of running on the SCADA hardware itself is extremely rare; most of the risk lies with the computers used to control these systems. And although one of the fundamental cybersecurity rules is the complete isolation of SCADA systems and their control computers from the internet and from any other network, that rule is not always followed.
Dragos researchers write that the lack of proper network segmentation allows common malware like Sivis, Ramnit, or Virut to make its way onto machines that control SCADA equipment. These infections occur by sheer accident; they are not targeted attacks carried out by "government hackers". According to the researchers, more than 3,000 industrial facilities have already been affected by such accidental infections.
That said, it would be inaccurate to claim that targeted attacks on industrial control systems don't exist at all. One cannot forget threats like Stuxnet, Havex, or BlackEnergy2. Dragos analysts report that they have identified dozens of targeted ICS attacks. One of the most interesting incidents dates back to 2013, when several enterprises noticed suspicious software allegedly designed for Siemens programmable logic controllers (PLCs). Initially, antivirus products flagged these files as false positives, but they were later recognized as malware.
Dragos researchers discovered that over the four years that followed, various versions of these files supposedly intended for Siemens controllers became ten times more common, with a sharp increase in early 2017. It turned out that unknown attackers had been disguising their malware as Siemens firmware all along, and the disguise worked.
Efficiency
To carry out a successful attack, a hacker must understand the physical operation model of the plant. In other words, the technical process: how chemicals are produced and which units are used in the process. The illustration shows a schematic of the technological process for producing vinyl acetate.

Such understanding is essential for an effective attack. Blindly attempting to disrupt the process by, for example, triggering an overheating procedure in a storage tank will most likely just result in an emergency shutdown being activated.
An attacker, however, aims to cause more serious damage to the facility, which requires a subtler approach. For instance, they might slightly alter the technological process so that the output contains impurities instead of being a pure chemical. As an illustration, the table shows the cost per kilogram of pure paracetamol (100%) versus paracetamol with minor impurities (99%). The difference is a factor of 1.641, so even one day of sabotage could cause serious financial damage to the enterprise.
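To make the difference between a blunt and a subtle attack concrete, here is an added toy model (written for this edit, not code from the original post or from any of the reports it cites). It simulates a heated unit with a first-order temperature lag, an operator high alarm, and a safety high-high trip. Every threshold, the purity sensitivity, the production rate, and the tag names are assumed values for the illustration; the only number taken from the article is the 1.641 price ratio between 100% and 99% pure paracetamol. The block also includes the check a defender would want: comparing the setpoints read back from the PLC against the engineering baseline, which catches a small bias that the safety system never will.

```python
"""Toy reactor model: crude setpoint attack trips the safety system,
subtle setpoint bias survives and degrades product.

Assumed values for this illustration only, not data from any real plant:
thresholds, purity sensitivity, production rate and tag names.
The price ratio 1.641 (100% vs 99% pure paracetamol) is from the article."""

from dataclasses import dataclass

NOMINAL_SETPOINT = 100.0        # °C the process was engineered for (assumed)
HIGH_ALARM = 110.0              # operator alarm threshold (assumed)
HIGH_HIGH_TRIP = 120.0          # safety system trips the unit above this (assumed)
PURITY_PER_DEGREE = 0.0025      # purity lost per °C of deviation (assumed)
KG_PER_MINUTE = 10.0            # production rate while running (assumed)
PRICE_RATIO_100_VS_99 = 1.641   # from the article's paracetamol table


@dataclass
class RunResult:
    tripped: bool          # safety instrumented system shut the unit down
    alarmed: bool          # operator high alarm was raised at some point
    minutes_run: int       # minutes of production before trip or end of run
    final_temp: float
    purity: float          # fraction of on-spec product (0.0 if tripped)
    kg_produced: float
    relative_value: float  # batch value relative to an untouched run


def simulate(attacker_setpoint: float, minutes: int = 60) -> RunResult:
    """Run the toy unit with the setpoint an attacker wrote into the PLC.
    Temperature approaches the setpoint as a first-order lag (20% per minute);
    purity falls linearly with deviation from the engineered setpoint."""
    temp = NOMINAL_SETPOINT
    alarmed = False
    for minute in range(1, minutes + 1):
        temp += 0.2 * (attacker_setpoint - temp)
        if temp >= HIGH_HIGH_TRIP:
            # Emergency shutdown: the batch is aborted, nothing sellable.
            return RunResult(True, True, minute, temp, 0.0,
                             KG_PER_MINUTE * minute, 0.0)
        if temp >= HIGH_ALARM:
            alarmed = True
    purity = max(0.0, 1.0 - PURITY_PER_DEGREE * abs(temp - NOMINAL_SETPOINT))
    # On-spec product keeps full price; anything off-spec sells at the 99% grade.
    value = 1.0 if purity >= 0.999 else 1.0 / PRICE_RATIO_100_VS_99
    return RunResult(False, alarmed, minutes, temp, purity,
                     KG_PER_MINUTE * minutes, value)


def setpoint_drift_alerts(baseline: dict, observed: dict,
                          tolerance: float = 0.5) -> list:
    """Defender's check: compare setpoints read back from the PLC against the
    engineering baseline and return the tags that drifted beyond `tolerance`.
    A +4 °C bias never reaches an alarm, but it fails this comparison."""
    return sorted(tag for tag, value in observed.items()
                  if abs(value - baseline.get(tag, value)) > tolerance)


if __name__ == "__main__":
    for label, sp in (("untouched", 100.0), ("subtle +4 °C", 104.0),
                      ("blunt +50 °C", 150.0)):
        r = simulate(sp)
        print(f"{label:14} tripped={r.tripped} alarmed={r.alarmed} "
              f"purity={r.purity:.3f} value={r.relative_value:.3f}")
    # Constructed sample: hypothetical tag names, not from any real plant.
    baseline = {"TIC-101.SP": 100.0, "FIC-102.SP": 250.0}
    observed = {"TIC-101.SP": 104.0, "FIC-102.SP": 250.2}
    print("drifted setpoints:", setpoint_drift_alerts(baseline, observed))
```

Run as-is and the blunt attack trips the unit within three minutes, exactly the emergency shutdown the text predicts; the +4 °C bias never raises an alarm yet leaves the batch at roughly 99% purity, worth about 61% of the untouched run under the article's price ratio. Only the baseline comparison flags the biased tag, which is why setpoint and configuration integrity monitoring belongs alongside the safety system rather than being left to it.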

In addition to product sabotage, another attack vector is damaging equipment by overloading it (as demonstrated by Stuxnet).
A successful attack consists of several stages, some of which can be carried out in parallel, while others require a precise understanding of the industrial process, knowledge that IT professionals typically lack.
Conclusion
SCADA systems are critical to the functioning of industrial infrastructure, yet they remain one of the most poorly secured parts of the digital landscape. In Russia, the problem is especially severe due to outdated software, unpatched vulnerabilities, and a reliance on obscurity rather than transparency. Both accidental infections and targeted attacks continue to pose real threats, and incidents are rising across key sectors. The lack of proper segmentation, insecure coding practices, and limited operator awareness only make matters worse. As industrial operations grow more connected, the risks become harder to contain.
In Part 2, we will walk you through the compromise of a SCADA system controlling water towers.
Source: HackersArise
Source Link: https://hackers-arise.com/scada-hacking-inside-russian-scada-ics-facilities/