Continuing our look into the South Staffs Water ransomware attack from earlier this year – As we reviewed in Part 1, the breach was legitimate and substantial when looking at the large volume of admin/HR data released to the public. In addition, the press and security industry was quick to jump to conclusions whenever critical infrastructure was involved.
But why trust the first tweet you see or the initial news article you read? Let’s work together to demystify the “dark” web, look at the evidence presented to us (safely), and draw our own conclusions as we move forward. Make no mistake; ransomware will continue to be a cross-industry challenge. Splash damage will occur. The more equipped the industry is to know and understand ransomware and its effects, the better off we all will be.
Why did I go through all the breach data? Honestly, it was all the quick and unverified conclusions about what the breach meant for the industry. Let’s start there as we continue our journey.
Jumping to Conclusions
Soon after the Cl0p gang released preview breach data on August 15th, speculation online ran rampant. Due to 2 images of what looked to be SCADA (supervisory control and data acquisition) HMI (human-machine interface) screen captures, many assumed that the attackers must have had direct and interactive control of the water control systems. The two screenshots that started it all:
Among the dozens of other file screenshots that included numerous passports and other PII (personally identifiable information), these two screenshots were one of the few indicators that this breach may include non-HR data. Now keep in mind how the release of breach data works.
As detailed in Part 1 (https://synsaber.com/south-staffs-water-hack-part-1/), preview data is released as a way to verify to the public that a breach has occurred. But details and actual release of breach files occur some time after the previews are shown. This didn’t stop media and online researchers from making some initial assumptions that were then amplified by experts.
But with such a large amount of data that is only accessible via very slow communications networks, how does one actually validate or refute initial claims? First, let’s talk about the dark web and how to get to breach data.
The “Dark Web” – A Wretched Hive of Scum and Villainy?
You may have heard about it before, the deep dark web. For most, we assume it’s a back alley market where all the illegal parts of society operate. Like Mos Eisley, it’s not just about illegal activity, but also a place to get information, be anonymous, and generally find out what’s what. Here are some facts about the “Dark Web.”
What is the “Deep Web”
Anything Not Indexed By Search Engines
- Paywalls / Subscriptions
- Corporate Web
- Blocked by robots.txt
What is the “Dark Web”
Sites and data hosted on TOR
- Circumventing browsing restrictions
- And yes, illegal activities
How to Access the “Dark Web”
The Dark Web lives on a network of volunteer systems, relays, and exits known as “The Onion Router” network, or TOR for short. TOR has been around for a long, long time and is accessible via a “TOR Browser.” TOR isn’t just for illegal activities, but is often a vital technology to circumvent censorship or maintain anonymity.
You could use the TOR browser to visit normal or “Clear Web” sites like Google or Facebook from TOR exits around the world. This adds a layer of obscurity to your regular web browsing habits.
You can also use TOR to access websites that are only hosted and accessible via TOR. This is the focus of our discussion, as ransomware gangs use TOR sites to host breach data, such as South Staffs Water.
Download TOR Browser: https://www.torproject.org/download/
Once you’ve accessed the TOR network / dark web, you’ll need to know where the breach data is published. Although these onion sites may change from time to time, they are fairly easy to find… if you know where to look.
Option 1: Twitter – Yes, Twitter can be a powerful tool for monitoring when and where breaches occur.
Option 2: Watch Breach Aggregation Sites
There are a number of aggregation or index sites of related breach onion sites. Some are hosted on the dark web, but others, such as https://darkfeed.io/ransomgroups/, provide this information for you via the clear web. We can periodically check these sites to verify breach data preview and release as part of our process.
Digging Through South Staffs Water Breach Data Safely (and Efficiently)
As we mentioned in Part 1, the Cl0p gang released nearly 5TB of breached data on the Dark Web. One thing you may notice browsing through TOR is its speed… or lack thereof. If you haven’t had the pleasure of surfing the web in the dial-up days, go ahead and pop open a TOR browser. You are, at most, downloading files at 100KB/sec.
Note About Breach Data: Not Practical to Download it All
Due to the overall size and speed at which breach data can be downloaded, you want to be surgical about what data is targeted for analysis. In this instance, we want to determine what (if any) of the SCADA resources were accessed and, ideally, confirm that the two preview images were live or just another image on a file server. This, of course, can be difficult unless we employ some techniques.
Almost all breach data is broken up into many, many compressed chunks (typical zip files). For validation purposes, the first chunk of data released is often a Table of Contents, which is a zip file that expands into a list of directories, subdirectories, and file names. There are no actual files within this initial upload which is advantageous for us! Downloading and browsing through this ToC guides us through the rest of the process.
Downloading and interacting with the ToC Part 1 allows us to investigate the breach data structure. We can do this either by opening within a tool such as WinRAR, or by using basic Linux commands to expand the directory structure into searchable components.
This process can be rinsed and repeated across any and all breach data parts. For our part, we are focusing on SCADA-related data, specifically looking for validation around the claim that the water HMI systems were accessed interactively.
Even using something like WinRAR, interacting with the Part 1 ToC, will provide a wealth of information about the contents of the breach data without the hassle of downloading all 5TB+ of data. Double-clicking on individual files of interest has the side effect of flagging an error that indicates which part that file is contained in.
As we continue our data analysis, we can validate the location of the target file of interest and then go back and download that specific part file. For instance, if there is a file or directory of interest around a MIMICS file, double-clicking on that file will provide an error message indicating that file part 418 is required. Downloading just file part 418 and repeating the process will extract the specific and adjacent directories and files. These files can then be inspected.
After the initial hot takes were presented, I asked myself: Are these sound bytes based in reality? What is the process by which anyone can go and validate these claims? And the holy grail: Could I find the exact preview images as files within the breach data that could confirm or deny the claims of direct and interactive access to the water SCADA?
Given what we’ve learned today about the breach data itself, accessing the dark web, and the sheer amount of data released, it’s difficult to think that anyone making initial claims within the first 24 hours were based upon actual analysis. Sure the preview images were exciting, but bold claims should be based on evidence, not excitement.
For my part, finding that elusive smoking gun is still out of reach. The volume of data, files, and directories makes it impractical to validate any claims. And that’s the point, really. South Staffs Water says that the ability to deliver water was not affected. Should we, as a community, trust and assume that that meant no interactive access to the SCADA was present?
Twitter accounts and multiple media outlets saw the preview images and made the leap to access, control, and devastating potential to the SCADA system. What evidence is there to support or deny these claims? Using your knowledge of the analysis process, could anyone have 100% made those claims in such a short amount of time?
Demystification and understanding of the “how” leads us to self-validation of current and future events. Exercising these methods brings more wisdom to the community, with some important key takeaways to consider:
Ransomware Splash Damage Will Continue:
IT systems will continually be attacked, and OT systems will always be in question.
Dark Web Demystified:
Don’t let “experts” scare you away from knowledge.
Knowledge is Power:
Help your peers and community with personal insights.
Together we can better defend our operations from future attacks. While we will continue to have unfortunate breach and disclosure events such as the South Staffs Water hack, let’s not waste this opportunity to learn and grow together. Knowledge is power. You have the home-field advantage and are best equipped to defend your ICS environments!