Dragonfly and Sandworm in OT Networks: Impact and Countermeasures
What impact can Dragonfly and Sandworm have on your OT network, and what are the most appropriate countermeasures? This post addresses both questions.
After studying in depth the characteristics and attack vectors used by the APTs Dragonfly and Sandworm, it is time to analyze the impact they can have on an OT network.
Among the main consequences, we can highlight the following:
- Execution of unauthorized code: Because equipment in OT environments often runs with “administrator” privilege levels, it is very easy for this type of malware to perform any kind of malicious action, since it inherits those maximum privileges.
- Disclosure of information: This can be the basis for more targeted attacks; in particular browser passwords, VPN configuration information and VPN credentials, which can be used to access field devices without authorization.
- Unauthorized remote access: Through the installation of trojanized software downloaded from ICS vendor websites, as has already been observed. This would allow direct access to OT environments.
- Writing to control systems: Through OpcEnum it is possible to enumerate OPC servers and clients, and if there are no countermeasures it is easy to access these servers and write to the OPC tag database.
- Denial of service through RATs: Infected machines may restart, and the performance of infected systems may degrade.
What Countermeasures Seem Most Suitable to Eliminate and/or Mitigate This Type of Threat?
- Associated with segmentation and fortification of networks:
  - Perform an in-depth analysis of the state of the networks.
  - Incorporate anti-phishing and drive-by download solutions.
  - Segment IT and OT physically, and within OT, segment and fortify logically through VLANs or, for critical systems, physically again by isolating them.
  - Incorporate network equipment that allows traffic segmentation (network whitelisting).
  - Perform protocol whitelisting.
  - Fortify field devices with DPI (deep packet inspection) firewalls.
- Associated with establishing policies and procedures:
  - Develop Industrial Cybersecurity Master Plans.
  - Download software in controlled environments (DMZ).
  - Test software in test environments before moving it to production.
- Associated with establishing secure network architectures:
  - Include application whitelisting.
  - Use secure industrial protocols (OPC UA, SecureDNP3, etc.) or use devices that perform sanity checks on industrial protocols.
  - Perform remote access based on the network segmentation performed, with two-factor authentication.
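As an added example that is not part of the original post, the following Python script shows what network whitelisting and protocol whitelisting look like when applied as a check over flow records; the zones, the allowlist and the sample flows are all constructed for this example. It flags an IT host reaching the RPC endpoint mapper on an OT server (the path classic OPC DA/DCOM enumeration relies on) and an unexpected protocol between IT and the DMZ.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple

# Constructed zone map for this example: which subnets are IT, OT DMZ and OT.
ZONES = {
    "IT": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
    "OT": ip_network("192.168.100.0/24"),
}
# Constructed allowlist keyed by (source zone, destination zone). A missing key
# means the path itself is not permitted (network whitelisting); a (proto, port)
# pair missing from the set is a protocol violation (protocol whitelisting).
ALLOWED = {
    ("IT", "DMZ"): {("tcp", 443)},                # only the DMZ web/historian relay
    ("DMZ", "OT"): {("tcp", 4840)},               # OPC UA from the DMZ gateway
    ("OT", "OT"): {("tcp", 502), ("tcp", 4840)},  # Modbus/TCP and OPC UA inside OT
}
class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def zone_of(addr: str) -> Optional[str]:
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

def check_flow(flow: Flow) -> Optional[str]:
    """Return the violation reason for a flow, or None if it is allowed."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return f"unknown zone for {flow.src} -> {flow.dst}"
    allowed = ALLOWED.get((src_zone, dst_zone))
    if allowed is None:
        return f"path {src_zone} -> {dst_zone} is not permitted"
    if (flow.proto, flow.dport) not in allowed:
        return f"{flow.proto}/{flow.dport} is not permitted {src_zone} -> {dst_zone}"
    return None

def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:  # violations only
    return [(f, r) for f in flows if (r := check_flow(f)) is not None]

# Constructed sample flows: an IT workstation hitting the RPC endpoint mapper
# (tcp/135, where OPC DA/DCOM enumeration starts) on an OT server, plus normal traffic.
SAMPLE_FLOWS = [
    Flow("10.10.5.7", "192.168.100.10", "tcp", 135),       # IT -> OT: blocked path
    Flow("10.20.0.5", "192.168.100.10", "tcp", 4840),      # DMZ -> OT OPC UA: ok
    Flow("192.168.100.20", "192.168.100.10", "tcp", 502),  # OT -> OT Modbus: ok
    Flow("10.10.5.7", "10.20.0.5", "tcp", 22),             # IT -> DMZ SSH: wrong protocol
]
```

Running `audit(SAMPLE_FLOWS)` returns the two violating flows with their reasons; in practice the same check would be fed from firewall or flow-export logs rather than the constructed list.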