TrapX Deception Grid for manufacturer of steel products

Additional information

Source: Web-site of vendor

Description

The manufacturing case study focuses on one of the largest manufacturers of steel products, including tubing, pipe and sheet. Assets included a very large network of industrial control systems (ICS) and the supervisory control and data acquisition (SCADA) components that run their manufacturing processes end to end. Prior to our involvement, this manufacturer had routinely removed routine threats but was unaware of any sophisticated malware infection or advanced persistent threat. The customer had a large suite of industry cyber defense products, including a firewall, anti-virus suites, multiple intrusion detection products, endpoint security and other software.

Immediately upon installation, the TrapX DeceptionGrid generated alerts and identified malicious activity in two key locations. Both were on SCADA processors central to the manufacturing process. An attack in this area could severely disrupt ongoing manufacturing, causing both a shut-down and millions of dollars in potential loss. Our analysis determined that both malicious processes were communicating with their attackers through TOR. In one case the malicious process was attempting to establish a new command and control connection through TOR. In the other, command and control was already established and many types of malware were resident on the station.

Broad Scale Attack Deployed Through One Entry Point

TrapX found several types of malware deployed on this SCADA processor. TR-Dropper.Gen2.trojan allowed full access to and control of the infected endpoint, including the collection and exfiltration of confidential data. Additionally, we found Packed.Win32.Katusha.e password-stealing malware that was communicating back to attacker IP addresses through TOR. Over several additional weeks, DeceptionGrid detected lateral movement by the attackers and identified two additional command and control sites.

The customer coordinated with TrapX and the SCADA component vendors to determine the impact of the attack, to eliminate it, and then to reprovision the software in all of the affected components.

Details

Business tasks

Reduce Costs

Ensure Security and Business Continuity

Problems

Unauthorized access to corporate IT systems and data

Risk of leaks of confidential information

Malware infection via Internet, email, storage devices

Risk of attacks by hackers

Risk of data loss or damage