We often talk about the threat of a company hacking a competitor, either to gain some insider knowledge of the competitor’s operations, or to actively sabotage them. It’s easy to throw out hypothetical situations like this, and even easier to dismiss them as classic “Fear, Uncertainty, and Doubt” (FUD); which is too often the go-to tactic when talking about cutting edge technology that most people aren’t too sure how to get a handle on.
So when you see an article about it in the international news, it’s something of a special occasion. While unquestionably a disheartening event for the targeted company, it’s an invaluable case-study for those of us who aim to prevent this sort of thing in the future, and a stark reminder that this sort of attack isn’t just the kind of thing you see in the movies.
In their 2014 report, Germany's Federal Office for Information Security describes a sophisticated attack carried out against an un-named German steel company.
The first phase of the attack consisted of social engineering and targeted email phishing (often referred to as spear phishing) to gain access to the company’s office network. From there, the attackers were able to access the network which controlled the actual production of steel, which is where things get interesting.
It appears that the goal of the attackers was to slow down or halt the production of steel by interfering with the system’s ability to control the machinery. But things may have gone a little farther than the attackers intended, because when the system lost control the operators were unable to properly shut down a blast furnace. With the furnace in an undefined state, physical damage was done, though to what extent and if it was permanent was not disclosed in the report.
While the report goes on to say that any determination at this point would be little more than an educated guess, “competitive sabotage” is mentioned as a possible intent, given the extremely specific nature of the attack.
There isn’t much in the way of details about the attack, it’s unknown what kind of software was used and how it was deployed, but one thing is very clear: the attackers clearly knew what they were doing.
Being able to take control (or even take control away from the operators) of industrial hardware such as this is a bit out of the reach for the bedroom hacker; it requires knowledge of the specific hardware being targeted and the operating systems and software used to control it.
If this sounds familiar, it’s because this attack has similarities to the infamous Stuxnet, which targeted Iranian nuclear enrichment centrifuges. In both cases, the combination of software and hardware targeted was so specific that the attack had little widespread use; it was only damaging at the location it was intended to attack.
As increasingly advanced technology that becomes available to attackers, sophisticated and targeted attacks like this may move from being interesting footnotes to common occurrences.