How threat actors abuse ICS-specific file types

By Nadav Erez, Director of Innovation at Claroty

The information technology (IT) security community is well educated on the risks of cyber threats, with precautions such as anti-virus systems, dedicated security teams and intrusion detection systems (IDS) set up to fight against malicious attacks. However, while anti-malware systems have been developed to fight adversaries, these systems have historically not been present in industrial control systems (ICS).

Project files are integral to ICS, providing all the necessary data and instructions each machine on the operational technology (OT) network needs to operate. While engineers use them to ensure the smooth running of operations, security teams can use them to gather an accurate picture of what machines are running on the system along with other critical data, such as where they are and what they are supposed to be doing.

However, extracting information from ICS project files is not always straightforward. While some vendors offer simple import-export functionality supporting standardised file types such as CSV, others use binary, proprietary formats that can only be interpreted using vendor-specific software. 

A lack of full visibility into what is running on the network and how it normally functions presents a significant security risk, because threat actors could infiltrate the network and the security team would be none the wiser. Further, due to their inherent vulnerabilities, ICS project files present an opportunity for threat actors to change how machines operate to cause significant damage, which can be achieved by luring engineers into phishing scams.

What is an ICS project file?

An ICS project file is made up of several different files containing a whole range of data that is necessary to carry out the saved project. 

What information should we expect to see in these project files? At the top level it would be the network layout, which holds information about what assets are on the network. This might be a PROFIBUS, a standardised, open, digital communications system used in manufacturing automation, along with any stations connected to it. 

Additionally, the project file needs to contain details about each individual asset on the network. This will include the devices’ IP addresses and serial numbers, as well as data about the slots that each device has and what they are being used for, including module details and order numbers. 

The logic necessary for these devices is also saved on the project file, which includes function block or ladder diagrams. Function block logic and ladder logic are programming languages used for developing logic expressions in order to automate tasks. Such tasks include counting, timing, arithmetic, sequencers, PID control, and data manipulation functions, to name a few. 

What do ICS project files look like?

ICS project files come in all shapes and sizes. The most basic are simple text or spreadsheet files, such as Excel documents, containing information about the asset, including its IP address, model number and the application version it is running.

However, many ICS software vendors use project files in a proprietary binary format. Retrieving the information out of these files requires either specialist software or even reverse engineering.

Project files can also be directories, which in turn contain subdirectories holding various types of files. In this case it is not just about being able to read the file, but also understanding where it is in the first place – a task easier said than done when such directories can contain thousands of files. This is further complicated by the reality that while most of these directories will be stored as .zip files, some are still stored in .cab format, which has long been superseded by .zip, meaning that the right script needs to be found to open up the file.

Why are project files useful?

Project files give a clear picture of each asset’s role and record the information that defines that role; they are also used to track the data needed to operate machines smoothly. This gives the security team an overview of what happens within the system in the event of a malfunction, so that the root cause can be addressed directly. It also gives the team a baseline of usual activity on the network against which new activity, such as a device being connected unexpectedly, can be identified.

Security teams wishing to understand the layout of their OT network can do so by capturing the traffic running across it and building a topology based on that information. However, this takes considerable time and effort. Alternatively, if security teams are able to extract and read the information from the project files accessible on engineers’ servers, these together will more quickly provide a complete picture of what the network looks like and what is running on it.

Using the map built from project files as a baseline, a security team can then compare it to what is actually happening on the network to identify any suspicious activity, such as new devices being connected.

Project files are also useful to threat actors

The formats of project files pose vulnerabilities that threat actors can exploit as part of their attack. Files saved in .zip format, for example, can be modified to reroute paths, meaning that when these files are unzipped, malicious files can be written to different locations.

If threat actors manage to access project files, they gain a full understanding of the role and function of each machine connected to the network. They can use this information to target crucial machines and disrupt operations, or to take control of a system and overwrite its programs.

There are also significant vulnerabilities within project files themselves that threat actors can exploit as part of their attack. For example, we have already seen that project files often come zipped, particularly when they need to be transferred from one system to another. The ‘zip slip’ vulnerability enables attackers to modify paths within a .zip file so that when it is unzipped, the files contained within it are written to a location other than the intended extraction directory. This means that the attacker can write files anywhere on the machine to which the archive is extracted. Such a capability means that the attacker could take over a computer, for instance by overwriting a program in the start-up directory.
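As an added illustration (not code from the original article or from Claroty), the audit below shows how a defender can vet a zipped project file before extraction: it flags any entry whose normalised path escapes the destination directory (the zip slip pattern described above) and any entry carrying an executable payload such as a DLL, which the later attack scenario relies on. The archive contents, the destination path and the extension list are constructed for the example.

```python
import io
import os
import zipfile

# Payload types that have no place in an engineering project archive.
# Constructed list for this example; tune to the vendor formats in use.
EXECUTABLE_EXTENSIONS = {".dll", ".exe", ".ps1", ".bat", ".vbs", ".js"}


def audit_project_archive(data: bytes, dest_dir: str = "/opt/ot/projects/extract") -> dict:
    """Audit a zipped project file before it is extracted.

    Returns two lists: entry names whose resolved path escapes dest_dir
    ('traversal') and entry names with executable extensions ('executables').
    A clean archive yields two empty lists.
    """
    findings = {"traversal": [], "executables": []}
    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Resolve the entry against the destination root; '..' segments
            # and absolute names both land outside it.
            target = os.path.realpath(os.path.join(root, name))
            if os.path.isabs(name) or os.path.commonpath([root, target]) != root:
                findings["traversal"].append(name)
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
                findings["executables"].append(name)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one legitimate entry plus two hostile ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("station01/hardware.cfg", "slot1=CPU;slot2=DI16")
        # Zip slip: '..' segments aim at a workstation start-up folder.
        zf.writestr("../../Users/eng/Start Menu/Programs/Startup/update.exe", b"MZ")
        # A library the project would load when opened.
        zf.writestr("station01/lib/helper.dll", b"MZ")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_project_archive(build_sample_archive()))
```

Run the audit on every incoming archive and quarantine any with non-empty findings rather than relying on the extraction tool to sanitise paths.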

The binary formats used in many types of project file are vulnerable because the code that parses them is usually many years old. It was often written before secure coding practices were widespread, and it is unlikely to have been maintained since. Vulnerabilities in these binary formats continue to be published on a regular basis and create a real issue for asset owners.

How an attack might play out 

One way a threat actor could attack an OT network is through uploading a Dynamic Link Library (DLL) file, which contains instructions that other programs use to carry out specific tasks. 

To carry out such an attack, a threat actor would first need to create or clone a project file that has a vulnerability, such as an instruction to import a file from a specified location when the project starts. They can then change the code to ensure the imported file contains a malicious DLL to carry out an assigned task, which could be used to shut down the system. 

To get an engineer to open the file, the threat actor could send a phishing email with it attached. To make this look convincing, the file is likely to be in an engineer-friendly format, one that the victim would be familiar with and that opens through an ICS software. This makes it more likely to pass casual scrutiny than, say, a .doc file, and makes the engineer more curious about the contents. This has the added benefit that the engineer will open the file up on a computer that has engineering software on it, which will most likely be connected to the OT network. If it were a simple .doc file, the engineer might just use their home PC, meaning the threat actor would not be able to continue their attack. 

Motives for an attack

While one motivation for these attacks might be to shut everything down and demand a ransom for its release, the most likely reason is to cause sabotage. Attacks against OT networks tend to focus on critical national infrastructure (CNI) and industries necessary to the economies of nation states and look to cause as much disruption as possible. For example, an energy company in Taiwan was subjected to a ransomware attack last year, causing a system outage. 

Protecting against attacks

To prevent malicious project files from being downloaded onto the network, organisations need to look at deploying strong endpoint protection and email security to prevent phishing emails getting through to the engineers, as well as restricting what they are able to download onto the OT network. This will prevent a vast majority of these files getting onto the system in the first place. Also worth considering is cyber security training for engineers so that they are able to spot a suspicious file and know how to handle it.

Yet despite these measures, there is always a possibility that a malicious file will make it onto the network. As such, security teams require visibility of all project files on the OT network, regardless of their format, and need to know how these should normally look. Further, they need to be able to monitor network traffic to identify anomalous behaviour that could indicate a project file has been compromised. This monitoring should also cover any intersections between the IT and OT networks, so that files being moved from one to the other, which could be a potential security risk, are flagged.

As the average OT network will run on many thousands of project files, this is not a task that can be achieved manually. Therefore, automated solutions that can carry out this monitoring and alert the security team to anything that requires attention are essential. 

Project files are a vital component of any OT network, but they are also one of the most vulnerable. By knowing how they work and what the inherent risks are, security teams can take appropriate steps to ensure those project files that are so useful to engineers are not as beneficial to threat actors. 

