Schneier on Security

Some Guy • April 16, 2019 10:05 PM

Attribution is difficult. It matters in overall situational awareness but not as much in identifying and addressing operational and technical vulnerabilities.

History
Stuxnet used by US/Israel against Iran nuclear sector

Shamoon used by likely Iran for espionage and to destroy Saudi Aramco network.
Havex likely developed by Russia and used against energy sector and defense.for espionage and potentially battlefield prep

BlackEnergy likely used by Russia in Ukraine Distribution attack – only used as one tool as the real attack was theft of VPN user IDs used to take control using legitimate means

CrashOverride likely used by Russia in Ukraine transmission attack

Triton/Trisys used by unknown against Mideast oil (Saudi Aramco??) likely as battlefield prep.

Attack vector
In every case but Stuxnet , the vector has been

Compromise of corporate networks via phishing or similar often using a supply chain victim/partner

Exapansion of Control and lateral movement in corporate net

Theft of credentials including OT credentials

Eespionage or corporate destruction (Shamoon)
Or
Entry into control systems by legitimate means.

The attacks may have been made through supply chain business partners with a higher level of access either through cooperation or exploitation of business partners

To me, the lesson here is that there are too many vulnerabilities and one will always be available to attackers. It’s not the inbound traffic that matters as much as monitoring the outbound communication to detect the attack. Security by patching is necessary but not sufficient. Defensive measures that stop the commobly repeated patterns (the kill chain) is where defense needs to evolve. Monitoring of business partner communication is critical.