U.S. critical infrastructure subject to stealth living-off-the-land techniques

If you are not familiar with a "Living-off-the-Land" (LOTL) attack, it is a technique in which attackers use legitimate tools and credentials already present in the victim's environment to carry out their activity. The approach is often described as fileless because the attacker does not need to install new code or scripts on the target; the existing tools do the work. In a building, that means all an attacker needs is access to the building control system (BCS), and search engines such as Censys and Shodan show there are numerous exposed systems to choose from.

An example network with a public IP could be found using

Unseen, An Easy Place to Hide

The stealthy nature of LOTL attacks makes them particularly hard to detect, because nothing is "injected": there is no virus or malware file to find. And because building systems are usually left out of network monitoring strategies, the attacker and their actions can remain undetected right up until the moment of attack.

Forensics after a LOTL attack will be almost non-existent. Not only have the systems not been monitored, but the "fingerprints" of the attack will not be found, because only hijacked native tools and stolen credentials were used.

Everything Needed to Wreck a System

The example network drawing above shows what is typically found in buildings. The Application Host (AH) is exposed directly to the internet; in some cases the individual IP devices connected to the AH are also directly exposed. But regardless of whether the IP devices beneath the AH are exposed, once the AH is breached the attacker has access through the application that resides on it. That application is a legitimate tool, and the attacker can use it against the system: it allows the user, or attacker, to force overrides that make equipment run outside its recommended operating parameters, which can cause equipment damage or, worse, physical harm to people. It also allows programmatic changes that cause disruption and operational outages.

However, if the attacker can't get through the AH, there are other ways in. In a video I made a couple of years ago, BBMD Hacked in 22 Seconds - Full Control, I showed how anyone using a free tool called YABE (Yet Another BACnet Explorer) could take complete control of numerous BACnet devices in under 30 seconds. No username or password is required, because BACnet/IP itself carries no authentication. With this tool the attacker doesn't need to "get inside" the network; all they need is the exposed IP address of a BACnet device. If an exposed BBMD (BACnet Broadcast Management Device) is present, the attacker can reach hundreds of devices behind it.
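To make concrete what "no username/password is required" means on the wire, here is an added example (not code from the article and not from YABE) that hand-encodes the BACnet/IP frames involved: the Who-Is broadcast that makes every device announce itself, the I-Am reply decoder, the Register-Foreign-Device request that asks a BBMD to relay its subnet's traffic to an outside address, and a WriteProperty at a chosen priority, which is the "override" the article describes. Frame layouts follow the ASHRAE 135 BVLC/NPDU/APDU encoding; the constants, the `SAMPLE_I_AM` bytes and the `discover()` helper are this example's own and the sample reply is constructed, not captured. There is no credential field in any of these frames.

```python
"""Hand-rolled BACnet/IP frames: Who-Is discovery, I-Am decoding, BBMD foreign-device
registration and a WriteProperty override. Added example for this article; not code from
the article or from YABE. Layouts follow ASHRAE 135; SAMPLE_I_AM is constructed."""
import socket
import struct

BVLC_TYPE = 0x81
BVLC_FORWARDED_NPDU = 0x04
BVLC_REGISTER_FOREIGN_DEVICE = 0x05
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
BACNET_PORT = 47808                                   # 0xBAC0
OBJ_DEVICE, OBJ_ANALOG_VALUE = 8, 2                   # BACnetObjectType
PROP_PRESENT_VALUE = 85                               # BACnetPropertyIdentifier
SVC_I_AM, SVC_WHO_IS, SVC_WRITE_PROPERTY = 0x00, 0x08, 0x0F


def bvlc(function, payload):
    """BVLC header: type, function, 16-bit length that includes the 4-byte header."""
    return struct.pack(">BBH", BVLC_TYPE, function, 4 + len(payload)) + payload


def object_id(obj_type, instance):
    """BACnetObjectIdentifier: 10-bit type, 22-bit instance, big-endian."""
    return struct.pack(">I", (obj_type << 22) | (instance & 0x3FFFFF))


def build_who_is():
    """Unlimited Who-Is, globally broadcast (DNET 0xFFFF); every device answers with I-Am."""
    npdu = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])  # version, dest present, DNET, DLEN, hops
    apdu = bytes([0x10, SVC_WHO_IS])                    # Unconfirmed-Request, Who-Is
    return bvlc(BVLC_ORIGINAL_BROADCAST, npdu + apdu)


def build_register_foreign_device(ttl_seconds):
    """Ask a BBMD to relay broadcasts to us: one exposed BBMD exposes its whole subnet."""
    return struct.pack(">BBHH", BVLC_TYPE, BVLC_REGISTER_FOREIGN_DEVICE, 6, ttl_seconds)


def build_write_property(obj_type, instance, prop, value, priority, invoke_id=1):
    """Confirmed-Request WriteProperty of a REAL at priority 1-16.
    Priority 8 is 'manual operator'; lower numbers override everything the controller does."""
    apdu = bytes([0x00, 0x05, invoke_id, SVC_WRITE_PROPERTY])  # type 0, max-APDU 1476, invoke, service
    apdu += bytes([0x0C]) + object_id(obj_type, instance)      # context tag 0, length 4
    apdu += (bytes([0x19, prop]) if prop < 256
             else bytes([0x1A]) + struct.pack(">H", prop))     # context tag 1, 1 or 2 bytes
    apdu += bytes([0x3E, 0x44]) + struct.pack(">f", value) + bytes([0x3F])  # tag 3 open, REAL, close
    apdu += bytes([0x49, priority])                            # context tag 4
    return bvlc(BVLC_ORIGINAL_UNICAST, bytes([0x01, 0x04]) + apdu)  # NPDU: reply expected


def _app_uint(buf, pos):
    """Decode an application-tagged Unsigned (tag 2) or Enumerated (tag 9)."""
    tag, length = buf[pos] >> 4, buf[pos] & 0x07
    if tag not in (2, 9) or not 1 <= length <= 4:
        raise ValueError("unexpected application tag")
    return int.from_bytes(buf[pos + 1:pos + 1 + length], "big"), pos + 1 + length


def parse_i_am(frame):
    """Decode an I-Am reply; returns a dict, or None if the frame is something else."""
    if len(frame) < 6 or frame[0] != BVLC_TYPE or struct.unpack(">H", frame[2:4])[0] != len(frame):
        return None
    pos = 10 if frame[1] == BVLC_FORWARDED_NPDU else 4  # Forwarded-NPDU prefixes the origin B/IP address
    control, pos = frame[pos + 1], pos + 2
    if control & 0x20:                                   # DNET(2) DLEN(1) DADR(DLEN)
        pos += 3 + frame[pos + 2]
    if control & 0x08:                                   # SNET(2) SLEN(1) SADR(SLEN)
        pos += 3 + frame[pos + 2]
    if control & 0x20:
        pos += 1                                         # hop count
    apdu = frame[pos:]
    if len(apdu) < 7 or apdu[0] != 0x10 or apdu[1] != SVC_I_AM or apdu[2] != 0xC4:
        return None
    raw = struct.unpack(">I", apdu[3:7])[0]
    if raw >> 22 != OBJ_DEVICE:
        return None
    max_apdu, p = _app_uint(apdu, 7)
    segmentation, p = _app_uint(apdu, p)
    vendor_id, _ = _app_uint(apdu, p)
    return {"device_instance": raw & 0x3FFFFF, "max_apdu": max_apdu,
            "segmentation": segmentation, "vendor_id": vendor_id}


# Constructed I-Am: device 1234, max APDU 1476, no segmentation, vendor id 15.
SAMPLE_I_AM = bytes.fromhex("810a001401001000c4020004d22205c49103210f")


def discover(target_ip, timeout=2.0):
    """Send one Who-Is and collect I-Am replies. Only use against equipment you are
    authorised to test; not called at import time."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_who_is(), (target_ip, BACNET_PORT))
        while True:
            data, addr = sock.recvfrom(1500)
            dev = parse_i_am(data)
            if dev:
                found.append(dict(dev, source=addr[0]))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    print(parse_i_am(SAMPLE_I_AM))
    print(build_write_property(OBJ_ANALOG_VALUE, 1, PROP_PRESENT_VALUE, 72.5, 8).hex())
```

The point to take from the bytes: a 12-byte Who-Is and a 26-byte WriteProperty are the entire exchange. A monitoring rule that flags Register-Foreign-Device (BVLC function 0x05) or WriteProperty (service 0x0F) with a priority at or above the operator level arriving from outside the BCS subnet is cheap to write against exactly these offsets, and is the kind of visibility the next section says is usually missing.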

Who? Me?

After the attack is over, what do you do? There is little or no forensic data. Why? Because...

  • Monitoring of the BCS network is non-existent, so no traffic activity is recorded.
  • If the AH was used to access the system, the attacker most likely logged in with a shared username such as admin or engineer, making it nearly impossible to figure out who it was. And once inside the AH, they can easily wipe out any traces they leave behind.
  • If they don't have the password, a password cracker is used: a tool that guesses a password by trying common passwords and character combinations one after another. Control systems typically default to unlimited password attempts, so the attacker can send as many guesses as they like and the BCS will never lock them out.
  • If they go directly to the devices using protocols like BACnet, Modbus, SNMP, etc., no trail is available beyond, at most, what was changed and when. Because they have unrestricted access, they will probably wipe that out too.
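The shared-account and unlimited-attempts problems in the list above are easiest to see side by side. The following is an added example, not code from the article or from any BCS vendor: an `UnlimitedLogin` handler that behaves as the article describes (one shared account, no attempt limit, no record of who tried what) beside a `LockoutLogin` handler with a per-account failure counter, a lockout window and an append-only audit entry for every attempt. The accounts, passwords, source addresses and wordlist are constructed demo data, and the PBKDF2 round count is kept low so the demo runs quickly.

```python
"""Login without limits (as the article describes) beside login with lockout and an audit
trail. Added example for this article; not vendor or article code. All data is constructed."""
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ROUNDS = 20_000  # deliberately low for the demo; production values are much higher


def make_store(plain_accounts):
    """Salted PBKDF2 credential store from {username: password} (demo data only)."""
    store = {}
    for user, password in plain_accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))
    return store


def _check(store, user, password):
    if user not in store:
        return False
    salt, digest = store[user]
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS), digest)


class UnlimitedLogin:
    """What the article describes: shared account, no attempt limit, nothing recorded."""
    def __init__(self, store):
        self.store = store

    def login(self, user, password, source_ip):
        return _check(self.store, user, password)


class LockoutLogin:
    """Per-account failure counter, lockout window, and an audit record of every attempt.
    `clock` is injected (monotonic seconds) so the demo is deterministic."""
    def __init__(self, store, clock, max_failures=5, lockout_seconds=900):
        self.store, self.clock = store, clock
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.audit = []  # who, from where, outcome, when: the trail the article says is missing

    def _record(self, user, source_ip, outcome):
        self.audit.append({"t": self.clock(), "user": user, "src": source_ip, "outcome": outcome})

    def login(self, user, password, source_ip):
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            self._record(user, source_ip, "rejected-locked")
            return False                         # even the right password fails while locked
        if _check(self.store, user, password):
            self.failures[user] = 0
            self._record(user, source_ip, "success")
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0
            self._record(user, source_ip, "locked")
        else:
            self._record(user, source_ip, "failure")
        return False


def dictionary_attack(login, user, wordlist, source_ip="203.0.113.7"):
    """Try each candidate in order; returns (password found or None, attempts made)."""
    for n, candidate in enumerate(wordlist, 1):
        if login.login(user, candidate, source_ip):
            return candidate, n
    return None, len(wordlist)


# Constructed demo data: the weak shared account the article warns about, plus a personal one.
DEMO_ACCOUNTS = {"admin": "admin123", "m.chen": "Vx9!qLp2#wR"}
DEMO_WORDLIST = ["admin", "password", "1234", "admin1234", "engineer", "bacnet", "admin123", "welcome"]


class FakeClock:
    def __init__(self, t=0.0): self.t = t
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds


def demo():
    """Run the same wordlist against both handlers; returns a summary dict."""
    store = make_store(DEMO_ACCOUNTS)
    clock = FakeClock()
    weak, hardened = UnlimitedLogin(store), LockoutLogin(store, clock, max_failures=5, lockout_seconds=900)
    cracked, tries = dictionary_attack(weak, "admin", DEMO_WORDLIST)
    blocked, tries2 = dictionary_attack(hardened, "admin", DEMO_WORDLIST)
    legit_during_lock = hardened.login("admin", "admin123", "10.0.0.5")
    clock.advance(901)
    legit_after_lock = hardened.login("admin", "admin123", "10.0.0.5")
    return {"unlimited_cracked": cracked, "unlimited_attempts": tries,
            "lockout_cracked": blocked, "lockout_attempts": tries2,
            "legit_rejected_while_locked": not legit_during_lock,
            "legit_ok_after_window": legit_after_lock,
            "audit_outcomes": [e["outcome"] for e in hardened.audit]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the run shows that the list above only states. First, the correct password is in the wordlist, and against the hardened handler the attacker still does not get it, because the guess lands inside the lockout window and the handler returns the same failure for a right password as for a wrong one. Second, the audit list records the source address and outcome of every attempt, including the ones rejected during lockout, which is exactly the trail an attacker using a shared "admin" account on an unmonitored AH never leaves. The caveat: locking a shared account also locks out the legitimate operator, which is one more reason for per-person accounts rather than a better shared one.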

Can't Live off the Land if There Aren't Supplies

Volt Typhoon has been very effective and is known for its "living-off-the-land" (LOTL) tactics. The group has compromised thousands of devices around the world, and some analysts believe it has been targeting infrastructure since mid-2013. Its operators are skilled at finding and capitalizing on weak systems: they attacked weak internet-facing servers, including a Houston port, and followed with attacks on telecom companies, government institutions, and utilities. Building control systems offer bountiful resources to make LOTL tactics extremely successful.

It's time for organizations to remove those resources: analyze building control systems for vulnerabilities and weaknesses, and "starve out" threat actors so they can't live off your land!


David Stephens

Vice President - Public Sector & Strategic Accounts at BYOS, Inc.

3 months ago

Great article Fred! Would sure enjoy showing you how BYOS removes this threat. If you would like to learn more about how we would specifically address this threat, let me know and we will schedule a meeting.

Joe Weiss PE CISM CRISC ISA Fellow

Managing Partner at Applied Control Solutions, LLC Emeritus Managing Director ISA99 ICS Cyber Security Pioneer, Keynote Speaker Process Automation Hall of Fame

3 months ago

Remote access to control systems is necessary for equipment reliability and availability. Securing remote access is a very tough problem because it is a double-edged sword, providing needed reliability improvement but also a potential vehicle for Living-off-the-Land attacks. Cyber security technologies exist to secure remote access from external intruders. However, cyber security programs are not adequately addressing the "trusted" insider. In many cases, this is the Chinese equipment vendors supplying the modems. Compromised remote access has been found in different industries from different vendors, with the common thread being that the equipment was Chinese. Compromised remote access can lead to takeover of critical equipment and consequently must be explicitly addressed. https://www.controlglobal.com/blogs/unfettered/blog/33038948/exploiting-remote-access-the-ultimate-living-off-the-land-attack
