Welcome back, my aspiring cyberwarriors!
As the war between Russia and Ukraine escalates, the risks to the world’s peace and prosperity intensifies. Russia has been using cyber war techniques against Ukraine for over a decade and if the sanctions against Russia intensify (their stock market fell nearly 50% on the first day of sanctions), it is likely that the Russian intelligence agencies will begin to use their well-honed skills against the West.
In 2020, the Russian hackers were able to implant shellcode into thousands of key computer systems throughout the US and the world using the Solar Winds update. Many of those implants are still active and can be used by the Russians when they need. An even more worrisome potential event is the potential for attack against the infrastructure of the western European countries and the US.
Russian hackers have developed various malware against these systems including Snake and Triton. The NSA and Homeland Security’s CISA have both noted that Russian hackers have been probing various SCADA/ICS systems in the US and the West. If the pressure on Russia becomes unbearable, they could pull the trigger on these systems. The effects could be devastating.
Given the probability of these events, the West can respond in kind. Having probed and tested SCADA/ICS systems for over 10 years, it is clear to me that Russia is prepared for such events. In recent years, the SCADA/ICS systems in Russia have become much more secure, while those in most of western Europe and the US are still largely vulnerable. This doesn’t mean that the Russian systems are invulnerable, but they are harder to compromise than the US systems, in general.
In the event of Russian attacks against western infrastructure, I give you a simple tutorial on finding vulnerable Russian SCADA/ICS systems.
More will follow.
Step #1: Open Shodan
The first step is to navigate to shodan.io and open an account. For more on the basics of Shodan, click here.
Step #2: Find Russian SCADA/ICS Sites
SCADA/ICS sites use entirely different protocols than your traditional TCP/IP. There are over 200 different protocols in use in these systems. Although the number of protocols is very large, the most common protocol is modbus. It was the first SCADA/ICS protocol, developed by Modicon (now a division of Schneider Electric) and is the most widely distributed. It uses port 502.
To find modbus-based systems in Russia, we can search using Shodan syntax for port 502 and country code RU
port:502 country:ru
Shodan finds over 1100 facilities using port 502 in Russia. Not all of these will be SCADA/ICS site, but most will be.
In addition to the port syntax, we can search using the name of the manufacturer. For instance, we can search for two of the largest manufacturers of these systems, Schneider Electric and Siemens, using the following syntax.
“schneider”country:ru
“siemens” country:ru
We can even get more specific and look for specific PLC’s of an manufacturer such as the Schneider Electric TM221
“Schneider Electric TM221″country:ru
The SCADA/ICS protocol DNP3 is commonly used among the electrical transmission industry. It usually uses port 20000. We can search for facilities in Russia using that port by entering;
port:20000 country:ru
To search for other SCADA/ICS protocols, you can use this table to search for commonly used ports by SCADA/ICS systems.
Summary
The war in the Ukraine has brought to the forefront the risks of cyberwar. Among the greatest risks in this arena are the multitude of infrastructure systems commonly referred to as SCADA/ICS. While attacks against information systems risks the loss or ransoming of confidential data, the risk of attacks against SCADA/ICS systems amount to lives. The loss of electrical, water, sewage and other life supporting systems can be devastating to the civilian population. If the western nations united against Russia apply too much pressure, I believe that Russian hackers will begin their attacks against these systems. Although Russia has done a much better job of securing these systems than the West, they too are vulnerable to attack.
For more on SCADA Hacking and Security, click here.