Incidents.csv
Incident,Time of Impact,Dwell Time,Targeted,Country,Target,Sector,Threat Actors,Threat Actor Country,System Type,Techniques,ICC Stage 1,ICC Stage 2,Scalability,Goal,Success,Impact,Time of Discovery,Reaction,Notes
Maroochy Water,03/2000,3 months,Yes,Australia,Maroochy Shire Council in Queensland,(waste)water,Individual (Vitek Boden),?,SCADA,Used a RF transmitter to control sewage pumping stations,Recon,Used a RF transmitter to control sewage pumping stations,No,Revenge for failing to get a job at the company,Yes,Millions of gallons of untreated sewage were released into waterways and local parks,late (at the consequence phase),Hired team of private investigators who located the attacker,
Stuxnet,2010,?,Yes,Iran,Nuclear facilities,Nuclear Power,US Gov / Israel Gov / British Gov,US/UK/Israel,SCADA,Malware that exploits 4 zero days / attacked S7 protocol / targeted SCADA & PLCs,?,attacked S7 protocol / targeted SCADA & PLCs,No,Sabotage the nuclear program by destroying centrifuges that spin nuclear material at enrichment facilities,Yes,Delayed Iran's nuclear R&D for years by shutting down about 1000 centrifuges at the main enrichment facility (1/5 of Iran's centrifuges); modification and/or creation of cyber strategies in the world; increase in awareness of cybersecurity issues,?,?,Often considered to be the first cyber weapon
Conficker,11/2008-?,?,No,Multiple (+200),Untargeted,Multiple (15M hosts),Ukraine Criminals,Ukraine,Multiple (also non-OT),?,Exploited Windows vulnerability/use of binary encryption / digital signatures and advanced hash algorithms for its updates/hiding its tracks and preventing its removal from host machines by its use of code obfuscation,-,Yes,Build a botnet for a yet unknown attack,Yes,Disables Windows systems security services as well as third-party firewalls and anti-virus products -> leaving systems in a vulnerable state,?,?,
NightDragon,11/2010-?,?,Yes,Global,Multiple (targeted),Energy / Oil / Petrochemical,Probably China,China,Multiple (also non-OT),Social engineering / Spearphishing / Exploitation of Windows and AAD vulnerabilities / RATs,Social engineering / Spearphishing / Exploitation of Windows and AAD vulnerabilities / RATs,-,No,Information gathering,Yes,harvesting sensitive competitive proprietary operations and project-financing information about oil and gas field bids and operations,?,?,A set of TTPs
Duqu,2011,?,Yes,France/Netherlands/Switzerland/Ukraine/India/Iran (2)/Sudan/Vietnam/Austria/Hungary/Indonesia/UK + ?,Multiple (targeted),Multiple?,US Gov / Israel Gov / British Gov,?,ICS,Worm using a stolen digital certificate and other techniques similar to Stuxnet,disguise data transmissions as normal HTTP traffic,-,Yes,Information Gathering and Stealing,Partly,Information breach,?,?,Duqu bears a striking similarity to Stuxnet in terms of design philosophy / internal structure and mechanisms / implementation details and the estimated amount of effort needed to create it
Gas Pipeline Cyber-Intrusion Campaign,12/2011-?,?,Yes,?,Multiple natural gas pipelines,Energy,China (?),China (?),?,Spearphishing,Spearphishing,-,No,Information Stealing,Yes,Information Stealing,,,
Shamoon,08/2012;11/2016-?,?,Yes,Saudi Arabia / Qatar,Saudi Aramco (largest energy company worldwide) / RasGas (Qatari natural gas company),Energy,APT34/APT35/APT33,Iran,Non-OT (possibly also OT),Wiperware with information stealing component,overwriting the Master Boot Record (MBR) / the partition tables and most of the files with random data,-,No?,Steal data and cause disruption (no financial motivation),Yes,overwrote data on over 30.000 computers with an image of a burning American flag,late (at the consequence phase),Purchase much of the world's hard drives,
Flame/sKyWIper,2012,?,No,Middle East,?(Untargeted),?,?,?,?,Espionage Virus using the same framework as Duqu and using microphones / web cameras / key stroke logging / extraction of geolocation data from images,Steal information by using Microphones installed on systems / Web cameras / Key stroke logging / Extraction of geolocation data from images,-,Yes?,Steal information,Yes,Information breached,?,?,
Gauss,2012,?,Yes,Lebanon/Palestinian Territories/Israel,Multiple (targeted),?,?,?,?,Information Stealer Malware using the same framework as Duqu / ability to steal funds and monitor data from clients of several Lebanese banks,Stole Passwords / cookies and browser history / Computer network connections / Processes and folders / BIOS and CMOS RAM details / Local / network and removable drive information,-,Yes?,Steal information,Yes,Information breached,?,?,
Red October,2013,Multiple Years? (started in 2007),Yes,Eastern Europe/USSR/Central Asia,Various international diplomatic service agencies,Gov / Research,Inception Framework,Russia,?,Espionage Malware,Data gathering / Recon,-,Yes,Gather intelligence from the compromised organizations,Yes,Breach of confidential information,?,?,Information harvested from infected networks was reused in later attacks
Target Store's HVAC,11/2013,?,Yes,US,Target Store's heating / ventilation and air conditioning (HVAC),Retail,?,?,ICS (HVAC),Part of a widespread operation that used a trojan tool known as Trojan.POSRAM,stole the login credential of a third-party HVAC contractor via Phishing,Uploaded malicious credit card stealing software,No,Steal credit card data from Target Stores,Yes,"About $309M (attack, security upgrades, and lawsuits)",late (at the consequence phase),Security upgrades,ICS -> IT network
New York Dam,2013,?,Yes,US,Bowman Dam (Small dam near Rye Brook (New York)),Water?,Iran (possibly Gov),Iran,SCADA,?,Access through a cellular modem,Yes,No,Test for access,Yes,None,?,?,
Havex/Backdoor.Oldrea,2013,?,Yes,US/Europe,Multiple (targeted),energy/aviation/pharmaceutical/defense/petrochemical,Energetic Bear,Russia,ICS,RAT Information Stealer,RAT,-,No,Information gathering,Yes,Recon,?,?,
German Steel Mill,10/2014,?,Yes,Germany,Unspecified German Steel Mill,Manufacturing (?),?,?,ICS,Spearphishing / social engineering,Spearphishing / social engineering,cause multiple components of the system to fail,No,Probably to cause physical damage,Yes,Massive damage to the plant,?,?,
BlackEnergy(3),2011 - 12/2015,6 months,Yes,Ukraine,Power Grid (Distribution Level),Energy,RIS aka GRIZZLY STEPPE aka Dragonfly aka Energetic Bear,Russia,ICS (SCADA?),BlackEnergy malware used for recon / No ICS/SCADA protocol or PLC payloads but mostly on the IT side / Initial infiltration via macro documents -> user credential compromise for access and manual manipulation of SCADA controls (HMI/rdesktop) / Firmware attacks (Uninterruptible Power Supply (UPS) / serial-to-ethernet) / Stage 2: 6 months learning about the environment (looking for assets and found 700 Windows PCs) / The attackers effectively became remote operators / After 6 months (dwell time) the attackers started to disconnect power and uploaded malware to serial-to-ethernet devices,BlackEnergy malware used for recon / Initial infiltration via macro documents (<-> phishing) -> user credential compromise for access and manual manipulation of SCADA controls (HMI/rdesktop),disconnect power and uploaded malware to serial-to-ethernet devices,No,Espionage / persistent access / sabotage,Yes,Power outage (67 substations disconnected at distribution level) -> 230.000-250.000 people without power in freezing temperatures,medium (at the attack phase),?,
Industroyer/CRASHOVERRIDE,12/2016,>= several months,Yes,Ukraine,Power Grid,Energy,Energetic Bear,Russia,ICS (SCADA?),Required significant pre-positioning / Many ICS/SCADA protocol payloads / many behaviors on both IT & OT side / Credential capture via Mimikatz (could be detected with a signature-based approach) -> Compromised user accounts & attacker created accounts / Used LoL (?) commands to pivot into ICS/SCADA via Windows LM/SQL / Spoofed ICS/SCADA command messages / At transmission level / Blueprint / not a targeted attack / Infection vector (kill chain stage 1) is unknown,Credential capture via Mimikatz (could be detected with a signature-based approach) -> Compromised user accounts & attacker created accounts / Used LoL (?) commands to pivot into ICS/SCADA via Windows LM/SQL,Deletion of ICS specific configuration files / Malicious operation of circuit breakers / Potential DoS to protection equipment / Wiping of SCADA human-machine interfaces (HMIs) to add confusion and delay the recovery,Yes,Inflict damage to the power grid lasting for weeks or months,Partly,700.000 people (1/5 of Kiev) without power in freezing temp (?),?,?,
“Kemuri” water company,2016,?,Yes,US (?),Undisclosed water company,Water,“hacktivist” group with ties to Syria,Syria,ICS,?,After compromising the payment application the attackers were able to gain access to an internet-connected AS400 machine and compromise customer PII and payment information,manipulate the amount of chemicals that went into the water supply,No,Unknown,Unknown,alter the amount of chemicals entering the water supply and affect water treatment and production capabilities causing water supply recovery times to increase / exposure of personal information of customers,?,?,IT and OT functions resided on the same AS400 machine with hundreds of Programmable Logic Controllers (PLCs) accessible from the internet
Op Ghoul,06/2016,?,Yes,Middle East + others (> 30 countries),>130 Industrial Organizations,industrial/manufacturing/engineering,Op Ghoul,?,?,Spearphishing,Spearphishing,-,No,Financial gain via compromised banking accounts or through selling intellectual property,Yes,Data extraction,Financial loss via compromised banking accounts and info loss through selling intellectual property,?,
WannaCry,05/2017-(?),?,No,Multiple,Untargeted,Multiple,Lazarus Group,North Korea,Multiple (also non-OT),Self-replicating ransomware using EternalBlue (SMB zero day developed by the NSA and disclosed by another hacker group),EternalBlue,-,Yes,Ransom payment,Yes,Monetary damage,late (After infection),?,?
NotPetya,07/2017-?,?,Yes,Ukraine + other,Multiple,Multiple,TeleBots,Russia,Multiple (also non-OT),Self-replicating wiperware using EternalBlue & Mimikatz,EternalBlue & Mimikatz,-?,Yes,Create chaos,Yes,Monetary damage >9.000.000.000€,After infection,?,
BitPaymer,07/2017-?,4-6 weeks,Yes,Spain/Scotland + others,Multiple (targeted),finance/agriculture/technology/health/education/manufacturing,Indrik Spider,?,?,Ransomware / Banking Trojan / Non-Self-Propagating,Remote Desktop Protocol (RDP) brute force attacks,-?,Yes,Ransom payment,Partly,Encrypted files,late,?,
Dragonfly 2.0,10/2017,?,Yes,?,Multiple,Energy,RIS aka GRIZZLY STEPPE aka Dragonfly aka Energetic Bear,Russia,?,?,malicious emails / watering hole attacks and Trojanized software / “living off the land” tools such as administration tools like PowerShell / PsExec and Bitsadmin,-?,No,Unknown,Unknown,Compromised a number of ICS equipment vendors -> infecting their software with a RAT,?,?,
Triton/Trisis/Hatman,2017,>= several months,Yes,Saudi Arabia,Petrochemical plant,Chemical (/Energy?),TEMP.Veles/Xenotime,Russia,ICS (SCADA?),SIS Tampering: Contained Safety PLC (SPLC) / Safety Instrumented System (SIS) payloads / relied on operator placement & execution / Modified control logic (reprogrammed SPLC/SIS to allow unsafe conditions to persist) / Exploited a vulnerability (injected custom PowerPC payload exploiting a vulnerability in the device firmware to escalate privileges disabling RAM/ROM consistency checking etc.),?,SIS Tampering: Contained Safety PLC (SPLC) / Safety Instrumented System (SIS) payloads / relied on operator placement & execution / Modified control logic (reprogrammed SPLC/SIS to allow unsafe conditions to persist) / Exploited a vulnerability (injected custom PowerPC payload exploiting a vulnerability in the device firmware to escalate privileges disabling RAM/ROM consistency checking etc.),No,Kill people (?),No,Plant temporarily shut down,medium (at the attack phase),Shutdown of the plant,
StoneDrill,2017,?,Yes,Saudi Arabia/1 Org in Europe,?(Targeted),?,APT34/APT33,Iran,?,Espionage- and Wiperware,heavy use of evasion techniques,-,?,espionage and wiping,Partly,Data leaked and hard drives wiped,?,?,
Shamoon 3,2018,?,Yes,Southeast Europe & Middle East (Saudi Arabia/United Arab Emirates),Saipem + others,Oil/Gas/Energy/Communications/Gov,APT33,Iran,?,Wiperware,Wiperware,-,No,Disruption,Partly,Infrastructure and data availability issues,late?,?,
LockerGoga,01/2019-?,?,Yes,Norway/France/US + others,Aluminum producer Norsk Hydro's Production Line in 03/2019/French engineering consulting firm Altran/American chemical companies (+others),Critical Manufacturing + others,FIN6,?,ICS,Non-self-replicating ransomware,Attackers seem to already know targets' credentials at the start of an intrusion / LM via Metasploit and Cobalt Strike / Mimikatz / spread malware via Active Directory management,-,No?,Get ransom payment,No,300M NOK,late (at the consequence phase),Restored data from backup,
Maze/ChaCha,05/2019-?,?,No,Multiple,Multiple (untargeted),Multiple,Turla,Russia,Multiple (mainly non-OT),Ransomware,exploit kits / remote desktop connections with weak passwords or via email impersonation,-,Yes,Ransom payment,Partly,Retrieved ransom payment,late,paid ransom / restored from backup,