ELECTRUM: A SANDWORM APT
Introduction
ELECTRUM has been associated with the SANDWORM Advanced Persistent Threat. It was responsible for the power outage in Kiev, Ukraine, in December 2016, which cut electricity to part of the city for about an hour. The attack was carried out with the ICS-specific malware CRASHOVERRIDE. The group has been active since 2009 and mostly targets Ukraine.
Characteristics
Since the power outage incident, ELECTRUM has taken on both a development and an operational role. It does not depend on exploits or zero-day vulnerabilities; instead it relies on common exploitation behaviors and methodology. It also uses Microsoft SQL database servers as gateways bridging the business and industrial control networks. Through these gateways it reaches industrial control systems, where it uses stolen credentials to execute code.
ELECTRUM is still active, and evidence shows that it no longer targets Ukraine exclusively. It is considered one of the most capable and sophisticated threat activity groups in the ICS industry.
Detection & Mitigation
Some of the prevention and mitigation techniques are as follows:
- Network and host hardening to reduce exposure to threats.
- Vulnerability management to reduce security weaknesses in exposed services.
- Strong encryption of data, so that it is of little use to the attacker even if it is stolen.
- Data Loss Prevention (DLP) and endpoint security to keep sensitive data from leaking via the network or end-user devices.
- Network and application-level firewalls to block unwanted inbound traffic.
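The SQL-server bridging described under Characteristics gives a concrete detection opportunity: a successful login to an IT/OT gateway SQL server from a business-network address that is not on the engineering allowlist is worth an alert, especially for a service account. The example below is an added illustration, not code from the original post or from any vendor; the host names, subnets and log lines are constructed, and the log format is only loosely modelled on SQL Server login audit messages.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample lines (hypothetical hosts and IPs), loosely modelled on
# SQL Server login audit messages.
SAMPLE_LOG = """\
2016-12-17 22:40:01 host=sql-ics-gw1 Login succeeded for user 'CORP\\svc_historian'. [CLIENT: 10.50.1.12]
2016-12-17 22:41:13 host=sql-ics-gw1 Login succeeded for user 'CORP\\j.doe'. [CLIENT: 10.20.4.17]
2016-12-17 22:41:20 host=sql-corp-01 Login succeeded for user 'CORP\\j.doe'. [CLIENT: 10.20.4.17]
2016-12-17 22:42:05 host=sql-ics-gw1 Login failed for user 'sa'. [CLIENT: 10.20.9.3]
2016-12-17 22:43:30 host=sql-ics-gw1 Login succeeded for user 'CORP\\svc_historian'. [CLIENT: 10.20.9.3]
"""

# Hypothetical zones: the SQL hosts sitting between business and ICS networks,
# the business LAN, and the engineering subnet allowed to reach the gateways.
GATEWAY_HOSTS = {"sql-ics-gw1"}
BUSINESS_NET = ipaddress.ip_network("10.20.0.0/16")
ENGINEERING_ALLOWLIST = [ipaddress.ip_network("10.50.1.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) Login (?P<result>succeeded|failed) for user "
    r"'(?P<user>[^']+)'\. \[CLIENT: (?P<ip>[\d.]+)\]$"
)

def flag_bridge_logins(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, host, user, client_ip) for successful logins to a
    gateway SQL server from a business-network address that is not on the
    engineering allowlist. Failed logins are deliberately ignored here; they
    belong to a separate brute-force rule."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "succeeded" or m["host"] not in GATEWAY_HOSTS:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if ip in BUSINESS_NET and not any(ip in net for net in ENGINEERING_ALLOWLIST):
            hits.append((m["ts"], m["host"], m["user"], m["ip"]))
    return hits

if __name__ == "__main__":
    for hit in flag_bridge_logins(SAMPLE_LOG):
        print("suspicious gateway login:", hit)
```

On the sample data this flags two logins: the interactive user reaching the gateway from the business LAN, and the historian service account used from a business-network address it never normally comes from.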
Conclusion
ELECTRUM now also targets organizations outside Ukraine. It relies extensively on common exploitation methods to attack its victims and compromise their networks. A strong prevention strategy should therefore be applied to keep these attacks from compromising a network.
To know more, read: ELECTRUM