Honeypot Highlights Danger to ICS Systems From Criminal Hackers

A security firm established a sophisticated honeypot masquerading as a power transmission substation for a major electricity provider. The purpose was to attract attackers and analyze how they operate against the energy sector of the critical infrastructure.

Within two days of going live on June 17, the honeypot developed and operated by Cybereason was found, prepped by a black-market reseller, and sold on in the dark web underworld. xDedic RDP Patch was found in the environment. This is a tool developed by the owners of the xDedic underground forum that allows multiple simultaneous uses of the same RDP credentials. xDedic is a forum that focuses on selling RDP credentials. The initial attacker, notes the report, “also installed backdoors in the honeypot servers by creating additional users, another indicator that the asset was being prepared for sale on xDedic.”

On June 27, eight days after the first incursion, a new criminal entity arrived. It was immediately clear, explains Cybereason in a report published today, that this attacker had just one purpose — to pivot from the IT side of the ‘substation’ and gain access to the OT environment.

The honeypot had been designed to look like a typical substation: an IT side separated by a firewall from the OT side, comprising the industrial control systems separated from the pumps, monitors, breakers and other hardware elements of the energy provider.

It was immediately clear that these were attackers with skills beyond script kiddies. “The attackers appear to have been specifically targeting the ICS environment from the moment they got into the environment. They demonstrated non-commodity skills, techniques and a pre-built playbook for pivoting from an IT environment towards an OT environment,” said Cybereason CISO Israel Barak.

The attackers showed no interest in anything but the ICS assets. But with access to the ICS devices on the IT side of the environment, the attackers were still denied immediate access to the target OT by the firewall. Blocked by the firewall, the attackers used multipoint network reconnaissance.

“The attackers,” reports Cybereason, “moved from the remote server, to the SharePoint server, to the domain controller, to the SQL server to run network scans to determine if one of these assets would allow them to access the ICS environment. Instead of scanning the full network, attackers focused on scanning for assets that would give them access to the HMI and OT computers.”

But this was not a nation-state attack. “I would place the attackers in the upper echelon of criminal hackers, just below the expertise of state operators,” Ross Rustici, Cybereason’s senior director for intelligence services, told SecurityWeek. They made mistakes and were too noisy to be the best of the best — for example, they disabled the security tools on one of the servers, which would present an immediate red flag to the security team.

Cybereason had installed its own platform in the honeypot — but intentionally in a manner that would make its removal simple. The attackers removed it. The Cybereason platform was re-installed with some hardening, but less than the level recommended by the firm. Again, the attackers were able to disable the hardened version. “After that incident,” notes the report, “the platform was installed a third time based on our recommended guidelines and the attackers haven’t been able to deactivate it.”

This gives us some insight into the attackers. They were not sufficiently competent to be stealthy, but were not afraid of being discovered. They persisted, even though they would have known that their presence had been detected. This argues against a state actor, who would firstly avoid detection, but then, if detected, most likely silently withdraw.

To be fair, Rustici wasn’t expecting a state attacker. “Nation-state attacks against the critical infrastructure of an adversary state are effectively military operations; and military operations are planned with incredible detail,” he said. “Such adversaries will be aware of all an energy provider’s substations, and while we designed the honeypot sufficient to fool cybercriminals, it would not have withstood the standard reconnaissance and reconnoitering of a military operation.”

What this tells us, however, is that the critical infrastructure is a target for standard criminals. The most obvious motivation would be extortion — taking control of the substation and holding it to ransom. Detection would not be considered important if the endgame of extortion was still possible. But the motivation could also be just for the kudos or even CV-building.

ICS environments are often complex and use a diverse set of control system vendors. Without familiarity with the OT environment and its assets, it becomes more challenging for attackers to cause any significant disruption.

The danger is that criminal hackers are more clumsy than elite state actors. Current geopolitical tensions encourage nation states to explore the critical infrastructure of adversaries looking for an advantage in case of an escalation into actual warfare; but for the moment, that type of preparatory cyberwarfare is stealthy reconnaissance. State actors do not wish to be discovered.

These criminals were clumsy and not concerned with being discovered. This type of activity, warns Cybereason, “dramatically increases the risk of a mistake having real-world consequences… Hackers seeking to make a name for themselves or simply prove that they can get into a system are far more likely to cause failures out of ignorance rather than malice. This makes incident response and attribution harder, but it also is more likely to result in an unintended real-world effect.”

The long-term danger to the critical infrastructure may come from nation-state attacks — but the immediate danger is more likely to come from less competent cyber criminals. Cybereason recommends that companies with ICS environments should operate a unified SOC. “Companies may have a NOC monitoring the OT environment, but a combined SOC lets you see all operations as they move through the network. Having this visibility is important because attackers could start in the IT environment and move to the OT environment,” said Barak.

Boston, MA-based threat-hunting firm Cybereason raised $100 million in Series D funding from SoftBank Corp in June 2017 — bringing the total raised to $189 million. It was founded by Lior Div, Yonatan Amit and Yossi Naar in 2012. All three are veterans of Israel’s elite IDF 8200 intelligence unit.




Honeypot Buster: A Unique Red-Team Tool


One of the rising trends in Red Team vs. Blue Team is the use of the marketing term “Distributed Deception” — offerings which are actually Honey Tokens, Honey Bread Crumbs and Honey Pots used to detect attackers who have already breached the network and are developing a plan to compromise it or achieve their objective.

However, after reviewing some of the solutions offered by the cybersecurity community, we came to the conclusion that attackers with minimal knowledge can detect some of them or at least try to avoid “Honey-*” that might seem suspicious and/or fake.

Want to know how attackers avoid your deceptions?

Fake Sessions and Injected Memory Credentials Tokens

[MIMIKATZ use] This LOGON_NETCREDENTIALS_ONLY fake session is a method many solutions use to spread their fake tokens. Attackers can easily detect it when reviewing these two flags:



Mapped Drives and Credentials Manager Breadcrumbs

Another method used by other deception solutions is to spread their tokens via the Credentials Manager. Detection here might be trickier, but it is still possible. By correlating with more data collected from Active Directory about the fake user token and the target server, attackers realize they’re probably fake.



Is your vendor telling you their solution is “not a honey pot/token/breadcrumb/etc”? Test it and find out with the Honeypot Buster tool.

During the research, we revealed there are 7 common types of Active Directory related Honey Tokens you might encounter as a Red Teamer:

1. Kerberoasting Service Accounts Honey Tokens, just like the one described in this ADSecurity article by Sean Metcalf.
Attackers are tricked into scanning for Domain Users with an assigned SPN (Service Principal Name) and with the {adminCount = 1} LDAP attribute flag.
So when you try to request a TGS for that user, you’ll be exposed as a Kerberoasting attempt.
TGS definition: a ticket granting server (TGS) is a logical key distribution center (KDC) component that is used by the Kerberos protocol as a trusted third party.

2. Fake Memory Credentials Honey Tokens, creating a process using the ‘NetOnly’ flag will result in a “cached fake login token”. Once the attacker tries to steal and use these credentials, they’ll be exposed.
This method is used by the DCEPT project, Invoke-HoneyHash and other deception companies.

3. Fake Computer Accounts Honey Pots, creating many domain computer objects with no actual devices associated with them will confuse any attacker trying to study the network. Any attempt to perform lateral movement into these fake objects will lead to exposure of the attacker.

4. Fake Credentials Manager Credentials Breadcrumbs, many deception vendors inject fake credentials into the “Credentials Manager”; these credentials will also be revealed by tools such as Mimikatz. Attackers might mistake them for authentic credentials and use them even though they aren’t real.

5. Fake Domain Admins Accounts Honey Tokens, creating several domain admin accounts that have never been active and whose credentials should never be used, luring attackers into brute-forcing their credentials. Once someone tries to authenticate as this user, an alarm will be triggered and the attacker will be revealed. This method is used by Microsoft ATA.

6. Fake Mapped Drives Breadcrumbs, many malicious automated scripts and worms spread via SMB shares, especially if they’re mapped as a network drive. This tool will try to correlate some of the data collected before to identify any mapped drive related to a specific Honey Pot server.

7. DNS Records Manipulation Honeypots, one of the methods used by deception vendors to detect usage of fake endpoints is registering DNS records that point to the Honeypot Server. This lets them direct the attacker straight to their honey pot instead of the actual endpoints.
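The defender’s side of two of the lures above (the Kerberoasting honey service account of item 1 and the never-used honey domain admin of item 5), as an added example that is not part of Honeypot Buster or this post: detection logic run over constructed domain-controller security-event records. The account names, IP addresses and the key=value forwarding format are assumptions.

```python
import re
from dataclasses import dataclass

# Decoy identities the defender deployed; the names are hypothetical.
HONEY_SPN_ACCOUNTS = {"svc_backup_hp"}   # honey service account with an SPN and adminCount=1
HONEY_ADMIN_ACCOUNTS = {"da_recovery"}   # honey domain admin that is never used legitimately
# Domain-controller security events that mean someone used an account:
# 4768 TGT requested, 4776 NTLM validation, 4624/4625 logon success/failure.
AUTH_EVENTS = {"4768", "4776", "4624", "4625"}

# Constructed sample of forwarded DC events, one key=value record per line.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_backup_hp IpAddress=10.0.5.23 TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=krbtgt IpAddress=10.0.5.23 TicketEncryptionType=0x12",
    "EventID=4768 TargetUserName=da_recovery IpAddress=10.0.9.7 Status=0x18",
    "EventID=4776 TargetUserName=bob Workstation=WS01 Status=0x0",
    "EventID=4625 TargetUserName=da_recovery IpAddress=10.0.9.7 Status=0xc000006d",
]

@dataclass(frozen=True)
class Alert:
    kind: str       # "kerberoast_honey_spn" or "honey_admin_auth"
    account: str
    source: str     # IP address or workstation that produced the event
    event_id: str

KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict; values stay as strings."""
    return dict(KV.findall(line))

def evaluate(ev: dict):
    """Return an Alert when the event touches a decoy account, else None."""
    eid = ev.get("EventID", "")
    src = ev.get("IpAddress") or ev.get("Workstation") or "?"
    # A TGS request (4769) naming the honey SPN is the Kerberoasting lure firing;
    # the service account is in ServiceName, the requester in TargetUserName.
    svc = ev.get("ServiceName", "").split("@")[0].lower()
    if eid == "4769" and svc in HONEY_SPN_ACCOUNTS:
        return Alert("kerberoast_honey_spn", svc, src, eid)
    # Any authentication attempt, successful or not, against a honey admin is a hit.
    user = ev.get("TargetUserName", "").split("@")[0].lower()
    if eid in AUTH_EVENTS and user in HONEY_ADMIN_ACCOUNTS:
        return Alert("honey_admin_auth", user, src, eid)
    return None

def scan(lines) -> list:
    """Run every forwarded record through evaluate and collect the hits."""
    return [a for a in (evaluate(parse_event(l)) for l in lines) if a]
```

Running scan over the sample yields one Kerberoasting hit and two honey-admin hits, each carrying the source address a SOC would pivot on.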

The main idea behind these Honey Tokens is to lure attackers to use them, letting them think they’re on the right path to achieve privileged credentials or spread through the domain environment. However, attackers can study these Honey Tokens/lures and easily avoid them.

Using simple validations that take only a few minutes, an attacker can identify objects that are fake and avoid the trap. This validation and avoidance of Honey Tokens can be done without triggering any alarm and without authentication or lateral movement.

These results can be integrated with Red Team tools such as Empire or Bloodhound to enhance the automation of Red Team hacking processes.

Introducing Honeypot Buster

A unique tool that allows any Red Teamer to identify and avoid traps. The tool detects all seven common types of Active Directory related Honey Tokens you might encounter as a Red Teamer or adversary.

Written in PowerShell, it supports version 2.0 and above and has remote WinRM capabilities for gathering the 2nd and 4th token types. It leverages LDAP queries to find domain objects and loads a DLL to access the LSASS process for local token gathering (which might trigger AVs soon). Honeypot Buster supports all Windows OSs; however, some of the features will not work with Windows Credential Guard and the Windows 10 Creators Update.


-CsvOutput “export folder path”

Export the results to CSV files.

-ComputerName “hostname”

Remote endpoint on which to run the FakeCredMan and FakeSession gathering (accesses LSASS over WinRM).

Just import the module and execute the function:

Import-Module .\Invoke-HoneypotBuster.ps1

Give it a try!
