Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

How I Hacked A Nuclear Power Plant

In cybersecurity, the worst-case scenario is that malicious hackers might gain access to, or control over, critical infrastructure. In that scenario, criminals or nation state actors might be able to leverage their exploits into a situation where lives are put at risk – in addition to the other severe ramifications. And of course, that worst-case scenario becomes an actual nightmare when we imagine the consequences of a malicious actor gaining access to nuclear power plants or missiles.  

While most of us assume – or at least hope – that nuclear power plants are hardened targets that should be protected by the most advanced digital security possible, is that actually the case? In this interview with Charles Hamilton, Principal Security Consultant for Trustwave SpiderLabswe discuss his experience conducting a penetration testing exercise for a nuclear power plant. For safety reasons, we won’t disclose where and when this exercise was conducted.  

Q: Did you actually hack a nuclear power plant?  

Charles: Yes, this was part of penetration testing. There are many details that I can’t reveal, for obvious reasons. But I’ve actually tested more than one.  

In the test we will talk about today, when I gained access to the plant, posing as a malicious actor, I found out that the management software was actually Windows NT 4.0, far past the time when that would have been appropriate.  

The point of the engagement, of course, is to see if an actor can reach the point where they gain control of the reactor. Thankfully, that’s rarely possible because there is a physical barrier between the corporate network and the actual power plant. That’s purposeful, thankfully, and it should do its job of preventing hackers from being able to trigger a meltdown.  

You might remember Stuxneta worm that was designed to target the nuclear capabilities of Iran. Whomever designed that exploit built it to account for the physical barrier, which is why they created it to spread by USBs, which they knew were being actually plugged into the reactor environment. But that’s the kind of activity that goes above and beyond what a penetration test is designed to discover.  

Q: What did you find during your penetration test?  

Charles:  The first major vulnerability I found was due to contracting work that they had hired out. Sometimes, just like other structures, a nuclear power plant needs to be fixed. In this case, the contractors had set up a WIFI spot which didn’t have a strong level of security. Via that avenue, I was actually able to get into the corporate network quite easily.  

The reality is that, when I get in, it was just like any other corporate network, with a bunch of Windows and Linux systems, and in this case they were running Windows NT 4.0 as well. I was able to gain direct access to the network and access to some interesting things, like monitoring tools 

In a related example, I tested wind turbine farm and found that it was set up the same way, with layers of networks where the actual system that was physically controlling the turbines wasn’t reachable remotely – it would have required direct physical access. So that’s something we can all be thankful for.  

Q: If you had been a malicious actor, what could you have done with the access you achieved? 

Charles:  In about one or two hours I had domain level privileged. I could have been able to gain information about how the power plant was performing. If I was involved in spy craft or actual nation state sabotage, I would have been able to see things like pressure rates, etc. In this specific case, the plant was actually shut down at the time, because it was under maintenance. The penetration test was actually part of their efforts to bring it back online, so it was a good thing that they were being proactive and diligent in exposing weaknesses. 

Q: Are there key takeaways that organizations should be aware of

Charles:  Definitely. Even for companies or organizations that aren’t involved in critical infrastructure, the key learning here is that your corporate network is always going to be one of your most vulnerable pointsFrom an external threat actor perspective, phishing exploits will be constant and ongoing. Always assume that your network is as vulnerable as your external perimeters.  

Most of the time when we do penetration tests, we find that external perimeters are actually a little bit more secure, because it’s publicly facing. Organizations tend to harden it a bit more, and unfortunately leave their internal networks a little bit more exposed.  

When you think about incidents like SolarWinds, what’s your opinion on how secure the infrastructure grid is in America?  The reality is that it’s mainly secure because of security through obscurity. When you look at things like SolarWinds, that exploit required a huge amount of time and a fairly large budget. That’s not really in the realm of possibility of your average hacker, who’s probably out to just make a quick buck.


17654_solarwinds-vuln-fact-sheet-cover
FACT SHEET

New Vulnerabilities Discovered in SolarWinds Products by Trustwave SpiderLabs

Download our fact sheet on the SolarWinds vulnerabilities that Trustwave SpiderLabs has discovered. All three vulnerabilities are severe with the most critical one allowing remote code execution with high privileges.

 

 

Latest Trustwave Blogs

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More

Trustwave SpiderLabs: Ransomware Gangs Dominate 2024 Education Threat Landscape

The security teams manning the defenses at the higher education and primary school system levels often find themselves being tested by threat actors taking advantage of the sector's inherent cyber...

Read More

LockBit Takedown: Law Enforcement Disrupts Operations, but Ransomware Threats Likely to Persist

The news that US, UK, and other international law enforcement agencies disrupted LockBit is welcome, as stopping any threat group activity is always a positive. The unfortunate aspect is this blow...

Read More