CyberZone, a company specializing in information security, has disclosed an experiment in which it built a giant digital trap: a large fake information network that appeared, from cyberspace, to be the network of a major electricity company operating across the United States and Europe. Its purpose was to lure hackers, thieves of sensitive data and other cybercrime professionals into the trap so that their criminal activity could be observed and analyzed, in order to help put in place the necessary protective measures against it.

In a statement published on its official blog, the company said that during the experiment, which was conducted by a team of its own information security experts, criminals managed within three days to discover the entire network, scan it, identify its weaknesses, and then attack it with ransomware, malware and remote control tools.

Hit and run

CyberZone pointed out that during the experiment its team of experts conducted dozens of hit-and-run engagements, attacks and counter-defenses, against many cybercrime professionals around the world, whether individuals, professional criminal groups working on their own account, or criminal groups sponsored by states and governments and carrying out attacks planned by those states.

Trap specifications

The experts said the trap included everything needed to make it look like the giant information network of an electricity company: it was rich in link lines, terminals, Internet of Things devices, servers, personal computers, databases and the applications commonly found on electric utility networks, as well as key components such as the main control center and the sub-control centers.

They added that the trap was equipped with common security and protection systems, while care was taken to leave in a number of security weaknesses that looked plausible and required effort to discover and exploit. The network was also given some security measures that made it inconspicuous and not easily discoverable from cyberspace. It was then launched and put into actual operating mode by passing large quantities of data through it, so that all of its components appeared to be fully operational.

Scan and monitor

The experts said it took the criminals only three days to detect the network's existence. They then deployed their survey and monitoring software to scan it completely, learning its strengths, weaknesses, nature of activity, data flows, and the security procedures and systems operating on it, and then launched attacks on it in order to penetrate and control it and to try to load it with their malware.

According to the team, three days after being placed in cyberspace the network was under a constant barrage of attacks, a result of the great speed with which criminals discover the existence of such networks and then attack them.

Password

The experts continued that after detecting and scanning the network, the attackers exploited remote management tools to gain access, obtaining the administrator password to log in and taking control of the remote desktop protocol used to manage and operate the machines. From there they created a back door on a compromised server and used PowerShell-based attack tools, foremost among them the "Mimikatz" tool, which enabled them to steal login credentials.

Ransom attacks

The experts pointed out that in the next stage the attackers planted file-encrypting ransomware on every device that had been compromised inside the network, noting that everything proceeded silently, without the victim network being alerted to what they intended.

According to the experts, the criminals considered the stages of the attack complete once they held two weapons: the ransomware, and the stolen passwords, credentials and privileges. All that remained was to launch the encryption programs, announce the attack and demand a ransom for decryption, while at the same time threatening to use the stolen usernames, passwords and credentials to expose sensitive network data if the ransom was not paid.

The attackers then carried out the actual attack by running the ransomware on all compromised devices and terminals at the same moment, a common feature of multistage ransomware attacks whose purpose is to amplify the impact on the victim.
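The chain described in the preceding sections (an administrator RDP logon, PowerShell launching a credential-dumping tool, then a simultaneous encryption burst across hosts) is exactly the kind of sequence a defender can correlate from ordinary host telemetry. The following is an added example written for this page, not CyberZone's code or tooling: it runs over a small set of constructed sample events whose field layout (`ts`, `host`, `event`, `logon_type`, `cmdline`, `new_name`) is an assumption of the example. Windows event 4624 with logon type 10 is a RemoteInteractive (RDP) logon and 4688 is process creation; the `.locked` extension and host names are made up.

```python
"""Correlate the three ransomware stages described above over constructed sample events."""
from datetime import datetime, timedelta

# Constructed sample telemetry (not from CyberZone or any real network).
# The dict layout is an assumption of this example; 4624/logon_type 10 is a
# Windows RDP logon, 4688 is process creation, "file_rename" is a hypothetical
# file-monitoring record.
SAMPLE_EVENTS = [
    {"ts": "2020-04-01T02:10:00", "host": "hist-srv-01", "event": 4624,
     "logon_type": 10, "user": "Administrator", "src": "198.51.100.23"},
    {"ts": "2020-04-01T02:12:30", "host": "hist-srv-01", "event": 4688,
     "user": "Administrator", "cmdline": "powershell.exe -File mimikatz.ps1"},
    {"ts": "2020-04-01T02:40:00", "host": "eng-ws-07", "event": 4624,
     "logon_type": 10, "user": "Administrator", "src": "198.51.100.23"},
    # routine RDP logon by a named operator: should not count as stage 1
    {"ts": "2020-04-01T08:00:00", "host": "eng-ws-02", "event": 4624,
     "logon_type": 10, "user": "j.smith", "src": "10.0.5.14"},
    # encryption burst on three hosts within seconds (stage 3)
    {"ts": "2020-04-03T03:00:01", "host": "hist-srv-01", "event": "file_rename", "new_name": "report.xlsx.locked"},
    {"ts": "2020-04-03T03:00:02", "host": "eng-ws-07", "event": "file_rename", "new_name": "plan.docx.locked"},
    {"ts": "2020-04-03T03:00:05", "host": "scada-hmi-03", "event": "file_rename", "new_name": "tags.csv.locked"},
    {"ts": "2020-04-03T03:00:07", "host": "hist-srv-01", "event": "file_rename", "new_name": "log.txt.locked"},
]

ADMIN_ACCOUNTS = {"administrator"}  # assumption: shared admin accounts that should not RDP in
CRED_TOOL_MARKERS = ("mimikatz",)   # tool name taken from the article
ENCRYPTED_SUFFIX = ".locked"        # constructed ransomware extension for the sample data


def _when(ev):
    return datetime.fromisoformat(ev["ts"])


def rdp_admin_logons(events):
    """Stage 1: RDP (logon type 10) logons that use an administrator account."""
    return [(ev["host"], ev["ts"], ev["src"]) for ev in events
            if ev["event"] == 4624 and ev.get("logon_type") == 10
            and ev["user"].lower() in ADMIN_ACCOUNTS]


def credential_dumping_hosts(events):
    """Stage 2: hosts where PowerShell was started with a credential-dumping tool on its command line."""
    hosts = set()
    for ev in events:
        if ev["event"] != 4688:
            continue
        cmd = ev.get("cmdline", "").lower()
        if "powershell" in cmd and any(marker in cmd for marker in CRED_TOOL_MARKERS):
            hosts.add(ev["host"])
    return hosts


def simultaneous_encryption(events, window=timedelta(seconds=60), min_hosts=3):
    """Stage 3: encryption-style renames on at least min_hosts distinct hosts inside one window.

    Returns the hosts of the first window that meets the threshold, or an empty set.
    """
    renames = sorted((ev for ev in events if ev["event"] == "file_rename"
                      and ev["new_name"].endswith(ENCRYPTED_SUFFIX)), key=_when)
    for i, first in enumerate(renames):
        hosts = {ev["host"] for ev in renames[i:] if _when(ev) - _when(first) <= window}
        if len(hosts) >= min_hosts:
            return hosts
    return set()


def correlate(events):
    """Combine the stages: alert on a mass-encryption burst, or on stages 1 and 2 meeting on one host."""
    logons = rdp_admin_logons(events)
    dump_hosts = credential_dumping_hosts(events)
    enc_hosts = simultaneous_encryption(events)
    chain_hosts = {host for host, _, _ in logons} & dump_hosts
    stages = sum([bool(logons), bool(dump_hosts), bool(enc_hosts)])
    return {"stages_seen": stages, "rdp_admin_logons": logons,
            "credential_dumping_hosts": dump_hosts, "encryption_hosts": enc_hosts,
            "chain_hosts": chain_hosts, "alert": bool(enc_hosts) or bool(chain_hosts)}


if __name__ == "__main__":
    for key, value in correlate(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The point of the `chain_hosts` check is that stages 1 and 2 each look noisy on their own, but an admin RDP logon followed by PowerShell running a credential-dumping tool on the same host is worth an alert days before the encryption burst, which in the experiment only arrived once the attackers were ready to announce themselves.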

Various attacks

CyberZone experts reported that the networks supporting the information infrastructure of vital-facility sectors around the world are in practice under constant bombardment by a variety of attacks, differing in pattern and level of risk, and must therefore be resilient enough to ward off unwanted intrusions, especially where information technology and operational technology networks are concerned.