KillNet: DDoS, IoT/OT, and Critical Infrastructure

Yesterday’s reports of the Russian cyber-criminal group KillNet bringing down the websites of several airports might be seen as just another normal day when it comes to cybersecurity. Mandiant reported that 15 airports were impacted, with most having their websites down for periods lasting up to a few hours. For example, at LAX the FlyLAX.com website was mostly or partially offline, and there were no reports of disruptions to any internal airport systems or operations. Seems like this was a one-and-done, and life moves on – except for the fact that the Russian threat actors have made it clear that more of these attacks are coming and will likely target and disrupt other forms of critical infrastructure (think energy distribution or water supplies). What lessons can be learned from this attack?

There are three primary takeaways, and one “side note” that I’ll bring up at the end:

  1. Vulnerable IoT devices are what form botnet armies for DDoS attacks
  2. Denial of service is all about identity and therefore zero trust
  3. Prepare ahead from a team and strategy perspective

Let’s start with how botnets are formed. The three main ingredients needed are compute, storage, and networking; the malware used to form a botnet needs a platform with those three elements to host itself, perform operations, and execute DDoS attacks. It’s here that threat actors have a choice: use traditional IT infrastructure or instead leverage IoT/OT devices. Assuming threat actors behave rationally, they will always choose to deploy malware on IoT/OT devices. Unlike traditional IT systems, IoT/OT devices are often managed by the line of business and not IT – presenting a skills and experience gap that favors cyber criminals. In addition, IoT/OT devices exist at 10-20x the number that traditional IT systems do. Most importantly, IT cybersecurity solutions that rely on agents do not work with IoT/OT systems, which require an agentless approach. So in order to stop the main approach threat actors use in forming botnet armies, you need to focus on agentless IoT/OT vulnerability remediation solutions.

When we talk about denial of service, what we are really talking about is denial of service to users who should have access. With most websites today, when a DDoS attack is underway the solution is to send all traffic to a “blackhole”, effectively shutting down website access for everyone, whether valid users or threat actors. As zero trust approaches spread and take hold, they can offer a path to allow access conditionally to those who can prove their right to be there and block those who cannot. Extending zero trust to IoT/OT devices should also be a priority, as access to such devices should not be left to passwords (which in IoT/OT devices are too often the default).
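The difference between blackholing and identity-conditional access can be shown with a small admission gate. This is an added example, not code from the original post; it models only the admit/drop decision, with an HMAC-signed, expiring token standing in for whatever proof of identity a zero trust deployment uses. The names `issue_token`, `admit`, `served`, the shared key, and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: shared by the identity service and the edge gate


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, expires_at: int) -> str:
    """Identity-service side: sign 'user|expiry' so the gate can verify it statelessly."""
    payload = f"{user}|{expires_at}"
    return f"{payload}|{_sign(payload)}"


def token_is_valid(token, now: int) -> bool:
    """Gate side: reject missing, malformed, forged, or expired tokens."""
    if not token or token.count("|") != 2:
        return False
    user, expires_at, sig = token.split("|")
    expected = _sign(f"{user}|{expires_at}")
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return int(expires_at) > now  # payload is authentic here, so expiry is numeric


def admit(token, now: int, mode: str) -> bool:
    """'normal' admits all, 'blackhole' drops all, 'conditional' admits proven identities."""
    if mode == "normal":
        return True
    if mode == "blackhole":
        return False
    if mode == "conditional":
        return token_is_valid(token, now)
    raise ValueError(f"unknown mode: {mode}")


def served(requests, now: int, mode: str):
    """Return the labels of the requests that get through in the given mode."""
    return [label for label, token in requests if admit(token, now, mode)]


# Constructed sample traffic: one legitimate user among invalid requests.
NOW = 1_700_000_000
_good = issue_token("alice", NOW + 300)
REQUESTS = [
    ("valid-user", _good),
    ("expired-user", issue_token("bob", NOW - 1)),
    ("forged-token", _good[:-1] + ("0" if _good[-1] != "0" else "1")),
    ("bot-no-token", None),
]
```

In `blackhole` mode `served` returns nothing, so the legitimate user is denied along with the bots; in `conditional` mode only `valid-user` gets through.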

Whether facing DDoS or other forms of cyber attack, organizations should be prepared ahead of time to coordinate across multiple departments to minimize the impact and restore operations more quickly. Since cybersecurity is a team sport, who should your teammates be? One best practice is to form an IoT Committee within your organization, with members from the CISO/CIO staff and from other departments that manage IoT/OT devices, like physical security, manufacturing, facilities, logistics, and others. Organizations that have already formed such teams have also found an important side benefit: the processes used to monitor and harden IoT/OT systems provide important data to other parts of the organization (compliance and audit, cyber insurance negotiations, public reporting, and so forth), increasing the strategic value of the IoT/OT security efforts.

The last lesson from Monday’s DDoS attacks on airports is really more of an observation or a side note than a recommendation on what to do. When you think of the volume of attacks needed to bring down 15 or more airport websites, it suggests the botnets launching those attacks are massive in size and well-coordinated. The nature of IoT/OT is that it quietly does its specific business function in isolation or otherwise unobserved. Exactly the right place to have planted malware a while ago, ready and waiting in vast numbers to be called into action. It may very well be that your own devices were used in this attack or are infected and will be called into action at some future point. If your organization is using IoT/OT devices (as most do), take some basic steps now to prevent them from being exploited by cyber criminals. Ensure you have an agentless asset discovery solution so you can know all devices on your networks and whether they contain vulnerabilities. Be prepared to remediate IoT/OT devices quickly and at scale. Assess your zero trust strategy and look to extend it to IoT/OT devices. While this recent DDoS attack may not have caused significant disruption, KillNet has plans for more such attacks and next time we may not be so lucky.
