Finding statistics about APT’s? It’s complicated.

Have been following an email list thread that was generated from a request for statistical information about APT’s (advanced persistent threats). Many of the offers of information were very ransomware and cybercrime oriented. To me such descriptions are not a good fit to address what APT’s are. Thought I would share my contribution to that thread.

“First question I ask is: What is it that we are trying to protect in terms of APT? Since this thread started on a list that discusses industrial technologies, I assume that this means The technologies used to monitor and control processes governed by the laws of physics and chemistry and not about equipment and software found in an office environment. Rather it is about an environment where electricity is generated and distributed, fuel pumped or compressed down a pipeline, water is treated and provided to a community, refinery processes at a petrochemical plant and other potentially hazardous environments found in what is called critical infrastructure. Then we should consider What threatens these monitoring and control technologies? What falls away from the threat list is cybercrime and ransomware threats. So far a cybercriminal does not see much money to be made in trying to plant ransomware on a programmable logic controller. He can however achieve some success in planting ransomware on the billing department for an enterprise that pumps fuel down a pipeline as has been noted by one of our colleagues on this thread. This is about as far as a cybercriminal can go in terms of motivation and technical abilities. So then who does have these special capabilities and the resources to employ them without expecting a monetary return?

In the past 12 years it has been the state APT or state supported threat actor that has attempted with various levels of success to take away the view and control of critical physical processes from the operators of critical infrastructure. These efforts have succeeded in causing unauthorized changes to IACS/ICS that have threatened or have caused physical damage to people, equipment and the environment.

In 2010 we first learned of a state(s) operation directed against the critical infrastructure of another state’s nuclear enrichment facility. This operation which included the use of sophisticated intelligence capabilities and employed high levels engineering know-how succeeded in:

Taking away the view and control from the operator of a critical process
– Sent false data to control systems
– Disabled safety systems
– Compromised and manipulated IACS/ICS
– Causing physical damage to equipment at a plant

This attack description has been found in many of the subsequent cyber attacks on critical infrastructure that are thought to be the acts of APT threat actors supported by states. The STUXNET operation has been the gold standard upon which other attacks have been compared with (and copied by other perpetrators). Here is a list of some of the examples of APT attacks on critical infrastructure that we know about:

German Steel Mill (2014): operators lost the view and control of a smelter which resulted in physical damage to the plant

First cyber attack on part of Ukraine’s power grid (December 2015): Operator lost the view and control of a power grid and watched as a cyber intruder proceeded to open breakers at 30 substations putting a ¼ million customers in blackout, the attacker then proceeded to damage serial to ethernet servers used to link SCADA control with remote substations, planted wiperware on SCADA workstations and left.

Second cyber attack on part of Ukraine’s power grid (December 2016): Similar to what happened a year earlier but later investigators noted attempts to compromise Protective Relays (one can say they are like safety systems to protect bulk power equipment on power grids)

Cyber attack on petrochemical facility in the middle east (2017): 2 unauthorized plant shutdowns (safety systems tripped for no apparent reason). Later investigation discovered that attempts were made to compromise control code on safety systems (Triconix)

Fast forward a bit to the start of this year with the Russian invasion of Ukraine. Has been an interesting year for APT activity:

Cyber attack on VIASAT terminals started in Ukraine but with collateral damage as far as Germany where windmill operator ENERCON lost (bad firmware planted via the control network) 5800 terminals which resulted in loss of view and control of remotely located windfarms.

Cyber attack on Iranian steel mill: Attacker succeeded in taking away the view and control of plant operations from the operator, used the plants video surveillance system to film the attack which resulted in physical damage (no information about casualties provided) and share it for all to see on the Internet together with the attackers justification for the attack.

Discovery of set of attack tools tailor made to attack PLC’s: Called “Pipedream” by Dragos this set of tools apparently made for use by APT teams is designed to penetrate control networks, access PLC’s and manipulate them.

Please note that in all the above cited cases there was no mention of ransomware. This is because the effort was focused not on making money for a criminal, but on taking away the view and control from the operator of a critical process from the operator with apparent intent to cause physical damage to the plant’s personnel, equipment, and environment. Common features of these attacks are familiar to those who are aware of the STUXNET operation of 2010.

There was mentioned an interest in statistics. Some colleagues have provided links to sites where this information is available. However it is also useful to go deeper into the subject. Here are some useful sources of information.

STUXNET: If you understand this operation then you will know a lot about APT’s that go after technologies used to monitor and control processes governed by the laws of physics and chemistry:

Technical description. One of the best ones is by Ralph Langner at an S4 Conference: Watch his lecture at : STUXNET DEEP DIVE or if you would like to read his report about it read here:

A wider more layman’s approach to understanding STUXNET can be found here:

For those that are interested in the geopolitical or security policy implications of APT’s that attack C.I. read this article: (my published paper).

Sandworm is one of the more famous APT’s out there. The book to read is:

A good study of the cyber attacks on Ukraine can be found here:

Very good lecture on what happened to the Saudi Petrochemical plant in 2017 at an S4 by Julian Gutmanis

Information about PIPEDREAM from the same source that wrote about CRASHOVERRIDE: nice video presentation by Rob Lee here:

An official alert on Pipedream

Another issue which is of particular interest to me is the problem of IT security minded people that attempt to apply Office IT security best practices to IACS/IAC. Can find out more here: (my published paper)

To end this long and rambling rant. To summarize.

I know that ransomware has captured our imaginations. Especially with the case of the last years major fuel pipeline incident in the US. However, very few in the media appreciate the fact (as one of some thread contributors mentioned) that although the IT in the office was down, the IACS/ICS was intact and operating. Few noticed that when management gave the order to shut down a 8000 km-long pipeline all the IACS/ICS worked perfectly to safely shutdown the physical operations. This was done while IT specialists struggled to restore operations to the administrative departments in the offices. What few also appreciate is that if the IACS/ICS was really disabled (and could not shutdown the operation) because of a cyber-attack then the cleanup, recovery, repairs, investigations and litigations would still be underway today.

Not all actors are seeking to attack the IT in the office. They are also targeting the physical process and the technologies used to monitor and control them. To do that requires a different approach and a different set of knowledge and skills. Those that defend need to be just as aware of that.


NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is member of ISA 99 Workgroup 13 that is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard and Workgroup 14 on security profiles for substations.

Related posts