Hacking an industrial enterprise: experience of Red Team testing

19 November 2024 10 minutes Author: Lady Liberty

This article describes a Red Team engagement at an industrial enterprise. Preparation is covered in detail: collecting information about the target, planning the operation and selecting the equipment. The physical intrusion techniques used are described, including lock picking, bypassing access control systems and social engineering.

  • Disclaimer: All information provided in this article is for informational and educational purposes only. It is not intended to be a guide to action and may not be used for any illegal or malicious purposes. The purpose of this article is to raise awareness of vulnerabilities and help cybersecurity professionals better protect their infrastructure.

How to do it?

Hello everyone! This time we present an interesting project whose details cannot be disclosed because of strict NDA conditions. All events and characters have been altered, and any resemblance to real ones is coincidental.

It is important to note that the information provided is for educational purposes only, is not a call to action and may not be used for malicious purposes. The main goal is to show the kinds of vulnerabilities and shortcomings that information security specialists in organizations need to address.

The project began with a request from a large company that wanted its security tested under the Red Team model. Several groups were involved:

  1. Coordinators.

  2. The external attack team (remote intrusion).

  3. C2 infrastructure support.

  4. The physical access team.

  5. Representatives of the customer who oversaw the process.

The task was to find and exploit any feasible attack vector while the customer's defenders actively resisted. The project mattered because it required a full demonstration of the threats and vulnerabilities that could be used against the company.

This write-up focuses on the work of the physical access team. The customer defined the main objectives: the company headquarters and a strategic site comprising warehouses and production facilities.

The first stage was OSINT. The information gathered made it much easier to plan the work, choose the equipment and estimate the resources the task would require.

The next step was preparing the equipment. Given the large number of potential vectors, four 120-liter suitcases, six backpacks and several small bags were needed to transport it. The cargo consisted of technical equipment, tools and documentation. The documentation comprised the engagement contract and authorization letters; all documents were carefully reviewed by lawyers to rule out legal mistakes.

Preparing the means for photo and video recording was an important part of the work. In difficult conditions a smartphone turns out to be inconvenient and risky: it is almost impossible to film your own actions at the door of an electrical switchboard room, or anywhere there is a risk of falling. And without documented evidence of each compromise, writing the report becomes much harder.

In such cases the best option is an action camera, which records events reliably. A quick-release mount lets you swap batteries quickly, even under stress.

An approximate list of what the team took along

Machinery

  • Laptops: MSI, MacBook, and a second MSI dedicated to the HackRF

  • Raspberry Pi: 4B (1 pc.), Pi Zero (2 pcs.)

  • GoPro + mounts, batteries (4 pcs.)

  • Flipper Zero + modules

  • Proxmark (3 pcs.)

  • HackRF + antennas (2 pcs.)

  • Alfa Wi-Fi adapters: large and small, with antennas

  • Walkie-talkies with antennas (2 pcs.)

  • Modem

Chargers

  • Laptop chargers (3 pcs.)

  • Chargers for the radios (2 pcs.)

  • Power banks: large (20000 mAh) and small

Tools

  • Soldering iron + solder

  • Tweezers

  • Lock pick sets: pin tumbler (English profile), dimple, lever (suvald), and self-impressioning

  • Lights: a regular flashlight, a headlamp, and keyhole lights

Network equipment

  • Patch cords

  • USB Type-A to Ethernet adapter

  • SD card reader

USB devices

  • BadUSB Cactus + cases (15 pcs.)

  • Ordinary flash drives

  • Live CD

Equipment

  • Industrial rope-access (promalp) gear

  • Balaclava

  • Gloves (5 pairs)

Documents

  • Passports

  • Industrial rope-access (promalp) certificate

  • Project documents (contract, authorization letters)

  • Merchandise of the target company

Consumables

  • Reinforced tape

  • Double-sided tape

Next, a detailed work plan was drawn up defining the order of actions, the sequence of reconnaissance and the stages of the attack. Projects of this type demand flexibility: sometimes you have to observe the target for days or even weeks to reach the goal, and sometimes you can exploit a momentary opening that arises unexpectedly.

Potential entry points had been identified from GEOINT gathered during preparation. However, as often happens, circumstances changed: the surroundings of the site were different, and the previously identified access vectors were no longer available. This required revising the plans and adapting the strategy to the new conditions.

Reconnaissance and active operations are, as a rule, closely linked to the actual intrusion, so reconnaissance is often carried out in parallel with the other stages. During this stage the team surveyed the site, keeping a calm and unobtrusive demeanor.

Of particular interest were the pictures taken along the way, for example of sleeping guards, or of the video wall that was brightly lit at night. Images taken through the monocular were not always good enough to make out the screens in detail. Even so, valuable information was obtained, for example the number of cameras that can be viewed simultaneously in the surveillance system. These data became an important element of the further work.

For effective communication the team used walkie-talkies with headsets, which kept the pairs in continuous contact even when working separately. During this stage, patrol routes, guard shift-change times, and the guards' habits and behavior were carefully recorded.

The information gathered proved extremely useful for planning the next steps. The observations gave a better understanding of the internal security processes and revealed potential weak points, which became a key factor in the success of the task.

The active stage began with choosing the optimal entry vector and the time when it was safest to act. The chosen entrance, a door with a pin tumbler (English profile) lock, was not easy: the inexpensive Chinese pick set was not effective enough because of its design limitations. More professional equipment, such as Multipick tools, would have made the job considerably easier. Despite the difficulties, the door was opened.

Movement across the site was unhurried so as not to attract attention. Running or fast movement could arouse suspicion, so the most natural behavior was maintained. The team worked in pairs, with one member remaining outside the perimeter to monitor the situation and relay updates, reducing the risk of exposure.

All points protected by mechanical locks were opened without significant difficulty, evidently because of the low quality of the lock mechanisms. Critical nodes that could be used for further action were recorded.

While inspecting the buildings inside the perimeter, the team found an access pass, which greatly simplified movement. The MagicPlan application is usually used to draw up floor plans, but here that was unnecessary, since the building plans were posted on the walls, which sped up the work further.

At the next stage the team split up to perform individual tasks. One specialist went to install a hardware backdoor, the key element for subsequently gaining access to the internal network. In parallel, the other members continued working at the site, carrying out additional tasks in preparation for the next stages of the attack.

At this point the work focused on the server rooms, one of the key targets. Along the way there were doors protected by the access control system (ACS) as well as ordinary doors with dimple locks, which also led to the required rooms.

The first door took a long time to open because it was raked. The next door proved less difficult, with an average opening time of about 20 seconds using the popin pressing technique.

However, one of the doors in between had an unusual pin tumbler profile that turned out to be incompatible with the tools on hand. Such doors had to be left closed, since further attempts would have been too risky or too time-consuming.

After completing all planned activities, the team withdrew to the rendezvous point where the main group was waiting.

The next target was the headquarters in the same city, where the main goal was to get inside and install a hardware backdoor to secure network access. This time it was possible to do without an official pass. A social engineering scenario was used: by phoning a neighboring organization in business center "A", the team presented themselves as prospective clients who wished to discuss terms of cooperation in person. As a result, passes were issued at the reception desk, and the first perimeter was passed without any awkward questions.

The floor itself had an ACS, but in practice it posed no significant obstacle: by tailgating, the team entered the premises together with other employees. Once inside, the team headed for the kitchen, where it was possible to observe the employees discreetly, listen to their conversations and build a further plan of action on what was learned.

The team visually assessed the premises, identifying wall sockets where a connection to the network could be made. Then interaction with the company's employees began. Posing as technical support, the team connected to the network by replacing a printer's patch cable with an in-line hardware implant. After the C2 team confirmed that the implant had called back and the connection was live, the team moved on to look for additional access points.

The second connection was made by hiding a device behind a ceiling panel. Portable cameras were set up to monitor activity around the connection area. With the task in this perimeter complete, the team handed the access over to the other specialists, who began penetrating the infrastructure.

The work concluded with a draft report on the actions performed. In parallel, material for the video documentation was prepared, because such dynamic stages of a project always attract attention and illustrate the results of the testing well.

As a result, the customer was successfully compromised both externally and internally. The security assessment revealed a number of interesting vulnerabilities: the external perimeter was vulnerable to certain Internet-borne threats, while the internal infrastructure showed typical weaknesses. The whole site intrusion, including physical and technical penetration, took approximately 7 hours. Full analysis and write-up of the conclusions took a further 10 days. After that, the team returned to the customer's facility to carry out a detailed physical security audit, this time accompanied by the customer's staff.

We hope this story was useful and interesting.
