CyOTE Precursor Analysis Report: Cyber Attack on Thyssenkrupp Blast Furnace 2014
- Idaho National Laboratory
The Cyber Attack on Thyssenkrupp Blast Furnace 2014 Precursor Analysis Report leverages publicly available information about the Thyssenkrupp steel mill cyber attack and catalogs anomalous observables for each technique employed in the attack. This analysis is based upon the methodology of the Cybersecurity for the Operational Technology Environment (CyOTE) program.

In December 2014, the German Government's Federal Office for Information Security (BSI) released a report detailing a cyber attack on a German steel mill that occurred earlier that year, though exact dates and details of the attack were not revealed. While the report did not name the company, multiple sources identified the victim as one of Europe's largest steel manufacturers, Thyssenkrupp AG [1,2]. Further, Thyssenkrupp announced on 16 May of that year that Europe's largest blast furnace, "Schwelgern 2," located at its facility in Duisburg, Germany, would be offline for several weeks for repairs and upgrades [3], suggesting Schwelgern 2 was likely the target of the attack. The attack began in early 2014, when adversaries infiltrated the victim steel mill's Information Technology (IT) network via a spearphishing campaign, then worked their way into the Operational Technology (OT) environment, where they executed software that caused denial of service, denial of control, and eventually a loss of control. This led to the blast furnace shutting down without proper safety procedures, resulting in catastrophic physical damage. No lives were lost in the incident, but Thyssenkrupp suffered $4 million in damage to the blast furnace and an additional $6 million in lost revenue [5]. The adversaries required specialized knowledge and expertise in steel production, which enabled them to compromise a variety of internal systems and components across both IT and OT networks. The attack also demonstrated detailed knowledge of the industrial control systems (ICS) and production processes in use. This combination resulted in one of the earliest known publicly reported cybersecurity incidents to cause physical damage to ICS equipment.

Researchers and analysts identified 19 unique techniques (used in a sequence of 20 steps) utilized during the attack, with a total of 454 observables, mapped using MITRE ATT&CK® for Industrial Control Systems. The CyOTE program assesses the observables accompanying techniques used prior to the triggering event in order to identify opportunities to detect malicious activity. If the observables accompanying the attack techniques are perceived and investigated before the triggering event, malicious activity can be comprehended earlier. Fifteen of the identified techniques used during the Thyssenkrupp cyber attack were precursors to the triggering event. Analysis identified 369 observables associated with these precursor techniques, 316 of which were assessed to have an increased likelihood of being perceived in the 120 days preceding the triggering event. Response and comprehension time could have been reduced had these observables been identified earlier. The information gathered in this report contributes to a library of observables tied to a repository of artifacts, data sources, and technique detection references for practitioners and developers, supporting the comprehension of indicators of attack. Asset owners and operators can use these products if they experience similar observables, or to prepare for comparable scenarios.
- Research Organization: Idaho National Laboratory (INL), Idaho Falls, ID (United States)
- Sponsoring Organization: USDOE Office of Nuclear Energy (NE)
- DOE Contract Number: AC07-05ID14517
- OSTI ID: 3030060
- Report Number(s): INL/RPT-22-70679
- Country of Publication: United States
- Language: English
Similar Records
- PRECURSOR ANALYSIS REPORT: JBS FOODS RANSOMWARE ATTACK 2021 (Technical Report, Mon Oct 13 20:00:00 EDT 2025, OSTI ID: 3030043)
- PRECURSOR ANALYSIS REPORT: INDUSTROYER2 AND WIPER MALWARE TARGETING UKRAINIAN ENERGY PROVIDER 2022 (Technical Report, Mon Oct 13 20:00:00 EDT 2025, OSTI ID: 3030047)
- CyOTE Precursor Analysis Report: DoppelPaymer Ransomware Attack on Petroleos Mexicanos (PEMEX) 2019 (Technical Report, Wed Oct 15 20:00:00 EDT 2025, OSTI ID: 3030061)