Three days before Halloween, on Oct 28, 2022, Aurubis, the largest copper producer in Europe, issued a press release announcing that it had been hit by a cyber attack. The company said it had shut down IT systems connected to the internet as a preventive measure to stop the attack from spreading, but was able to keep production running.

According to the press release, Aurubis believed it had been targeted as part of a wider cyber attack on the metals and mining industry. The company's share price fell 4% when news of the attack became public.

The purpose of this blog post is to give some context to the Aurubis attack and attempt to answer the question of who may have been responsible. Is there a connection between the Aurubis cyber attack and the Russian invasion of Ukraine? Or was this more likely the work of lower-level threat actors?

Aurubis' Questionable Timeline

Roland Harings, Chief Executive Officer of the Hamburg, Germany-based Aurubis, made a statement on Tuesday, October 25th, three days before the cyber attack, asking the London Metal Exchange (LME) to enact an immediate ban on Russian metal. While many countries have levied sanctions against Russian oil, gas, and other commodities, no sanctions have yet been imposed on copper. However, Harings reported that demand for Russian copper is low, as consumers are avoiding Russian supplies of any kind. The fear is that LME warehouses could start stockpiling Russian metal, leaving an opening for a possible future market manipulation incident. 

At present, Russia supplies 292,000 of the 801,000 tonnes of copper the European Union imports annually, which equates to 36%. If sanctions are enacted, this roughly one third of demand would need to be supplied by other copper producers. In August, Aurubis posted a near 24% jump in quarterly profits, and Harings confirmed that EBITA would be roughly 500-600 million euros. 

Next, on Monday, October 31st, three days after the attack, Aurubis laid off 300 workers from its Buffalo, New York plant. Local Buffalo news station WGRZ aired a segment that night suggesting there may have been a correlation between the Buffalo plant layoffs and the cyber incident several days earlier.

This timeline of events could be a coincidence, but it is worth questioning. Publicly asking for bans on Russian supplies while Russia is actively invading Ukraine and already feeling the bitter weight of sanctions might have put a large target on Aurubis' back. Even more so when you consider that Russia allegedly has teams of trained cyber operatives working 9-to-5 jobs to ensure tactical advantages on the cyber warfare landscape. 

A Threat From Legacy Equipment

An examination of the timeline points toward Russia as the attacker. However, it wouldn't be prudent to stop there, chalk the event up to Russian cyber operatives and leave it at that. We also need to do a little digging and some open source intelligence gathering. Through our own research, we found that the Buffalo plant very likely uses at least some of the following technologies as part of its IT/OT network:

  • Allen Bradley PLCs 
  • Siemens PLCs
  • Siemens gas analyzers
  • Siemens drives
  • Dr. Schenk vision systems
  • IBM AS/400 Server

All of the above assets have well-known and well-documented vulnerabilities, but we want to focus specifically on the IBM AS/400 system, because the way it is typically deployed leaves some large gaps when it comes to security. 

Originally introduced in the late 1980s, this workhorse system is still widely used in the banking, casino, hotel, high-tech, manufacturing, and insurance industries. There are still roughly 500,000 AS/400 servers active worldwide. Some key security-relevant characteristics of these servers include:

  • Telnet service on by default
  • POP3 service on by default
  • FTP service on by default
  • LDAP service on by default

These services give an attacker a quick way to enumerate user profiles. Once a user list is available, the next step is usually to guess or brute-force credentials. These systems also have a high incidence of identity management problems: they are too often found still using default or shared passwords, with too many privileged users holding special authorities, with outdated NetServer guest profiles still enabled, and with various other weaknesses. Any of these can give an attacker access to specific user accounts, and from there the ability to disrupt services inside the production process.

When legacy equipment is deployed as part of a network, it is especially important to have the complete picture of which user accessed what system inside the network, what activities or processes they initiated, and to map that back to a real identity. This is key to assessing a business' cyber security exposure. 

Having this information would help determine who was responsible for the Aurubis incident.

Finally, we went searching for any service, software or equipment that could be quickly associated with Aurubis' Buffalo plant operations. We discovered the following:

B2BConnex is a supply chain collaboration software package. By examining the "Clients" page on its website, we can see that Aurubis is a customer.

Again, this does not confirm that this was the origin of the breach. It is merely a sanity check on whether the attack required top-level threat actors backed by a nation-state such as Russia, or whether there was enough low-hanging fruit in this network that someone with less skill and experience could have exploited it.

While we can't know for sure, and the suspicious timeline points to this likely having been a coordinated attack by Russia, there is a warning here for all manufacturers that still deploy insecure legacy systems. 

Make sure you have proper cyber security controls in place that can monitor for and detect potential breaches, including on legacy systems. Don't allow team members to share accounts, and always follow your cyber security protocols. 

For additional information on keeping your network secure, download the whitepaper, OT Security For Vulnerable Devices. To see SCADAfence in action, and learn how it can help secure your OT network, please contact us today to request a demo.