Event description
Representatives of the Tube oil and gas company reported that the enterprise had been experiencing anomalous disruptions in process flows for two weeks. An investigation showed that Tube faced a sophisticated, multi-stage cyberattack. About six months ago, malware disguised as a legitimate system application infiltrated the computers of ICS operators. The malware, acting like a keylogger, had been stealthily recording every keystroke the entire time (including the instances when operators would enter their credentials). But the story doesn't end there. About two weeks ago, an unknown hacker group launched an attack on the company. Once they infiltrated the infrastructure, the attackers stumbled upon a pleasant surprise: Tube's computers were already infected! All the hackers had to do was extract the accumulated information and use the operators' credentials to access the company's critical systems. By manipulating equipment parameters, the attackers nearly caused a major accident. Fortunately, Tube specialists spotted the trouble just in time to prevent a disaster. However, it's still unclear whether any confidential data has been leaked.