Detection of Dark Web threats to critical infrastructure

Detection of Dark Web threats to critical infrastructure


The Utimaco Deep Dark Web System (DDWS) is an innovative Digital Risk Protection & Dark web monitoring platform that automates the monitoring of the surface, deep and Dark Web. This tool aims to protect companies, organizations (police and/or Law Enforcement Agencies (LEAs)), or critical infrastructure from becoming potential targets of criminal activities such as fraud or cybercrime.


Supervisory Control and Data Acquisition (SCADA) and Industrial control systems (ICS) are crucial components in the operation of industrial facilities and critical infrastructures. Successful cyberattacks can bring internal systems to a standstill, cause financial losses, and, in the worst-case scenario, result in the loss of human lives. SCADA and ICS have become high-value targets for attackers looking to disrupt business operations.

The challenge

Unfortunately, many ICS in nuclear plants, electric grids, dams, gas pipelines, water facilities and other industrial environments have large legacy IT systems that are not designed to be resilient to cyberattacks, due to their complexity.

As a result, threat actors are increasingly targeting these systems. Most of the attacks against the industrial networks are not complex because of inadequately secured legacy IT systems within these critical infrastructures.

Threat actors could use different attack vectors by taking advantage of existing configuration flaws in the industrial devices and interfaces, as well as operating systems vulnerabilities. Examples of attacks could include legacy systems lacking security fundamentals, misconfigured network systems, or unencrypted communication channels. Additionally, sabotage via DDos attacks, malware, or web application attacks via systems exposed online are also possible.

The solution

With DDWS, Utimaco provides customers with a turn-key solution with the ability to search across Dark Web data sources to gather intelligence-related data. The data sources are constantly maintained and updated, and new data sources are continuously added. Access to these data sources will allow authorities to gain a comprehensive understanding of the Dark Web’s activities and trends. This is accomplished through a user-friendly GUI which allows for the customisation of process flows, alerting and reporting to benefit an OSINT mission.

DDWS provides fully automated searches and detailed access to the Dark Web in order to monitor potential cyber-attacks or vulnerabilities in critical infrastructure such as Supervisory Control And Data Acquisition (SCADA) and Industrial control systems (ICS). By continuously monitoring DDWS for key words associated with systems, companies, or assets, threat intelligence can be generated, leading to the prevention and mitigation of cyber-attacks and financial losses.

With DDWS, it is possible to execute searches using a range of different parameters, allowing the user to conduct both wide or narrow searches depending on the specific requirement. A modular and flexible workflow integrates the searches and categories into a user-friendly model.

Scenarios of common issues:

Vulnerabilities and exploits

The Dark Web is abundant with so-called zero-day or zero-hour vulnerabilities – security flaws that vendors are unaware of and have no security patch. Yet. Finding DDWS provides information on the zero-day vulnerabilities and exploits, enabling investigators to identify and implement effective mitigating controls prior to the patch release. It also allows for the vulnerability to be fixed as soon as the patch becomes available.


Cyber criminals often sell active access to systems and devices on the Dark Web. Hackers who focus on scanning and gaining access to networks may decide not to exploit the target. Instead, they sell the access (using crypto) to other hackers who specialize in further exploitation. DDWS is used by investigators to potentially identify attackers before they commit crimes.

Passwords or accounts

Passwords are valuable assets; attackers are aware that people tend to reuse passwords across multiple accounts and use these to gain access to internal systems. DDWS is used by investigators to potentially identify data breaches as they happen and to proactively mitigate before an attack occurs.

Insider threats

Cyber criminals can be approached by insiders in order to buy their login credentials or to sell intellectual property (IP). Alternatively, ransomware can be specifically designed to steal IP. Criminals, for example, use malware to encrypt data and then extort insiders to release certain IP in exchange for decryption.

Key takeaways

  • Supervisory Control And Data Acquisition (SCADA) and Industrial control systems (ICS) are critical components in the operation of industrial facilities and critical infrastructures.
  • Successful cyberattacks on any critical infrastructure can bring internal systems to a standstill, cause financial losses, and in the worst-case scenario,result in the loss of human lives.
  • Search, monitor and investigate the Dark Web without the right tools is nearly impossible.  


Recent Examples of cyber-attacks on critical infrastructure

Taiwan’s state-owned energy company, CPC Corp.

CPC Corp in Taiwan, a national asset in charge of oil delivery and liquid natural gas import, was targeted with a ransomware attack during 2020. Though energy production remained undamaged, the hack threw the company’s payment system into chaos. Customers at CPC gas stations were unable to use payment wand VIP cards, and payment apps were all rendered useless, though cash and credit still functioned. A compromised flash drive is the supposed unconfirmed culprit, and authorities have not officially named a culprit, though hacker group Winnti is suspected.

Israeli water systems

Israeli water systems were cyber-attacked on a number of occasions in mid-2020. The attacks were designed to compromise the ICS command and control systems for Israel’s pumping stations, sewer systems, wastewater plants, and agriculture pumps. Though the attackers ultimately failed, the attacks aimed to attempt to spike chlorine and other chemicals in the water to harmful levels and disrupt the water supply during a heatwave and Covid-19. The terrorists exploited outmoded legacy systems still in use and inadequate password guidelines in place at those facilities. Regularly updating passwords is a seemingly obvious but under-implemented solution to these vulnerabilities, along with replacing outdated ICS equipment and keeping firmware updated. It is just as essential to identify unfamiliar network-connected devices and remove them immediately.

Iranian Cyber Attack on New York Dam

Iranian state-sponsored hackers, the ITSec Team, or Mersad Company, broke into the Supervisory Control And Data Acquisition (SCADA) systems of the Bowman Dam in New York. The system was connected to a cellular modem but was under maintenance during the time of the attack.

The hackers exploited the unprotected modem connection and lack of security controls for the Dam’s systems. Fortunately, the hackers only accessed a small sluice gate, but were able to manipulate the SCADA controllers expertly. The attack was not necessarily complex in nature but was deemed to be more of a penetration test to probe for weaknesses.

Critical infrastructure controllers must be kept separate from the internet at all costs. If they must have connectivity, the proper security controls, and segregation must be implemented, even for the smallest gates and pipes. In this case, it would also behoove the dam operators to work with the municipal and state government to test and improve their security regularly.

Source of Recent Examples of cyber-attacks on critical infrastructure:

Contact us

We look forward to answering your questions.

Get in touch with us

Talk to one of our specialists and find out how Utimaco can help you today.