Following recent attacks in the OT field such as the "Colonial Pipeline Ransomware Attack," a government transportation agency with several red team operations conducted in prior years wanted to ensure their ICS infrastructure was secure. They also wanted to ensure their blue team was prepared to handle such attacks.

After the OSINT phase, we began exploitation attempts on the organization's external attack surface. While some vulnerabilities were discovered, none allowed us to breach the external perimeter.

We then continued profiling employees and screening them for social engineering compatibility. Once we found our targets, we set up a phishing website that looked like the organization's VPN. Next, we made a call and performed vishing (voice-phishing) by impersonating the organization's IT staff. We were able to convince an employee to submit their credentials and MFA token while on the call with them.

We used the credentials to connect to the organization’s real VPN before the MFA token expired and gained access to the internal network. Once we were in the internal network, our main goal was to gain access to the railway control system while evading any of the blue team detection and response mechanisms.

We began by finding the right people in the organization in charge of those systems. We gained the necessary privileges, while evading detection, to take over the workstations of the relevant employees and let them do their thing. By targeting the right people, we were able to gain access to their computers and thereby gain access to the railway control systems.

This assessment allowed the agency to discover potential weaknesses in their systems and implement measures to combat those weaknesses.