3 KEY LEARNINGS: Cyber Attack Against A German Steel Mill


Author: Teemu M.
Date: 26.08.2015
Read Time: 3 Minutes

Among all the daily news about various cyber attacks, there was one troubling case that was likely lost in the noise.

In 2014, an attack against a German steel mill disrupted the manufacturing process to such an extent that the blast furnace could not be properly shut down, resulting in serious damage to the furnace.

While we do not know the specific damages incurred, we do know that industrial blast furnaces are massive, up to 30 meters tall and 10 meters wide. They can cost millions of dollars to build, and produce hundreds of thousands of dollars in value per day. Downtime and refurbishment would exact a heavy price.

It is rare to have confirmed cases where digital cyber attacks have caused physical damages or changes. Mainly because there is rarely direct financial gain to be made, making it an unlikely act for criminals.  And more advanced attackers rarely leave traces.



Targeting industrial or business processes is nothing new.

Last year, IBM Trusteer researchers found a variant of the Citadel malware attacking Middle Eastern petrochemical companies. Earlier in 2014, we here at F-Secure were closely following a version of the Havex remote access Trojan (RAT), which was used to attack the websites of industrial control system manufacturers and poison their software downloads. The goal was to trick unsuspecting clients into downloading malicious (now with 100% more Havex!) supervisory control and data acquisition (SCADA) software updates, which would let the attackers access the network once in use.

The most famous one is Stuxnet (discovered in 2010), a sophisticated cyber weapon used by US and Israel to sabotage the centrifuges of a uranium enrichment plant. After its discovery in 2010, many experts (us included) warned that it’s simply a matter of time before similar destructive attacks could occur.

Various manufacturing and industrial control systems are known to be full of vulnerabilities, despite the fact that they are present in various critical business and infrastructure systems. Examples of these critical assets include public utilities, financial networks, and well, steel mills.

In the case of the German steel mill, the attacker managed to access the company’s office network using a targeted spear-phishing attack, which tricked the reader into accessing malicious content. From there, the attackers were able to make a jump to the industrial control systems, and compromise its components in a way that prevented the blast furnace from being shut down in a regulated manner, causing the damage.



  1. Get the basics right: Spear-phishing attacks through email are a common tool in the pockets of attackers. Keep your email security and spam filtering up-to-date, and train your employees in proper email hygiene.
  2. Keep that software up-to-date: Generally speaking, malicious emails have to exploit some vulnerability in order to truly infect a system. Most of these attacks are against well know vulnerabilities, so by simply keeping all your software up-to-date, you can prevent the majority of attacks.
  3. Get that production system off the grid: Due to the jump from the office network to the production systems, it is safe to assume that the mill’s office network had a connection to the industrial control system. If it is not absolutely necessary to have your production systems connected to the web, even through the office network, it is better to just air gap it.



This blog post is the first of a series of posts [Part 2], [Part 3], [Part 4],where we look at the real-life attacks against businesses. It is inspired by our upcoming eBook (also part of an ongoing series), called: CYBER SECURITY DEMYSTIFIED: Securing Business Operations. You can get the ebook from here: Read eBook

Post Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s