Exfiltration: the architectural fact that ties it together

Neither the enterprise zone nor the operational zone can reach the internet zone directly. The firewall rules are explicit: inbound from the internet is restricted, outbound is restricted, nothing flows between the interior zones and the street.

But wizzards-retreat is triple-homed. Its internet NIC is at 10.10.0.10; its operational NIC is at 10.10.2.3. That single architectural fact — a machine reachable from the internet, holding a password that survives wordlists, sitting directly on the operational zone network — is why two completely separate attack chains collapse into the same exfiltration path. The stunnel certificate set from the SCADA server. The historian database from the operational zone. The 2019 backup archive from the engineering workstation. None of them can be sent directly to unseen-gate. All of them flow through 10.10.2.3 first.
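The inventory check that would have flagged this before any attacker did: treat each multi-homed host as a link between the zones its NICs sit in, then ask which of those links the firewall policy never intended and whether removing the host restores isolation. The script below is an added example, not code from the original writeup or the lab it describes. The two addresses of wizzards-retreat are from the text; the /24 zone layout, its assumed enterprise address, the permitted-pair policy and every other host are constructed assumptions.

```python
"""Find multi-homed hosts that bridge network zones the firewall policy keeps apart.

Added example (not from the original writeup). Zone CIDRs, the enterprise address
of wizzards-retreat and all hosts other than wizzards-retreat are constructed
assumptions for the lab described above.
"""
import ipaddress
from collections import deque
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

# Assumed zone layout: one /24 per zone, inferred from the two addresses on the page.
ZONES = {
    "internet": ipaddress.ip_network("10.10.0.0/24"),
    "enterprise": ipaddress.ip_network("10.10.1.0/24"),
    "operational": ipaddress.ip_network("10.10.2.0/24"),
}

# Zone pairs the firewall rules intentionally allow to talk. The page says no
# interior zone may reach the internet zone, so only enterprise<->operational
# is permitted here (assumption).
PERMITTED_PAIRS = {frozenset({"enterprise", "operational"})}

# Constructed host inventory: interface addresses per host.
# 10.10.0.10 and 10.10.2.3 are from the page; everything else is assumed.
HOSTS = {
    "wizzards-retreat": ["10.10.0.10", "10.10.1.10", "10.10.2.3"],
    "scada-server": ["10.10.2.20"],
    "historian": ["10.10.2.21"],
    "eng-workstation": ["10.10.1.40"],
    "unseen-gate": ["10.10.0.200"],
}


def zone_of(address: str) -> Optional[str]:
    """Return the zone whose CIDR contains the address, or None if it is in no zone."""
    ip = ipaddress.ip_address(address)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def bridging_hosts(hosts=HOSTS, permitted=PERMITTED_PAIRS) -> Dict[str, List[Tuple[str, str]]]:
    """Map each multi-homed host to the zone pairs it joins that policy does not permit."""
    findings = {}
    for host, addrs in hosts.items():
        zones = sorted({zone_of(a) for a in addrs} - {None})
        bad = [(a, b) for a, b in combinations(zones, 2) if frozenset({a, b}) not in permitted]
        if bad:
            findings[host] = bad
    return findings


def reachable_zones(start: str, hosts=HOSTS, permitted=PERMITTED_PAIRS) -> Set[str]:
    """Zones reachable from `start` via permitted firewall paths or multi-homed hosts.

    A host with NICs in two zones is modelled as a link between those zones,
    because material can be staged on one NIC and pulled from the other.
    """
    links = {z: set() for z in ZONES}
    for pair in permitted:
        a, b = tuple(pair)
        links[a].add(b)
        links[b].add(a)
    for addrs in hosts.values():
        zones = {zone_of(a) for a in addrs} - {None}
        for a, b in combinations(zones, 2):
            links[a].add(b)
            links[b].add(a)
    seen, queue = {start}, deque([start])
    while queue:  # plain BFS over the zone graph
        z = queue.popleft()
        for n in links[z]:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return seen


def isolated_without(host: str, zone_a: str, zone_b: str, hosts=HOSTS) -> bool:
    """True if removing `host` from the inventory leaves zone_a unable to reach zone_b."""
    remaining = {h: a for h, a in hosts.items() if h != host}
    return zone_b not in reachable_zones(zone_a, remaining)


if __name__ == "__main__":
    for host, pairs in bridging_hosts().items():
        print(f"{host} bridges zones the policy keeps apart: {pairs}")
    print("zones reachable from internet:", sorted(reachable_zones("internet")))
    print("operational isolated from internet without wizzards-retreat:",
          isolated_without("wizzards-retreat", "internet", "operational"))
```

Run against a real inventory (CMDB export, cloud NIC listing, `ip addr` collected by config management), the point is that the firewall rule set alone says nothing about reachability once a host straddles two zones; the BFS treats the host exactly as the text does, as a link the firewall never sees.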

The staging process is straightforward. From inside the operational zone, material is written to a temporary directory on wizzards-retreat’s operational NIC using whatever protocol the source allows: HTTP PUT, SCP, SMB, or a simple ad-hoc HTTP receiver. From unseen-gate, the same material is pulled from wizzards-retreat’s internet NIC using SCP. The machine is the bottleneck and the relay simultaneously.
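A detection that matches the staging pattern just described: on a multi-homed host, a bulk transfer arriving on the interior NIC followed within a short window by a transfer of about the same size leaving the exterior NIC. The correlation below is an added example, not code from the original writeup. It assumes unidirectional NetFlow-style records (`timestamp src dst dport bytes`, bytes counted from src to dst); the log lines, the window, the size tolerance and the address of unseen-gate are constructed, while the two addresses of wizzards-retreat are from the text.

```python
"""Correlate flow records to spot a multi-homed host acting as a staging relay.

Added example, not from the original writeup. Flow format, window, tolerance,
unseen-gate's address and every log line are constructed assumptions; the two
wizzards-retreat addresses are from the page.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple

# Interfaces of the host under watch: interior NIC(s) where material gets staged,
# exterior NIC(s) from which it gets pulled. Addresses from the page.
RELAY_CANDIDATES = {
    "wizzards-retreat": {"interior": {"10.10.2.3"}, "exterior": {"10.10.0.10"}},
}

# Constructed unidirectional flow records: "timestamp src dst dport bytes".
SAMPLE_LOG = """\
2024-05-01T09:50:00 10.10.0.10 10.10.0.200 22 52428800
2024-05-01T10:00:05 10.10.2.21 10.10.2.3 445 52428800
2024-05-01T10:02:10 10.10.2.20 10.10.2.3 8080 4096
2024-05-01T10:14:30 10.10.0.10 10.10.0.200 22 52000000
2024-05-01T10:15:00 10.10.0.10 10.10.0.200 22 1500
2024-05-01T11:30:00 10.10.0.10 10.10.0.200 443 3000000
2024-05-01T12:00:00 10.10.1.40 10.10.2.3 445 52428800
"""


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow format; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def detect_relay(flows: Iterable[Flow], candidates=RELAY_CANDIDATES,
                 window: timedelta = timedelta(hours=1), tolerance: float = 0.2,
                 min_bytes: int = 1_000_000) -> List[Dict]:
    """Pair a bulk push onto an interior NIC with a later, similar-sized pull off an exterior NIC.

    Only the order in the text is modelled (stage inside, then pull from outside);
    transfers below `min_bytes` are ignored so keepalives and small files do not alert.
    """
    flows = [f for f in flows if f.nbytes >= min_bytes]
    alerts = []
    for host, nics in candidates.items():
        staged = [f for f in flows if f.dst in nics["interior"]]
        pulled = [f for f in flows if f.src in nics["exterior"]]
        for s in staged:
            for p in pulled:
                lag = p.ts - s.ts
                if timedelta(0) <= lag <= window and abs(p.nbytes - s.nbytes) <= tolerance * s.nbytes:
                    alerts.append({
                        "host": host,
                        "staged_from": s.src, "staged_at": s.ts.isoformat(), "bytes_in": s.nbytes,
                        "pulled_to": p.dst, "pulled_at": p.ts.isoformat(), "bytes_out": p.nbytes,
                        "lag_seconds": int(lag.total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_relay(parse_flows(SAMPLE_LOG)):
        print(alert)
```

With the sample above only the 10:00 push from the historian address paired with the 10:14 pull toward unseen-gate alerts: the 09:50 outbound precedes any staging, the 4 KB and 1.5 KB flows fall under the size floor, the 11:30 flow has no inbound of matching size, and the 12:00 push from the enterprise workstation is never followed by a pull. In production the same logic belongs in the flow collector or SIEM keyed on the multi-homed hosts the inventory check identifies.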

The stunnel certificates enable direct Modbus access to the PLC from any machine with a network path to the gateway. Possession of them means the SCADA application is bypassed entirely. A Python script or an interactive terminal speaking Modbus directly to the gateway is sufficient.

The historian database contains not just credentials but the operational envelope: the trip thresholds, the normal spread of readings, the baseline from which anomalies would be detected. Knowledge of what normal looks like is knowledge of what can be injected without appearing abnormal.

The 2019 backup archive adds the pre-rotation credential snapshot and a complete device inventory. On a lab instance where no rotation has been simulated, those credentials are still valid.

The architectural fact that makes exfiltration necessary also makes it inevitable. A crossing point between the internet and the interior, reachable from outside, sitting on the network where the goods are stored. Remove it and the interior zones become isolated from the internet. Leave it and material flows out through it as a matter of course.