At a glance.
- Siemens patches a vulnerability endemic to the energy sector.
- Disruptions of Ukrainian supply chains.
- An update on the Vulkan Papers.
- Ukraine argues that cyberattacks against civilian infrastructure should be classified as war crimes.
- Eurocontrol under attack.
- Ransomware at Fincantieri Marinette Marine.
- Bitter APT may be targeting Asia-Pacific energy companies.
- ETHOS: a new private-sector OT risk information-sharing platform.
- CISA requests comment on software self-attestation form.
- A look back at the Colonial Pipeline ransomware attack.
Siemens patches a vulnerability endemic to the energy sector.
Siemens last week addressed a flaw in systems widely deployed throughout the electrical power sector. SecurityWeek reports, "The vulnerability, tracked as CVE-2023-28489, impacts the CPCI85 firmware of Sicam A8000 CP-8031 and CP-8050 products, and it can be exploited by an unauthenticated attacker for remote code execution. These products are remote terminal units (RTUs) designed for telecontrol and automation in the energy supply sector, particularly for substations."
Most implementations of these systems are believed to be "heavily firewalled," as observers put it, because their criticality is widely recognized. Thus the risk seems largely driven by the possibility of error and misconfiguration.
Russian ransomware operations aim to disrupt supply chains into Ukraine.
The US Intelligence Community sees Russian cyber operators devoting more effort toward disruption of supply chains supporting Ukraine. CyberScoop quotes NSA's Rob Joyce, the agency's director of cybersecurity, as saying that NSA is observing “a significant amount of intelligence gathering into the Western countries, to include the U.S., in that logistics supply chain.” A large fraction of that supply chain carries humanitarian aid.
And it’s worth noting that the supply chains at risk here are physical supply chains that move material goods, not the software supply chains that have been much talked about.
This sort of threat has been seen before. To place some of the potential effects in context, recall the way NotPetya, a pseudoransomware campaign from 2017, encrypted systems at the shipping giant Maersk. The attackers kept up the ransomware pretense long enough to demand payment, but as it turned out there was no way to decrypt the files: they were modified in ways that made them unrecoverable. Loss of these administrative systems resulted in loss of visibility into Maersk's containers, and the shipper had to revert to manual checking and manual management of the cargo it carried. This caused supply chain delays, particularly serious in time-sensitive shipments.
An update on Russia’s NTC Vulkan: SIGINT, EW, and cyber ops.
We've been following another development in Russia's war against Ukraine: the revelations contained in the so-called Vulkan Papers. To recap briefly, NTC Vulkan is a Moscow-based IT consultancy that does contract work for all three of the major Russian intelligence services: the GRU, the SVR, and the FSB. Der Spiegel, one of a group of media outlets that broke the story, sourced it to a major leak of some thousand sensitive documents running to more than five thousand pages.
The leaked papers reveal that Vulkan is engaged in supporting a full range of offensive cyber operations: espionage, disinformation, and disruptive attacks intended to sabotage infrastructure. Dragos has released a study of what the Vulkan Papers mean for that last class of activity: infrastructure disruption. The company's report took as its point of departure the coverage in the Washington Post, and it focused in particular on one of Vulkan’s tools, a malware suite known as Amesit-B. The researchers offered four key takeaways:
- First, the papers represent genuine leaks from a "Russian contracting repository."
- Second, the tools represent an operational as opposed to a training or research capability.
- Third, Amesit-B represents a clear potential threat to the rail transportation and petrochemical sectors, and it works from a familiar Russian military intelligence playbook.
- And finally, the Amesit-B platform shows an interesting convergence of cyber operations with traditional signals intelligence and electronic warfare operations. And it’s very much a combat support system, intended for battlefield use by a combatant commander.
Dragos advises taking Vulkan’s capabilities seriously, and understanding them in context.
Eurocontrol under attack.
The European air traffic control agency, Eurocontrol, reported a cyberattack by Russian actors. Eurocontrol's site has a terse account of the attack, which appears to be of the familiar distributed denial-of-service variety. "Since 19 April, the EUROCONTROL website has been under attack by pro-Russian hackers. The attack is causing interruptions to the website and web availability. There has been no impact on European aviation." The Wall Street Journal reports that KillNet has claimed responsibility.
Ukraine argues that cyberattacks against civilian infrastructure should be classified as war crimes.
Speaking at RSAC this week, Illia Vitiuk, Ukraine's head of the Department of Cyber Information Security in the Security Service of Ukraine, urged that cyberattacks against civilian infrastructure should be treated as war crimes. “I do believe that military commanders that are in charge of special forces and special services like the [Russian] GRU or SVR who are responsible for cyber-attacks on civilian infrastructure should also be convicted as war criminals,” Infosecurity Magazine quotes him as saying. Such attacks would presumably violate one or more of the principles that underlie the laws of armed conflict: proportionality, discrimination, and military necessity.
Iranian threat actor exploits N-day vulnerabilities, turns its attention to infrastructure.
Microsoft has reported that the group it's hitherto tracked as Phosphorus (and will henceforth refer to as "Mint Sandstorm") has developed a specialty in weaponizing N-day vulnerabilities, that is, vulnerabilities for which a fix or mitigation is available, but which some organizations have failed to patch. It's also been known mostly for reconnaissance and cyberespionage, but that may be changing, as there are signs the group is turning its attention to critical infrastructure. Mint Sandstorm has been known to conduct cyberespionage against both military and civilian targets (including political dissidents), but over the past two years the group has been observed to carry out attacks against infrastructure, and Microsoft thinks that its future activities may show a continued and growing disinhibition and loss of restraint.
Bitter APT may be targeting Asia-Pacific energy companies.
Intezer concludes that a new string of phishing attacks targeting the energy sector is using tactics that resemble those previously used by Bitter APT. "Bitter APT is a South Asian threat group that commonly targets energy and government sectors; they have been known to target Pakistan, China, Bangladesh, and Saudi Arabia." The group makes its approach through phishing.
Although Bitter APT's involvement in the attacks is not fully confirmed, there are circumstantial grounds that point in its direction. The researchers have found that the threat actors are using the same tactics previously observed in use by the Bitter APT group, such as “the use of Microsoft Office exploits through Excel files, and the use of CHM and Windows Installer (MSI) files.” The attacks begin with an email inviting personnel in the energy sector to a conference or round table. The phishbait is intended to induce the target to download and open a RAR file that contains a malicious payload.
Ransomware at Fincantieri Marinette Marine.
On April 12th the Wisconsin shipyard of Fincantieri Marinette Marine, builders of the US Navy’s Freedom class of Littoral Combat Ships and the Constellation class guided missile frigates, sustained a ransomware attack that disrupted shipyard operations. The US Naval Institute News reported that the attack targeted servers that held data used to deliver instructions to the shipyard’s numerical control manufacturing machines. Those devices translate design specifications into instructions for “welders, cutters, bending machines and other computer-controlled tools.”
Operations had begun restoration within a day of the attack, but the episode was disturbing, and was closely monitored by the US Navy. It wasn’t immediately clear whether any data were stolen, but if temporary disruption of construction at a shipyard was the attackers’ goal, that was accomplished.
ETHOS: a new private-sector OT risk information-sharing platform.
This month at the RSA Conference in San Francisco, a community of private-sector companies announced the formation of ETHOS, an acronym for, “Emerging Threat Open Sharing.” ETHOS is intended to be “an open-source, vendor-agnostic technology platform for sharing anonymous early warning threat information across industries with peers and governments.” It’s intended to function as a hotline across which early indications of threat activity can be shared.
The eleven founding members of the ETHOS community are 1898 & Co., ABS Group, Claroty, Dragos, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable, and Waterfall Security.
The initiative also has the support of CISA, the US Cybersecurity and Infrastructure Security Agency. Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, said, “The scale of threats facing critical infrastructure operators, and in particular Operational Technology networks, requires an approach to information sharing grounded in collaboration and interoperability. CISA is eager to continue support for community-driven efforts to reduce silos that impede timely and effective information sharing. We look forward to collaborating with such communities, including the ETHOS community, to improve early warning and response to potential cyber threats, while appropriately protecting sensitive information about our nation’s critical infrastructure community.”
ETHOS is structured as a not-for-profit entity run by an independent mutual benefit corporation. At present, its technology resources may be found on GitHub.
CISA requests comment on software self-attestation form.
The US Cybersecurity and Infrastructure Security Agency (CISA) released a request for comment on a draft self-attestation form for federal government software providers. The Secure Software Development Attestation Common Form was a combined effort between CISA and the Office of Management and Budget (OMB) and is based on the National Institute of Standards and Technology’s (NIST) Secure Software Development Framework (SSDF). FCW wrote that the form is intended for software vendors to prove their products are secure to the standards of federal government customers, with the government’s ultimate goal to work toward securing the supply chain. This follows a 2021 executive order on improving cybersecurity throughout the United States, and a later memo that same year from OMB requiring federal agencies to acquire self-attestation forms from vendors, with a looming September deadline. Public comment on the form will be accepted through June 26, 2023, via a comment box on the Regulations.gov website.
The Colonial Pipeline ransomware attack, two years later.
Sunday marked the second anniversary of the Colonial Pipeline ransomware attack, and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a short statement on lessons learned from it. The general problem the attack exposed, as CISA frames it, is ransomware, and countering it requires effective, centralized information-sharing, interagency cooperation, and a robust public-private partnership.
Russia’s war against Ukraine brought urgency to the US Government’s preparations for cyberattacks against critical infrastructure. That indeed is the threat that CISA’s Shields Up campaign has been designed to counter. CISA and its sister Homeland Security agency TSA (the Transportation Security Administration) also established close working relationships with over twenty-five major pipeline and industrial control systems organizations to strengthen the common defense. CISA also received authority from Congress to expand the visibility and threat detection program it operates as CyberSentry.
Obviously, the statement says, work remains to be done, not only improving information-sharing and threat detection, but in assigning cybersecurity an appropriately high priority and aligning incentives in ways that promote security.