At a glance.
- China's Volt Typhoon snoops into US infrastructure, with special attention to Guam.
- CosmicEnergy: red-teaming or Red Square?
- A cyberattack leads Suzuki to shut down Indian production line.
- BlackBasta conducts ransomware attack against Swiss technology company ABB.
- BlackBasta claims responsibility for Rheinmetall attack.
- Food and Agriculture Information Sharing and Analysis Center stands up.
- Five Eyes take down Turla and its Snake malware.
- CISA releases five ICS security advisories.
China's Volt Typhoon snoops into US infrastructure, with special attention to Guam.
A joint advisory from all Five Eyes reports a major Chinese cyberespionage operation that has succeeded in penetrating a wide range of US critical infrastructure sectors. Microsoft, in its own report on Volt Typhoon, as the threat activity is being called, says the group has been active since at least the middle of 2021. The targets of the spying have included a slew of sectors, including communications, manufacturing, transportation, government, IT, and education, among others. Microsoft writes that the threat actor intends to lie low and conduct cyberespionage for as long as they can. It does this, the Five Eyes stress, by carefully living off the land, exploiting existing legitimate administrative tools and privileges in its targets.
Microsoft’s report explains that internet-facing Fortinet and FortiGuard devices were penetrated by unknown means. Microsoft writes, “The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials,” adding, “Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers). Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet. Owners of network edge devices should ensure that management interfaces are not exposed to the public internet in order to reduce their attack surface. By proxying through these devices, Volt Typhoon enhances the stealth of their operations and lowers overhead costs for acquiring infrastructure.”
Both Microsoft and the government’s reports explain that Volt Typhoon is using living-off-the-land techniques to avoid detection. The technique relies on tools that are already installed on the target's hosts, which means that security systems may not detect the activity, as the actor can blend in with regular Windows traffic. “Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell,” writes the joint report.
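Because these binaries are legitimate, the defender's lever is context rather than signatures: which host ran the tool, which account, and with what arguments. The following is an added illustration, not code from the advisories or from Microsoft, that scores process-creation events for the four tools the report names; the event records, the host inventory (DC01 as the only domain controller) and the account names are constructed for the example.

```python
import re
from typing import Dict, List, Optional
# Built-in Windows tools the joint advisory names in Volt Typhoon's
# living-off-the-land activity.
LOTL_TOOLS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}
# Assumed (constructed) asset inventory: ntdsutil is routine on a domain
# controller and suspicious anywhere else.
DOMAIN_CONTROLLERS = {"DC01"}
# Constructed sample of Windows Security event 4688 (process creation)
# records flattened to key=value pairs; not logs from any real incident.
SAMPLE_EVENTS = [
    'EventID=4688 Host=WS01 User=CORP\\jsmith NewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe readme.txt"',
    'EventID=4688 Host=DC01 User=CORP\\backupsvc NewProcessName=C:\\Windows\\System32\\ntdsutil.exe CommandLine="ntdsutil.exe snapshot"',
    'EventID=4688 Host=FS02 User=CORP\\svc_fortigate NewProcessName=C:\\Windows\\System32\\ntdsutil.exe CommandLine="ntdsutil.exe"',
    'EventID=4688 Host=WS01 User=CORP\\svc_fortigate NewProcessName=C:\\Windows\\System32\\wbem\\wmic.exe CommandLine="wmic.exe /node:FS02 process list"',
    'EventID=4688 Host=WS01 User=CORP\\helpdesk NewProcessName=C:\\Windows\\System32\\netsh.exe CommandLine="netsh.exe interface show interface"',
    'EventID=4625 Host=WS01 User=CORP\\jsmith NewProcessName=- CommandLine="-"',
]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened key=value record into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(event: Dict[str, str]) -> Optional[str]:
    """Severity for one event, or None if it is not a LOTL tool launch."""
    if event.get("EventID") != "4688":
        return None
    image = event.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    if image not in LOTL_TOOLS:
        return None
    cmd = event.get("CommandLine", "").lower()
    # Credential extraction: ntdsutil launched outside the domain controllers.
    if image == "ntdsutil.exe" and event.get("Host") not in DOMAIN_CONTROLLERS:
        return "high"
    # Lateral movement: WMIC aimed at another host via its /node: switch.
    if image == "wmic.exe" and "/node:" in cmd:
        return "medium"
    return "low"  # a named tool ran; baseline this against normal admin use

def find_lotl(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over raw records; return findings, highest severity first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for ev in map(parse_event, lines):
        sev = classify(ev)
        if sev:
            findings.append({"severity": sev, "host": ev["Host"], "user": ev["User"], "cmd": ev["CommandLine"]})
    return sorted(findings, key=lambda f: rank[f["severity"]])
```

The "low" findings are where the real work is: they only become useful once compared against a baseline of which accounts normally run these tools on which hosts.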
Much of Volt Typhoon's activity has been directed against Guam, a US territory in the Western Pacific that plays host to important US military bases. Those bases would be important to any US intervention on behalf of Taiwan, should China decide to take a page from Russia's geopolitical playbook and invade what it regards as a renegade province. For its part China dismisses the reports as American disinformation, and denies its involvement in any activity the Five Eyes and Microsoft associate with Volt Typhoon.
There are a few aspects to this story that are of concern to those whose business it is to secure industrial control systems. The quiet establishment of persistence in any critical infrastructure network is a matter of concern. Whether Volt Typhoon is in fact engaged in preparing the battlespace for an operation against Taiwan, or whether it’s simply conducting a trial, in any hybrid war the target lists will surely include control systems. Operators should be on their guard.
CosmicEnergy: red-teaming or Red Square?
Operators also are hearing about CosmicEnergy. That’s not a natural phenomenon, of course, but rather a malware strain that appears designed to train operators in the case of an electrical disruption. Researchers at Mandiant late last week described CosmicEnergy, and they say it specializes in affecting operational technology and industrial control systems by “interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.”
CosmicEnergy was uploaded to the public malware scanning utility VirusTotal in 2021 by a user in Russia. The version Mandiant obtained lacks a built-in discovery capability, which means that significant manual management would be necessary in an attack. Attribution has remained inconclusive, but researchers suggest that this malware could have been a Russian red-teaming tool used in exercises to simulate an electric infrastructure attack, perhaps
The researchers explain that it is possible the malware was developed as a red-teaming tool for Rostelecom-solar, a Russian cyber security firm. Mandiant has not been able to attribute this malware to any nation state, but they explain that this could have been used for an exercise in Russia to simulate an attack on power stations. Of course, even legitimate red-teaming tools can be put to malign purposes.
If those legitimate red-teaming tools actually work, that is. Based on analysis from Dragos, in its current form CosmicEnergy doesn’t pose a high risk to OT environments in the way PIPEDREAM or INDUSTROYER2 do. Dragos states that though COSMICENERGY is not presently a threat, it does highlight the care defenders should take toward restricting access to critical devices, such as IEC104 devices and the components connected to them, such as MSSQL.
A cyberattack leads Suzuki to shut down Indian production line.
On May 10th a cyberattack of an unspecified nature induced Suzuki Motorcycle India to shut down its production line. The Hindustan Times reported that the stoppage reduced production of “two-wheelers” by tens of thousands over a matter of days. Suzuki has been tight-lipped in its disclosures, saying only, “We are aware of the incident and have promptly reported to the concerned Government department. The matter is currently under investigation, and for security purposes we are unable to provide further details at this point in time.”
So no one knows what kind of cyberattack it was, except perhaps for Suzuki and the responsible law enforcement authorities, and of course except for the attackers themselves. But signs do seem to many experts to point to a ransomware incident. Writing for Bitdefender, Graham Cluley offers this assessment:
“Suzuki may not wish to share any more information while it gathers more information about what has occurred, and determines its next steps, but I don't think it would be a surprise to anyone if it was later revealed that the company had suffered a ransomware attack.
“A ransomware attack might have not just caused disruption to the company's network infrastructure and communications through the encryption of data and lockdown of systems, but it could also mean that a hacking group has managed to exfiltrate sensitive information from the compromised company.
“In many instances, a company will decline to acknowledge that a cybersecurity attack was ransomware-related until it has determined whether it is prepared to pay a ransom or not to its extortionists.”
BlackBasta conducts ransomware attack against Swiss technology company ABB.
ABB, a technology company based in Switzerland, confirmed Friday that it is experiencing technical issues relating to a cyberattack. BleepingComputer reports that the BlackBasta ransomware gang was behind the attack, but ABB has yet to confirm this. “BleepingComputer has learned from multiple employees that the ransomware attack has affected the company’s Windows Active Directory, affecting hundreds of devices. In response to the attack, ABB terminated VPN connections with its customers to prevent the spread of the ransomware to other networks,” writes BleepingComputer. ABB seems to remain mostly operational. Eike Christian Mueter, group spokesperson at ABB, told ET CISO, “The vast majority of its systems and factories are up and running and ABB continues to serve its customers in a secure manner.”
BlackBasta also claims responsibility for Rheinmetall attack.
BlackBasta has been active elsewhere as well, continuing to show a predilection for attacks against industrial firms.
BlackBasta, a recently prominent double-extortion ransomware gang, published data stolen from Rheinmetall on BlackBasta's extortion site. According to BleepingComputer, samples on the site included "non-disclosure agreements, technical schematics, passport scans, and purchase orders." Rheinmetall confirmed that it had indeed come under attack by the Russian criminal organization: "Rheinmetall is continuing to work on resolving an IT attack by the ransomware group Black Basta. This was detected on 14 April 2023. It affects the Group's civilian business. Due to the strictly separated IT infrastructure within the Group, Rheinmetall's military business is not affected by the attack."
Rheinmetall is a well-known German manufacturer of steel, defense systems (one of its products is the widely used NATO 120mm smooth-bore tank main gun), automotive systems, and engines.
Food and Agriculture Information Sharing and Analysis Center stands up.
There’s a new ISAC in town. What had once been the food and agriculture special interest group of the Information Technology-Information Sharing and Analysis Center (IT-ISAC) will now become its own analytical center. The Food and Agriculture-Information Sharing and Analysis Center (Food and Ag-ISAC) will serve the particular interests of the sector, enabling food and agriculture companies to share threat intelligence, alerts, analyses, and mitigation tactics. The Washington Post wrote about the motivation for the new ISAC. “Cyber experts have repeatedly cited the sector’s lack of its own ISAC as a dangerous security gap in the industry’s ability to get a full picture of the tremendous risks it faces. Backers of the ISAC, which includes major industry players like PepsiCo to Tyson Foods, expect it to fortify the defenses of its members.”
The most notorious cyberattacks against the food and agriculture sector have been ransomware incidents–the most significant of which is generally held to be the ransomware infestation at meat-processing firm JBS in 2021–but the industry as a whole is susceptible to attacks on any number of industrial control systems. And even if the threat doesn’t progress beyond ransomware targeted against business systems, that’s serious enough.
Five Eyes take down Turla and its Snake malware.
With all the stories of Russian cyber activity, it’s worth noting that Moscow’s intelligence and security services aren’t ten feet tall.
Last month the Five Eyes took down the Snake infrastructure Russia's FSB has used for espionage and disruptive activity for almost twenty years. We note that the FSB unit responsible, generally known as Turla, has been implicated in espionage more than it has in sabotage, but the cooperation and the methods used in the takedown have broader application.
Operation MEDUSA involved not only technical disruption of Snake malware deployments but lawfare as well. Operation MEDUSA was the work of an international partnership whose principal members were, in the US, the NSA, Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Cyber National Mission Force (CNMF), and in the other Four Eyes the Canadian Cyber Security Centre (CCCS), the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), and the New Zealand National Cyber Security Centre (NCSC-NZ). The Joint Cybersecurity Advisory these agencies issued describes Snake as "the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets." The malware is stealthy, readily tailored to specific missions, and well-engineered.
Strings within Snake's early coding (such as “Ur0bUr()sGoTyOu#”) gave the malware its early name, "Uroboros," after an ancient symbol of eternity, a snake clutching its tail in its jaws. The FSB coders had an esoteric streak: they embedded a drawing of an Uroboros by the early modern Lutheran mystical theologian Jakob Böhme in their code.
The Justice Department describes Operation MEDUSA as "a court-authorized operation...to disrupt a global peer-to-peer network of computers compromised by sophisticated malware, called “Snake”, that the United States Government attributes to a unit within Center 16 of the Federal Security Service of the Russian Federation (FSB)." That unit, which has been commonly known as "Turla" (and is called that in court documents, but which has also been known as Venomous Bear), has been actively collecting against targets in some fifty countries for nearly two decades.
The FBI obtained a Rule 41 warrant to remove Snake from eight infested systems. The application for the warrant summarizes the authority sought. "Federal Rule of Criminal Procedure 41(b)(6)(B) provides that 'a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if . . . (B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.'” Such warrants are uncommon. The Department of Justice has used them twice in the past, the Record reports, once to disrupt China's Hafnium espionage campaign and once to dismantle Cyclops Blink, a Russian intelligence service botnet.
The FBI-developed tool used against Snake is also interesting:
"Operation MEDUSA disabled Turla’s Snake malware on compromised computers through the use of an FBI-created tool named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components.” The US Magistrate Judge authorized the Bureau to remotely access compromised computers. Internationally, where the US writ doesn’t run, the FBI is cooperating with the responsible national authorities and supporting their remediation efforts.
So security and law enforcement services are able to go into affected systems and neutralize the malware they find there.
And a final note on naming. If the FSB is given to esoteric Lutheran allusions, the FBI apparently has a classicist streak—Perseus, after whom their remediation tool was named, was the slayer of the Gorgon Medusa, the sight of whom could turn victims to stone.
CISA issues ICS security alerts.
On May 11th the US Cybersecurity and Infrastructure Security Agency (CISA) issued fifteen industrial control system (ICS) security alerts:
- ICSA-23-131-01 Siemens Solid Edge
- ICSA-23-131-02 Siemens SCALANCE W1750D
- ICSA-23-131-03 Siemens Siveillance
- ICSA-23-131-04 Siemens SIMATIC Cloud Connect 7
- ICSA-23-131-05 Siemens SINEC NMS Third-Party
- ICSA-23-131-06 Siemens SCALANCE LPE9403
- ICSA-23-131-07 Sierra Wireless AirVantage
- ICSA-23-131-08 Teltonika Remote Management System and RUT Model Routers
- ICSA-23-131-09 Rockwell Automation Kinetix 5500 EtherNetIP Servo Drive
- ICSA-23-131-10 Rockwell Automation Arena Simulation Software
- ICSA-23-131-11 BirdDog Cameras & Encoders
- ICSA-23-131-12 SDG PnPSCADA
- ICSA-23-131-13 PTC Vuforia Studio
- ICSA-23-131-14 Rockwell PanelView 800
- ICSA-23-131-15 Rockwell ThinManager
CISA added three more advisories on May 16th:
- ICSA-23-136-01 Snap One OvrC Cloud
- ICSA-23-136-02 Rockwell ArmorStart
- ICSA-23-136-03 Rockwell Automation FactoryTalk Vantagepoint
On May 18th five ICS security advisories were issued:
- ICSA-23-138-01 Carlo Gavazzi Powersoft
- ICSA-23-138-02 Mitsubishi Electric MELSEC WS
- ICSA-23-138-03 Hitachi Energy MicroSCADA Pro/X SYS600
- ICSA-23-138-04 Johnson Controls OpenBlue Enterprise Manager Data Collector
- ICSA-20-051-02 Rockwell Automation FactoryTalk Diagnostics Update B
Four more advisories appeared on May 23rd:
- ICSA-23-143-01 Hitachi Energy AFS65x, AFS67x, AFR67x and AFF66x Products
- ICSA-23-143-02 Hitachi Energy RTU500
- ICSA-23-143-03 Mitsubishi Electric MELSEC Series CPU module
- ICSA-23-143-04 Horner Automation Cscape
A single advisory was issued on May 26th: ICSA-23-145-01 Moxa MXsecurity Series.
On June 1st CISA released five further ICS alerts:
- ICSA-23-152-01 Advantech WebAccess-SCADA
- ICSA-23-152-02 HID Global SAFE
- ICSA-22-256-03 Delta Electronics DIAEnergie (Update A)
- ICSA-22-333-05 Mitsubishi Electric FA Engineering Software (Update A)
- ICSA-21-096-01 Hitachi Energy Relion 670 650 SAM600IO (Update B)
And, finally, on June 6th CISA released two more ICS advisories:
- ICSA-23-157-01 Delta Electronics CNCSoft-B DOPSoft
- ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series