At a glance.
- Ransomware attack closes the Port of Nagoya.
- US Department of Energy affected by Cl0p exploitation of MOVEit Transfer.
- Cl0p breaches Schneider Electric and Siemens Energy.
- Ransomware in the manufacturing and production sectors.
- Canada’s oil-and-gas sector a likely target for Russian cyberattacks.
- Nuclear weapons cybersecurity is lacking.
- Access to a US satellite is being hawked in a Russophone cybercrime forum.
- Some lessons for the electrical power sector.
- An update on COSMICENERGY: it’s not an immediate threat.
- Obstacles to public-private collaboration in the industrial sector.
- Malware in the industrial sector increases.
- Cybersecurity spending in the energy industry.
- CISA and partners release Joint Guide to Securing Remote Access Software.
- US DoD holds Cyber Yankee exercise.
- ICS patches.
Port of Nagoya closes over ransomware attack.
The Port of Nagoya, Japan's busiest ocean terminal, sustained a ransomware attack against the Nagoya Port Unified Terminal System on July 4th, BleepingComputer reports. Nikkei Asia says the issue came to light when a port employee noticed anomalies in his system. Investigation revealed the cause to be a ransomware infestation. The port authority is working to restore service and expects to have done so by the morning of July 6th. In the meantime most container operations at the port have been suspended. No group has claimed responsibility for the attack, which remains under investigation.
US Department of Energy affected by Cl0p exploitation of MOVEit Transfer.
CISA director Jen Easterly disclosed in a press briefing on June 15th that several US government agencies were compromised by the Cl0p ransomware gang via the recently disclosed MOVEit file-transfer vulnerability, the Register reports. The US Department of Energy is among the compromised agencies. A Department spokesperson told the Register, “Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified CISA.” Federal News Network says the two compromised DOE entities are Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico.
Easterly stated in the press briefing, “Since the vulnerability was disclosed, we have been working closely with Progress Software, with the FBI, and with our federal partners to understand prevalence within federal agencies. We are now providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications.” Easterly added, “We are not aware of Clop actors threatening to extort, or release any data stolen from government agencies. Although we are very concerned about this, we're working on it with urgency. This is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation's network.” She noted that the threat actors are “only stealing information that is specifically stored on your file transfer application at the precise time that the intrusion occurred.”
Cl0p breaches Schneider Electric and Siemens Energy.
Cl0p has also used the MOVEit vulnerability to compromise Schneider Electric and Siemens Energy, SecurityWeek reports. Siemens said in a statement to BleepingComputer, "Regarding the global data security incident, Siemens Energy is among the targets. Based on the current analysis no critical data has been compromised and our operations have not been affected. We took immediate action when we learned about the incident."
Schneider told BleepingComputer, "On May 30th, 2023, Schneider Electric became aware of vulnerabilities impacting Progress MOVEit Transfer software. We promptly deployed available mitigations to secure data and infrastructure and have continued to monitor the situation closely. Subsequently, on June 26th, 2023, Schneider Electric was made aware of a claim mentioning that we have been the victim of a cyber-attack relative to MOVEit vulnerabilities. Our cybersecurity team is currently investigating this claim as well."
Ransomware in the manufacturing and production sectors.
Sophos has published a report on the State of Ransomware in Manufacturing and Production 2023, finding that compromised credentials and exploited vulnerabilities were the top two most common cause of attacks against manufacturing organizations. The report also offers the following findings:
"Manufacturing reported a low propensity to pay the ransom (34%) to get their data back, with almost double the number that paid the ransom using backups for data recovery (73%). Encouragingly, the use of backups for data recovery increased by 15 percentage points from the 58% reported a year before.
"While this is a welcome improvement, manufacturing has the lowest rate of data recovery (88% got back encrypted data vs. the 97% cross-sector average), suggesting that the sector should continue to focus on strengthening backup use.
"The proportion of manufacturing organizations paying higher ransoms has increased from our 2022 study, with 40% paying a ransom between $100,000 and $999,999 vs. 29% who paid this amount the year before. In addition, 20% reported payments of $1 million or more compared to just 8% the year prior."
Canada’s oil-and-gas sector a likely target for Russian cyberattacks.
The Canadian Centre for Cyber Security (CSC) has released a threat assessment finding that Russia-aligned threat actors will “very likely” attempt to disrupt the nation’s oil-and-gas sector to weaken Canadian support for Ukraine. The agency stated, “We assess that the most likely targets for cyber threat actors intending to disrupt the supply of oil and gas in Canada are bottlenecks in the oil transmission and processing stages. Potential targets include the business and OT networks of large-diameter pipelines, transfer terminals, and major refining facilities.”
Nuclear weapons cybersecurity is lacking.
The US Government Accountability Office has published a report finding that the National Nuclear Security Administration (NNSA) is “still in the early stages of development” of mitigating cyber risks to weapons and manufacturing systems. The GAO stated, “NNSA and its contractors remain in the early stages of efforts—even after several years—to address cybersecurity at the system level in its operational technology (OT) and nuclear weapons IT environments.”
The report adds, “NNSA officials told us that cyber risks vary from one nuclear weapon type to another. NNSA officials said that they have conducted preliminary reviews and determined that current nuclear weapons generally contain little IT that is at risk due to their age and reliance on older technology. Newer and more modern weapons are slated to begin entering the stockpile after 2030 and may contain more IT, however. For these weapons, NNSA officials said that each program is still considering approaches to managing cybersecurity risks as part of the weapon design and development process.”
Access to a US satellite is being hawked in a Russophone cybercrime forum.
HackRead reports that a Russian-speaking hacker is offering access to a Maxar Technologies US military satellite for $15,000. The account posting the alleged access offers to receive funds through the trusted third-party payment service Escrow. It's difficult to know what to make of the claim, which seems a little excessive for credibility.
Some lessons for the electrical power sector.
The industrial security specialists at Dragos have published four top-level lessons they've learned about securing the electrical power grid. Dragos has addressed these before, in their annual report, but a repetition never hurts.
First, "you can't defend what you can't see." Visibility is the indispensable starting point in securing anything--the military calls it "situational awareness"--but unfortunately we see that most electrical utilities can't really see what's in their OT environment.
Second, "network segmentation improves slightly." So people are doing a bit better, but don't get cocky, kids: a seven percent improvement is good, but there's plenty of room to do better.
Third, "secure remote access is critical." There's been some positive change here, too, with uncontrolled external connections dropping by 22 percent. The subsector with the most room left to improve? Renewables.
And, fourth and finally, "shared credentials help adversaries." Sharing may seem like caring, but in this case it's a poor practice. The adversary likes nothing more than shared credentials.
An update on COSMICENERGY: it’s not an immediate threat.
Researchers at Mandiant last May announced their discovery of new malware that appeared it may have been designed to disrupt electrical distribution and associated critical infrastructure. Mandiant, which called the malware “COSMICENERGY,” was cautious in its assessment. The version the researchers obtained, for one thing, lacked a built-in discovery capability. Mandiant said that CosmicEnergy may in fact have been a Russian red teaming tool used in exercises to simulate an electric infrastructure attack, but the discovery was significant enough to place operators on alert for a possible campaign against vulnerable OT networks.
On Monday, however, Dragos released its own research into and assessment of CosmicEnergy. Their conclusion is far less alarmist than some earlier evaluations of the malware had been. CosmicEnergy is not, they’ve determined, related to either Industroyer or CrashOverride. The researchers say, “After analyzing COSMICENERGY, Dragos concluded that it is not an immediate risk to OT environments. The primary purpose of COSMICENERGY appears to have been for training scenarios rather than for deployment in real-world environments. There is currently no evidence to suggest that an adversary is actively deploying COSMICENERGY.”
So in this case, at least, caution was prudent, but the initial concerns the discovery aroused seem to have been overblown.
Obstacles to public-private collaboration in the industrial sector.
A Cyberspace Solarium Commission 2.0 (CSC 2.0) report has found that the North American Electric Reliability Corporation's (NERC’s) role in the Electricity-Information Sharing and Analysis Center (E-ISAC) can discourage organizations from sharing information with the E-ISAC, Utility Dive reports.
The CSC states, “[O]ur interviewees relayed that, because the E-ISAC is located within NERC, which, in turn, is subject to oversight by FERC, in-house counsels on occasion advise electricity companies not to share certain information with the ISAC for liability reasons. This is an obstacle without an obvious solution: removing the E-ISAC from NERC would likely strip it of key funding and relationships central to the services it provides to the sector.”
The CSC concludes that the Biden administration should make the following updates to the Presidential Policy Directive 21 (PPD-21):
- Clearly identify strategic changes
- Assign responsibilities and ensure accountability for routine updates of key strategic documents
- Clarify CISA’s roles and responsibilities as national risk management agency (NRMA)
- Resolve questions around the organization and designation of critical infrastructure sectors and assigned SRMAs
- Provide guidance on SRMA organization and operation
- Facilitate accountability
These measures apply particularly to the protection of critical infrastructure, and that class includes, of course those that use OT. Twelve of the sixteen sectors identified as critical infrastructure fall into that category.
Malware in the industrial sector increases.
Palo Alto Networks’s Unit 42 has published a study finding that between 2021 and 2022 “the average number of attacks experienced per customer in the manufacturing, utilities, and energy industry increased by 238%.” The researchers state, “These industries face a wide range of security threats, including malware, ransomware, physical attacks, supply chain attacks, and vulnerability exploits.”
Cybersecurity spending in the energy industry.
A report from DNV has found that the energy industry is increasing its investment in cybersecurity. 59% of energy professionals told DNV that their organization had increased spending on cybersecurity in 2023 compared to last year. 64% of respondents agreed that “their organization’s infrastructure is now more vulnerable to cyber threats than ever, and say that their focus on cyber security has intensified as a result of geopolitical tensions.”
Despite this increased investment, only 42% of respondents believe their organization is spending enough on cybersecurity, and only 36% “are confident their organization has made sufficient investments in securing their operational technology.” Just under half (49%) of energy professionals believe that regulation is the most likely factor that will lead to increased spending on cybersecurity.
A separate survey by OTORIO found similar results, with 78% of respondents saying their organizations plan to increase their OT cybersecurity budgets this year. The researchers state that organizations “that plan to increase their OT security budget will increase it by an average of 29%.” Additionally, 85% of organizations “actively and automatically track compliance with industry regulations and standards.”
CISA and partners release Joint Guide to Securing Remote Access Software.
The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Israel National Cyber Directorate (INCD) have released a Joint Guide to Securing Remote Access Software. The guide centers around detecting and preventing the use of legitimate remote access software and common exploits that could be used against an organization.
One of the particular concerns about this software is that it is used in normal IT tasks. This allows the remote access tools to be exploited by threat actors who typically remain undetected by antivirus tools, or by endpoint detection and response (EDR) defenses. Abusing remote access software doesn’t require a threat actor to create a new capability. CISA explained in the guide, “Remote access software enables cyber threat actors to avoid using or developing custom malware, such as remote access trojans (RATs). The way remote access products are legitimately used by network administrators is similar to how malicious RATs are used by threat actors.”
The guide recommends, among other things, that organizations create a baseline of their normal activity and begin monitoring for unusual spikes that could indicate a compromise. For prevention and mitigation of this threat, the guide strongly encourages organizations to implement zero-trust solutions whenever and wherever possible. Adding safeguards that prevent users from accessing a large number of machines in a short amount of time can also mitigate risk. “Use safeguards for mass scripting and a script approval process. For example, if an account attempts to push commands to 10 or more devices within an hour, retrigger security protocols, such as multifactor authentication (MFA), to ensure the source is legitimate.”
Some of the more consequential attacks against OT systems have originated in pivots from business systems, and so industrial operators would do well to attend to potential risks in remote access software.
US DoD holds Cyber Yankee exercise.
The US Department of Defense last month held its Cyber Yankee exercise. The training event simulated a cyberattack against public utilities. A press release from the Marines explains that “[t]he goal of Cyber Yankee is to train military cyber operators, local, state, and federal level government officials, and private companies how to defend themselves from a cyber-attack.”
US Army Lt. Col. Tim Hunt, deputy director of Cyber Yankee and full-time Guardsman with the Massachusetts National Guard, stated, “The fact we exercise [with cyber professionals from the private sector and utility companies], we practice like we fight. So, if there were something where we need to get activated already knowing those people, already having relationships, it goes a long way getting Soldiers and Airmen into action and helping provide and support a response to take care of something that’s affecting the citizens of the region.”
Over the past month CISA, the US Cybersecurity and Infrastructure Agency, has issued a large number of industrial control system (ICS) advisories. See the selected reading for a complete list.