At a glance.
- Radiation sensor reports from Chernobyl may have been manipulated.
- Cyberattack on rail control systems stops Polish trains.
- Energy One discloses cyberattack against its corporate systems.
- CISA Director warns of Chinese infrastructure attack staging.
- CODESYS vulnerabilities.
- Power generator in the south of Africa hit with malware.
- Environmental regulation and increased maritime cyber risk.
- Threats to the power grid.
- APT31 linked to attacks on industrial systems in Eastern Europe.
- Five Eyes outlines top exploited vulnerabilities.
- Brunswick Corporation loses millions to cyberattack.
- Ransomware in the industrial space.
- CISA ICS advisories.
Radiation sensor reports from Chernobyl may have been manipulated.
Citing research by Ruben Santamarta, WIRED reports that radiation sensor data from the Chernobyl exclusion area may have been manipulated during the Russian Army's brief occupation of Chernobyl during February and March of 2022. The sensors showed troubling but inexplicable spikes in radiation levels. Those reports appear to have been bogus, the data possibly manipulated by a cyberattack.
The published abstract of Santamarta's talk says, "Evidence confirms that the radiation levels depicted by a very specific set of real-time radiation maps, which during those days were consulted by millions of people and also consumed as a single source of information by media outlets and official entities, did not correspond to the actual physical conditions of the Chernobyl Exclusion Zone." If the data were indeed manipulated in a cyberattack, then that's troubling: corruption of sensor data in industrial systems would represent a major safety issue for many sectors, and for the public at large.
Interference with rail control systems stops Polish trains.
Over Friday night and into early Saturday morning, a cyberattack halted trains near the Polish city of Szczecin. An emergency radio signal was compromised and used to stop about twenty trains. Service was restored within a matter of hours. Both freight and passenger trains were affected. The BBC reports that Poland's internal security service ABW is investigating the incident. There's widespread speculation that the incident was the work of Russian hacktivist auxiliaries. Evidence for that attribution is circumstantial but compelling, at least as a first take.
Stanislaw Zaryn, a senior security official, said , "For the moment, we are ruling nothing out. We know that for some months there have been attempts to destabilise the Polish state," Mr Zaryn added. "Such attempts have been undertaken by the Russian Federation in conjunction with Belarus." According to WIRED, the emergency stop signal was transmitted over a legacy radio-frequency system that lacks either authentication or encryption. Anyone with the right equipment--and such equipment is both cheap and readily available--can trigger an emergency stop by sending a "series of three acoustic tones at a 150.100 megahertz frequency." The biggest difficulty such a hacker might face is getting physically close enough for their signal to be within range.
Energy One discloses cyberattack against its corporate systems.
Energy One, an Australian company that develops software for energy firms, disclosed last week that its IT systems in Australia and the UK sustained a cyber attack on Friday, August 18th, SecurityWeek reports. The company said in a statement, "In response, Energy One took immediate steps to limit the impact of the incident, engaged cyber security specialists, CyberCX, and alerted the Australian Cyber Security Centre and certain UK authorities. Energy One’s top priorities are the safety and security of its people, its customers, and its systems. Analysis is underway to identify which, if any, additional systems may have been affected by the cyber-attack. As part of its work to ensure customer security, Energy One has disabled some links between its corporate and customer-facing systems. Energy One’s response to this incident, and its investigation, is continuing. Key lines of the ongoing inquiry and response include securing Energy One’s systems, establishing whether or what personal information and/or customer-facing systems have been affected, and the initial point of entry." The incident affected business systems and their software supply chain, but attacks on business systems have been used before as a springboard to move into industrial systems proper.
CISA Director warns of Chinese infrastructure attack staging.
NBC News reports that CISA director Jen Easterly warned at DEF CON last week that Chinese threat actors have been conducting battlespace preparation against US critical infrastructure. Easterly stated, “I hope that people are taking seriously a pretty stark warning about the potential for China to use their very formidable capabilities in the event of a conflict in the Taiwan straits to go after our critical infrastructure.”
Chinese authorities of course deny any such activity, and say this sort of thing is just disinformation from the Americans, whom the Chinese call “the champions of hacking.”
Director Easterly’s remarks are based on a sound old military custom of planning based on adversary capabilities as opposed to necessarily speculative conclusions about adversary intentions.
Those capabilities were on display as recently as this past May. A joint advisory from all Five Eyes (Australia, Canada, New Zealand, the United Kingdom, and the United States) reported a major Chinese cyberespionage operation that succeeded in penetrating a range of US critical infrastructure sectors. Microsoft, in its own report on that activity (which Redmond calls “Volt Typhoon”) says the group responsible has been active since at least the middle of 2021.
The targets of the spying–which amounts to battlespace preparation–have extended to the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Microsoft writes that, "Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible." It does this, the Five Eyes stress, by carefully living off the land, exploiting existing legitimate administrative tools and privileges in its targets.
Much of Volt Typhoon's activity has been directed against Guam, the US Territory in the Western Pacific that hosts important US military bases. Those bases would be important to any US intervention on behalf of Taiwan, should China decide to take a page from Russia's geopolitical playbook and invade what it regards as a renegade province. For its part, China dismisses the reports as a coordinated American disinformation campaign, and denies that it's engaged in any of the activities the Five Eyes and Microsoft associate with Volt Typhoon.
Microsoft assesses that this attack could be an effort to enable a disruption of communications between the US military and its Asian allies. “Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.”
Security researchers at Microsoft discovered several high-severity vulnerabilities affecting the CODESYS industrial automation software, the Record reports. Microsoft worked with CODESYS to develop patches for the vulnerabilities, and organizations are urged to apply the fixes promptly.
The flaws could be exploited to carry out denial-of-service attacks or remote code execution. Microsoft notes that exploitation of the vulnerabilities “requires user authentication, as well as deep knowledge of the proprietary protocol of CODESYS V3 and the structure of the different services that the protocol uses.”
The vulnerabilities aren’t trivial, but they don’t seem likely to be open to devastating exploitation, either. Ars Technica quotes experts who think it unlikely, for example, that such exploitation might shut down significant fractions of a power grid. Jimmy Wylie and Sam Hanson, researchers at Dragos, point out that CODESYS isn’t as widely used in power generation and distribution as it is in other industrial applications. This renders it unlikely that an attack on the software would affect the electrical power sector.
Turning to the requirement for authentication a hypothetical attacker might face, Wylie and Hanson observed that “if an adversary is authenticated (has the username and password) to your PLC, you've got bigger problems than these CVEs, and they can do all kinds of things that make the CVEs unnecessary.”
They also point out that industrial systems are designed with a degree of resilience built into them. So keep calm and keep patching.
Power generator in the south of Africa hit with malware.
Kaspersky warns that a new version of the SystemBC malware was used in an attack against a critical infrastructure power generator in an unnamed south African nation: “[A]n unknown actor targeted an electric utility in southern Africa with Cobalt Strike beacons and DroxiDat, a new variant of the SystemBC payload. We speculate that this incident was in the initial stages of a ransomware attack. This attack occurred in the third and fourth week of March 2023, as a part of a small wave of attacks involving both DroxiDat and CobaltStrike beacons across the world. DroxiDat, a lean ~8kb variant of SystemBC serving as a system profiler and simple SOCKS5-capable bot, was detected in the electric utility.”
Kaspersky offered tentative attribution of the incident to a Russian-speaking cybercriminal gang, specifically to FIN12 (which has also been called “Pistachio Tempest”). FIN12 has hitherto been known for attacks against the healthcare sector. In May of 2022 it was one of the gangs prominently featured in the US Department of Health and Human Services report, Ransomware Trends in the HPH Sector. FIN12 has changed its target selection but not its playbook. The group's motivation is financial.
Some news reports have said the incident occurred in South Africa, but that hasn’t been confirmed. As we noted above, Kaspersky has said only that it took place in an unidentified country in the southern part of the African continent.
Environmental regulation and increased maritime cyber risk.
In an article for Dark Reading, Jeffrey Wells from Sigma7 outlines the cybersecurity implications that the European Commission’s Fit for 55 environmental regulation will have on the maritime industry. Wells notes, “Vessels must now significantly reduce their carbon intensity by making substantial investments in advanced technologies and sophisticated equipment to enhance vessel efficiency. Integrating technologies with existing OT systems and real-time cloud-based monitoring presents a unique challenge to maritime cybersecurity, a field marked by inherent vulnerabilities.”
Wells concludes that as a result, “The urgent call is to act boldly and decisively. Immediate investments in cutting-edge technologies, system upgrades, stringent access controls, network segmentation, and rigorous vendor vetting are paramount.”
Threats to the power grid.
The Daily Dot reports that a suspected white supremacist in the US threatened to attack power grid infrastructure unless two other alleged neo-Nazis were released from prison. The two imprisoned men were arrested earlier this year for allegedly planning a bank robbery. The individual who made the threat posted four diagrams of power grid equipment on Telegram. The US Department of Homeland Security is monitoring the threat.
It’s not merely a threat arrived at as a matter of a priori possibility. Destroying or damaging power distribution substations–important and usually unattended–has for some time figured as a common topic of fantasy and discussion within this particular extremist subculture.
APT31 linked to attacks on industrial systems in Eastern Europe.
Earlier this month a report from Kaspersky found that APT31 (also known as “Judgment Panda” or “Zirconium”) is targeting industrial systems in Eastern Europe. The researchers state, “The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. In total we have identified over 15 implants and their variants planted by the threat actor(s) in various combinations.”
Kaspersky notes that the attack’s architecture “allows the threat actor to change the execution flow by replacing a single module in the chain.”
APT31 is generally regarded as an intelligence operation of the Chinese government. Much of its activity has involved industrial espionage, but the group has also been implicated in collection of political intelligence.
Five Eyes outlines top exploited vulnerabilities.
Intelligence services in the Five Eyes last week issued a joint Cybersecurity Advisory outlining the top twelve most commonly exploited vulnerabilities in 2022. First on the list is CVE-2018-13379, a path traversal vulnerability affecting Fortinet SSL VPNs. Next are the three Microsoft Exchange vulnerabilities collectively known as “ProxyShell.”
Another noteworthy entry was the Zoho ManageEngine ADSelfService Plus Vulnerability , enabling unauthenticated remote code execution. The advisory highlighted its connection to an outdated third-party dependency, emphasizing the importance of up-to-date software practices.
The widely-used Atlassian Confluence Server and Data Center also made the list due to its susceptibility to unauthenticated arbitrary code execution. Governments and private companies relying on this web-based collaboration tool became potential targets.
One of the most infamous entries was the Log4Shell Vulnerability, which impacted Apache's Log4j library used in numerous products worldwide. The ability to execute arbitrary code and gain full system control made this vulnerability particularly enticing to malicious actors.
The US Cybersecurity and Infrastructure Security Agency (CISA) notes that this advisory includes common weakness enumerators, or CWEs, which “reflect the underlying root causes that led to the exploited vulnerability.” CISA states, “In order to reduce the prevalence of common classes of vulnerabilities, this advisory urges technology vendors to implement specific secure by design principles and to ensure that all published CVEs include the proper CWE identifying the root cause of the vulnerability.”
It’s worth noting how many of the vulnerabilities continued to be exploited after patches were available. It suggests the effect that slow patching can have on an organization. As CISA so often says, “Apply updates per vendor instructions,” and, we might add, sooner rather than later.
Brunswick Corporation loses millions to cyberattack.
The Record by Recorded Future reports that boating manufacturing giant Brunswick Corporation lost $85 million due to a cybersecurity incident. The company didn’t specify the nature of the incident, but said production was impacted for nine days.
The company’s CEO Dave Foulkes said in an earnings call, “The disruption associated with the IT security incident was the most significant in our Propulsion and Engine Parts & Accessories segments. And because of the proximity to the end of the quarter, there was limited opportunity to recover fully within the same period.” He added that “lost production days on high horsepower outboard engines will be challenging to recover because the production schedule was already full for the balance of the year.”
Ransomware in the industrial space.
Dragos has published its Industrial Ransomware Attack Analysis for the second quarter of 2023, finding that 70% of ransomware attacks in the space were against manufacturing companies. The manufacturing sector saw one-hundred and seventy-seven ransomware incidents in Q2 2023.
Dragos predicts “with moderate confidence that the third quarter of 2023 will witness increased business-impacting ransomware attacks against industrial organizations for two reasons. Firstly, the prevailing political tension between NATO countries and Russia motivates Russian-aligned ransomware groups to continue targeting and disrupting critical infrastructure in NATO countries. Secondly, as the number of victims willing to pay ransoms diminishes, RaaS groups have shifted their focus towards larger organizations, resorting to widespread ransomware distribution attacks to sustain their revenues.”
Several companies commented on Dragos's findings. Carol Volk, EVP at BullWall, thinks that it shows the necessity for industrial organizations to prioritize cybersecurity. A mix of advanced tools, effective employee security training, and collaboration with other companies and the government should be in play.
Emily Phelps, Director at Cyware, agreed that ransomware in particular can "devastate" an industrial organization, and planning for continuity of operations under stress is vital. And so are such sound practices as regular back-up and testing, air-gapping whenever possible, and network segmentation. None of these are of course a panacea, but they're all solid practices.
And Horizon3ai's Principal Security SME, Stephen Gates, wrote that "attackers who gain access to any internal computing device are the primary threat industrial organizations face." He also advises planning for continuity of operations, preparing for cyber events just as one might plan for a fire, or a natural disaster.
CISA ICS advisories.
CISA has issued a multitude of ICS cybersecurity advisories over the past month, outlining vulnerabilities affecting Rockwell Automation Input/Output Modules, Rockwell Automation ThinManager ThinServer, SNAP PAC S1 industrial programmable automation controllers, KNX devices using KNX Connection Authorization, Trane Thermostats, Hitachi Energy AFF66x, Walchem Intuition 9 water treatment controller, Schneider Electric PowerLogic power meters, ICONICS and Mitsubishi Electric Products, Rockwell Automation Armor PowerFlex, Schneider Electric EcoStruxure and Modicon, network mirroring in Siemens RUGGEDCOM, Siemens Solid Edge SE2023, Siemens SICAM TOOLBOX II, Siemens OpenSSL RSA Decryption in SIMATIC, Siemens address processing in SIMATIC, Siemens Parasolid and Teamcenter Visualization, and Siemens RUGGEDCOM CROSSBOW.