Last week, two new ICS malware tools were unveiled to the world that have the potential to wreak havoc on North American industrial control systems.
Industroyer2 was a major component of a recent, unsuccessful attack on high-voltage electrical substations in Ukraine. This attack was linked to Sandworm, a threat group affiliated with Russia’s GRU military intelligence agency, and their apparent goal was to cause widespread power outages on April 8.
Researchers believe Industroyer2 was built using source code from Industroyer (also known as CRASHOVERRIDE), which Russian-backed threat groups used in December 2016 to attack a single electrical substation in Ukraine, causing a power outage. While the original Industroyer was a fully modular program with payloads for several ICS protocols, analysts at ESET have found that Industroyer2 has a narrower focus, implementing only the IEC-104 protocol commonly used in the electric sector and other industrial settings. Industroyer2 also stores its configuration data in its body instead of using a separate file like the original Industroyer, so it must be customized to its target environment every time.
As with previous cyber-attacks in Ukraine, the attackers also used several wipers in concert with Industroyer2. CaddyWiper was deployed with the apparent goal of removing traces of the ICS malware from the compromised target systems, while SOLOSHRED and AWFULSHRED were used on target Solaris and Linux systems, apparently to make it more difficult for the operator to regain control of the compromised systems.
CERT-UA has made indicators of compromise for this attack publicly available at https://cert.gov.ua/article/39518.
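Because Industroyer2 narrows itself to IEC-104, a defender watching a substation network wants to distinguish frames that carry control-direction commands (breaker open/close, set points) from ordinary monitoring traffic. The parser below is an added example and not code from the original post, ESET or CERT-UA; it follows the IEC 60870-5-104 APDU layout, and the three sample frames are constructed for illustration.

```python
"""Spot IEC 60870-5-104 control commands in captured traffic.

Added example (not code from the original post, ESET or CERT-UA). It parses
the APCI header of each APDU and, for I-format frames, the ASDU header, then
reports frames whose ASDU type is a process command in the control direction.
The sample frames at the bottom are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# ASDU type identifiers that carry process commands in the control direction.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point (normalized)",
    49: "C_SE_NB_1 set point (scaled)",
    50: "C_SE_NC_1 set point (float)",
    51: "C_BO_NA_1 bitstring command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    60: "C_RC_TA_1 regulating step command with time tag",
    61: "C_SE_TA_1 set point (normalized) with time tag",
    62: "C_SE_TB_1 set point (scaled) with time tag",
    63: "C_SE_TC_1 set point (float) with time tag",
    64: "C_BO_TA_1 bitstring command with time tag",
}


@dataclass
class Apdu:
    frame_type: str                 # "I" (data), "S" (supervisory) or "U" (unnumbered)
    type_id: Optional[int] = None   # ASDU type identifier (I-frames only)
    cot: Optional[int] = None       # cause of transmission, low 6 bits
    common_addr: Optional[int] = None
    ioa: Optional[int] = None       # information object address of the first object
    is_control: bool = False
    description: str = ""


def parse_apdu(data: bytes) -> Apdu:
    """Parse one APDU: APCI header, then the ASDU header for I-format frames."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    apdu_len = data[1]                     # number of bytes following the length field
    if apdu_len + 2 != len(data):
        raise ValueError(f"length field {apdu_len} does not match {len(data) - 2} bytes")
    cf1 = data[2]                          # first control field byte selects the format
    if cf1 & 0x01 == 0:
        frame_type = "I"
    elif cf1 & 0x03 == 0x01:
        frame_type = "S"
    else:
        frame_type = "U"                   # STARTDT/STOPDT/TESTFR link control
    apdu = Apdu(frame_type=frame_type)
    if frame_type != "I":
        return apdu

    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("I-frame too short for an ASDU header")
    # type id, variable structure qualifier, COT (cause + originator), common address
    type_id, _vsq, cot, _orig, ca_lo, ca_hi = struct.unpack("<6B", asdu[:6])
    apdu.type_id = type_id
    apdu.cot = cot & 0x3F
    apdu.common_addr = ca_lo | (ca_hi << 8)
    if len(asdu) >= 9:                     # 3-byte IOA of the first information object
        apdu.ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    if type_id in CONTROL_TYPES:
        apdu.is_control = True
        apdu.description = CONTROL_TYPES[type_id]
        if type_id in (45, 58) and len(asdu) >= 10:
            sco = asdu[9]                  # single command qualifier: bit 0 state, bit 7 S/E
            phase = "select" if sco & 0x80 else "execute"
            state = "ON" if sco & 0x01 else "OFF"
            apdu.description += f" ({phase}, {state})"
    return apdu


def find_control_commands(frames: List[bytes]) -> List[str]:
    """Return one alert line per frame that carries a control-direction command."""
    alerts = []
    for idx, frame in enumerate(frames):
        apdu = parse_apdu(frame)
        if apdu.is_control:
            alerts.append(f"frame {idx}: {apdu.description} "
                          f"CA={apdu.common_addr} IOA={apdu.ioa} COT={apdu.cot}")
    return alerts


# Constructed sample traffic: a STARTDT activation, a single command (execute, ON)
# to IOA 1 on common address 1, and a spontaneous float measurement (M_ME_NC_1).
SAMPLE_FRAMES = [
    bytes.fromhex("68 04 07 00 00 00"),
    bytes.fromhex("68 0e 00 00 00 00 2d 01 06 00 01 00 01 00 00 01"),
    bytes.fromhex("68 12 02 00 00 00 0d 01 03 00 01 00 05 00 00 00 00 80 3f 00"),
]

if __name__ == "__main__":
    for line in find_control_commands(SAMPLE_FRAMES):
        print(line)
```

In a real deployment the frames would come from a span port or packet capture on the substation LAN, and the useful signal is not the command itself but its context: a control command from a source address or at a time of day that the operators did not expect is what merits an alert.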
On April 13, the US Department of Energy, CISA, the NSA, and the FBI released a joint advisory warning that unidentified threat groups have created a modular ICS attack framework. Dubbed Pipedream, it’s designed primarily to disrupt or damage Programmable Logic Controllers (PLCs) from Schneider Electric and OMRON Corporation, as well as servers from the open-source OPC Foundation. Pipedream exploits underlying software in those PLCs called Codesys, which is used by a wide range of PLCs, making it easily adaptable to function in many other industrial environments.
The interesting fact about Pipedream is that it has never actually been deployed by an Advanced Persistent Threat (APT) group in the real world, as US intelligence services apparently acquired this piece of malware before it could be used in an attack.
Pipedream serves as a tool kit that enables attackers’ core activity, which is to infiltrate a target OT environment and become fluent in how all the industrial control systems in that target environment communicate with one another. From there, the attackers figure out how to shut down or change the settings of those systems to bring about disruptive/destructive ends. While the Pipedream platform enables attackers to gain access to IT systems (exploiting a vulnerability in ASRock motherboards of Windows-based workstations), it includes more tools for wreaking havoc in OT networks, where it can scan for, compromise, and control OT devices.
Why should you care?
US Deputy Attorney General Lisa Monaco, who oversees the FBI’s cyber division, has made it clear that Russian-backed threat groups have been actively probing US critical infrastructure targets for years. Three weeks ago, her department unsealed two previously secret indictments that revealed Russian intelligence agents and accomplices had infiltrated “hundreds of energy companies around the world,” including a nuclear power plant in Kansas. Considering the likelihood that the stiff economic sanctions leveled at Russia by Western countries will remain in place for years to come, disruptive cyber-attacks on the critical infrastructure of NATO member states, including Canada, are a logical retaliatory move to expect.
What can you do about it?
For the longest time, OT network administrators have relied on complexity and inaccessibility as their best defenses against infiltration or attack. As we have made clear in previous blog posts, however, the era of IT/OT convergence has thoroughly rendered this approach obsolete. For-profit threat activity was bad enough, but carefully orchestrated attacks by nation state-backed APT groups pose a vastly greater, and very real, threat to North America’s critical infrastructure systems.
Our friends at the SANS Institute have an excellent visual aid depicting both the typical stages of an ICS cyber-attack and the sliding scale of cybersecurity defenses for thwarting them. Unfortunately, the OT environments in far too many critical infrastructure organizations, both public and private, have not yet attained the essential levels of architecture and passive defense, much less the target level of active defense. If your organization is among them, it’s important to take some basic steps to protect your ICS as soon as possible, even if it means pushing ahead your maintenance windows (or opening a new one). Here are some first-step countermeasures we recommend:
- Bolster Security at the Perimeter – The first, most obvious step to protecting OT systems that have no intrinsic security measures is to do everything possible to ensure that only authorized personnel can access those systems. This happens at the DMZ between the IT and OT environments. Generic accounts for specific contractors are frequently a necessity, but use centrally managed accounts where possible, make sure those accounts have access only to the devices the contractors need to work on, and monitor their use. At the IT/OT boundary, permit only the minimum access required and avoid wherever possible granting ICS access to large groups of users or computers. In other words, avoid implementing firewall rules at the perimeter that permit access to “any” user, group, or system.
- Have a Plan – Put together some incident response protocols, establish who must do what, and practice those steps by conducting some tabletop exercises (TTXes) with the personnel who will carry them out. This doesn’t require taking any OT systems offline and helps ensure that you have a team in place that can respond to an incident with members that know their responsibilities. If you don’t know where to begin, consider bringing in an experienced ICS cybersecurity consultant on retainer to help with this process.
- Establish your Minimum Viable State (MVS) – To determine yours, just start with the basic question: What are all the things we can turn off while still keeping our OT minimally operational? The MVS is roughly the equivalent of the safe mode bootup of an operating system in which the extra “bells and whistles” (i.e. drivers for non-essential apps) are disabled, but in which your OT environment can still carry out the bulk of its core functions. Ideally, you want to test out your process for disconnecting or isolating these systems during a maintenance window, with the goal of making sure that the process accomplishes the desired outcomes. This helps your OT network defenders quickly and safely isolate a set of compromised systems during an attack.
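The perimeter point above, that no rule at the IT/OT boundary should permit access to “any” user, group or system, is something a rule review can check mechanically. The script below is an added example and not material from the original post or from SANS: it walks an exported rule list and flags permit rules reaching the OT zone whose source, destination or service is “any”, or whose source network is far wider than a contractor’s jump host needs. The OT address range, the width threshold and the sample rules are constructed for illustration.

```python
"""Flag overly broad permit rules at the IT/OT boundary.

Added example, not material from the original post or from SANS. It reviews an
exported rule list for "allow" rules that reach the OT zone with an "any"
source, destination or service, or with a source network much wider than a
contractor's jump host needs. The OT address range, the width threshold and
the rules themselves are constructed for illustration.
"""
import ipaddress
from typing import Dict, List

OT_ZONE = ipaddress.ip_network("10.20.0.0/16")  # constructed OT address space
MAX_SOURCE_ADDRESSES = 256                      # widest source accepted: a /24 (assumption)


def _reaches_ot(dst: str) -> bool:
    """True if the destination field covers any OT address."""
    if dst == "any":
        return True
    return ipaddress.ip_network(dst, strict=False).overlaps(OT_ZONE)


def audit_rule(rule: Dict[str, str]) -> List[str]:
    """Return the problems found with one rule (an empty list means it passes)."""
    findings: List[str] = []
    if rule["action"] != "allow" or not _reaches_ot(rule["dst"]):
        return findings                         # deny rules and IT-only rules are out of scope
    if rule["src"] == "any":
        findings.append("source is any")
    else:
        src = ipaddress.ip_network(rule["src"], strict=False)
        if src.num_addresses > MAX_SOURCE_ADDRESSES:
            findings.append(f"source {rule['src']} spans {src.num_addresses} addresses")
    if rule["dst"] == "any":
        findings.append("destination is any")
    if rule["service"] == "any":
        findings.append("service is any")
    return findings


def audit_ruleset(rules: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each failing rule name to its findings."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report


# Constructed rule export. The first two are the "any"-style rules the post
# warns against; the third is the narrowed form of the same contractor access
# (one DMZ jump host to one PLC on one service).
SAMPLE_RULES = [
    {"name": "legacy-vendor-access", "src": "any", "dst": "any",
     "service": "any", "action": "allow"},
    {"name": "corp-to-historian", "src": "10.0.0.0/8", "dst": "10.20.1.10/32",
     "service": "tcp/1433", "action": "allow"},
    {"name": "vendor-jump-to-plc", "src": "10.10.5.20/32", "dst": "10.20.1.15/32",
     "service": "tcp/502", "action": "allow"},
    {"name": "it-internal", "src": "10.0.1.0/24", "dst": "10.0.2.0/24",
     "service": "any", "action": "allow"},
    {"name": "default-deny", "src": "any", "dst": "any",
     "service": "any", "action": "deny"},
]

if __name__ == "__main__":
    for name, findings in audit_ruleset(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(findings)}")
```

The check is deliberately conservative: it only looks at rules that can reach the OT zone, so IT-internal rules and the final deny are left alone, and the width threshold is a single constant that each site should set to match what its own contractor and jump-host arrangements actually require.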
As an ICS cybersecurity consultancy, we can safely say that there is always “low-hanging fruit” that can give organizations with immature security practices some momentum to improve their situation. For organizations in this state, we stress the importance of establishing as much visibility as possible into their OT environment and maintaining some ability to act in the event of an incident. Know the answers to basic questions, like:
- Can I take an action, such as running a script, on all my machines?
- If provided with indicators of compromise, could I spot them on our OT systems?
- How can I rapidly isolate the OT network from the IT network, or each OT site from the others to which it is linked?
If even these steps present significant challenges, iON is here to help. We have helped organizations move several notches up the scale of ICS cybersecurity, from those with centralized environments to those with highly distributed OT environments spread across multiple sites. Please contact us if you need help getting your ICS cybersecurity practice on track.