At a glance.
- Cl0p ransomware gang attempts to extort the wrong water company.
- DOE invests in securing the US power grid.
- What the ransomware gangs want, and where they’re getting it.
- Industroyer2 analysis.
- Montenegro works to recover from Russian cyber offensive.
- DDoS attack against Energoatom’s website.
- NSTAC recommends cataloging Federal OT assets.
- Chemical sector cybersecurity.
- CISA's recent ICS vulnerability advisories.
Ransomware gang attempts to extort the wrong water company.
UK water supplier South Staffordshire Water has sustained an apparent ransomware attack that disrupted its IT systems, though the company says the attack hasn’t affected its ability to supply safe water to its customers. The company stated, “We are experiencing disruption to our corporate IT network and our teams are working to resolve this as quickly as possible. It is important to stress that our customer service teams are operating as usual. We are working closely with the relevant government and regulatory authorities and will keep them, as well as our customers, updated as our investigations continue.”
After the attack, however, the Cl0p ransomware gang claimed that it had gained access to SCADA systems at Thames Water, the UK’s largest water supplier. Thames Water called these claims a hoax, and it seems Cl0p was confused. Once the Cl0p gang began publishing stolen information, it became apparent that the data had actually been taken from South Staffordshire Water. Cl0p has since corrected their error, and is now attempting to extort South Staffordshire Water.
There have been some recent developments in this story, provided by Dragos. Dragos assesses with moderate confidence that the leaked data from South Staffordshire Water was indeed obtained by the Cl0p ransomware group. Two separate images serve as evidence of Cl0p’s claim of access to SSW’s operational technology (OT) and appear to be genuine screenshots of an Opus SCADA Master station Human Machine Interface (HMI) taken two days after the start of Cl0p’s data exfiltration. Dragos says, "We can't verify the Cl0p ransomware group's intent to specifically gain access to an OT environment, but they appear to have had sufficient access in the environment to conduct further operations in the environment, if desired." The assessment is significant, as ransomware gangs can't always be taken at their word when they claim to have succeeded in hitting a target. Cl0p in this case misfired in that they misidentified the specific utility they hit. But Cl0p does appear to have been behind the incident at South Staffordshire Water.
Cl0p struck a high moral tone in their extortion notes. The English may be broken, but the message is clear, if not fully convincing. “Clop is not political organization and we do not attack critical infrastructure or health organizations. We decide that we do not encrypt this company,” that is, Thames Water, or South Staffordshire Water, “but we show them that we have access to more of 5Tb of data. Every system including SCADA and these system which control chemicals in water. If you are shocked it is good.”
Why water, and why now? There’s a drought, the Wall Street Journal notes. Johan Claessens, security officer at Belgian water supplier Water-link, told the Journal, "We don’t have the luxury to have suboptimal production for an extended period of time. We really need every drop of water." Ilia Kolochenko, founder of ImmuniWeb, commented, “[While] Europe and other regions are suffering from the unprecedented wildfires and catastrophic drought, nefarious cybercriminals may purposely target critical national infrastructure in sophisticated cyber-attacks. In the case of financially motivated attacks designed to obtain a ransom, wrongdoers have significantly more chances of getting paid, by cruelly exploiting people in extreme need.” The greater the need, the higher the likelihood that people in extremis will be willing to pay up.
There are some well-established best practices that water utilities and other industrial operations can adopt to protect themselves from attacks of this kind. Dragos recommends that, for data involving key weaknesses, critical operational details, resiliency, physical security, and cybersecurity, organizations should consider implementing additional safeguards. Such safeguards might include encrypted archives with credentials that are separate from user active directory account credentials, or storage media located in protected network enclaves that are both hardened and monitored. Organizations should determine whether they have effective data cleanup policies and execution practices. Are sensitive files shared for legitimate business purposes such as maintenance and upgrade projects removed from data shares in a timely manner, or do they remain in directory structures in perpetuity? Are critical file types or shared files tagged and monitored for access and exfiltration?
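As an added example (not from Dragos or this newsletter), the following Python audit implements the data-cleanup question above: it walks a file share, classifies files into the sensitive data classes Dragos lists using constructed filename keywords, skips files already stored inside a protected enclave path, and flags sensitive files left on the general share past the retention window. The keyword patterns, the `enclave/` prefix, the 30-day window and the sample files are all assumptions.

```python
"""Audit a data share for sensitive files that have outlived their retention window."""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Constructed keyword patterns for the data classes Dragos names; a real utility
# would drive this from its own classification tags rather than filename guesses.
SENSITIVE_PATTERNS = {
    "critical-operational": re.compile(r"scada|hmi|plc|setpoint", re.I),
    "resiliency": re.compile(r"continuity|disaster|recovery", re.I),
    "physical-security": re.compile(r"badge|cctv|floorplan|access[-_ ]control", re.I),
    "cybersecurity": re.compile(r"pentest|vuln|firewall|network[-_ ]diagram", re.I),
}

@dataclass
class Finding:
    path: str        # path relative to the share root
    category: str    # sensitive data class that matched
    age_days: float  # days since last modification
    status: str      # "stale" (past retention) or "transient" (within window)

def classify(name):
    """Return the sensitive category a filename falls into, or None."""
    for category, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(name):
            return category
    return None

def audit_share(root, max_age_days=30, enclave_prefixes=("enclave/",), now=None):
    """Report sensitive files sitting on the general share outside a protected enclave.

    Files under an enclave prefix are skipped; everything else is either still within
    the retention window ("transient") or overdue for cleanup ("stale").
    """
    now = time.time() if now is None else now
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        category = classify(path.name)
        if category is None:
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(prefix) for prefix in enclave_prefixes):
            continue
        age_days = (now - path.stat().st_mtime) / 86400
        status = "stale" if age_days > max_age_days else "transient"
        findings.append(Finding(rel, category, round(age_days, 1), status))
    return findings

def build_demo_share(root, now):
    """Populate a constructed sample share; each entry is (relative path, age in days)."""
    samples = [
        ("projects/upgrade-2022/scada-hmi-screens.pdf", 95),  # stale project hand-off
        ("projects/upgrade-2022/firewall-ruleset.xlsx", 12),  # still within window
        ("shared/minutes-july.docx", 120),                    # old but not sensitive
        ("enclave/network-diagram-site-a.vsdx", 400),         # in the enclave, skipped
    ]
    for rel, age in samples:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample content\n")
        mtime = now - age * 86400
        os.utime(path, (mtime, mtime))

def demo_findings(now=1_661_000_000.0):
    """Build the sample share in a temp dir and audit it at a fixed clock."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_share(tmp, now)
        return audit_share(tmp, now=now)

if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.status:9} {f.category:22} {f.age_days:6.1f}d  {f.path}")
```

The same walk can feed a file-access monitor: the paths it returns are the ones worth tagging and alerting on for reads and copies.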
DOE invests in securing the US power grid.
On August 18th the US Department of Energy (DOE) announced it’s putting $45 million toward cyber technology aimed at safeguarding the nation’s power infrastructure from cyber aggression, providing funding for up to fifteen research projects focused on reducing cyber risk. These projects are also intended to bolster relationships between energy sector utilities, vendors, and universities. Energy Secretary Jennifer Granholm issued a statement explaining, “As DOE builds out America’s clean energy infrastructure, this funding will provide the tools for a strong, resilient, and secure electricity grid that can withstand modern cyberthreats and deliver energy to every pocket of America.”
The Hill notes that this is just the latest move signaling the DOE’s efforts to improve the cybersecurity of the energy grid. In April, the agency announced a $12 million investment in six research projects focused on using anomaly detection, artificial intelligence, and machine learning to secure critical infrastructure including the power sector, and in July House legislators passed a bill establishing a DOE grant program for graduate students and postdoctoral researchers studying cybersecurity and energy infrastructure.
Kinetic attacks affect Ukrainian nuclear power plant.
A kinetic incident at a Ukrainian nuclear plant offers a reminder of the risk of potential cyberattacks. Reuters reports that fires caused by shelling near the Zaporizhzhia nuclear power plant cut power lines to the reactor complex, although backup generators prevented a disaster. Ukrainian president Zelenskiy stated, "If our station staff had not reacted after the blackout, then we would have already been forced to overcome the consequences of a radiation accident. Russia has put Ukraine and all Europeans in a situation one step away from a radiation disaster." While this incident was caused by kinetic activity, it highlights the potential consequences of cyberattacks that target power grids.
What the ransomware gangs want, and where they’re getting it.
Ransomware continues to present a threat to industrial operations. What are the gangs interested in, these days? On Tuesday, August 9th, Dragos released its Industrial Ransomware Analysis for the second quarter of 2022. While the threat actors’ interests and targeting can shift, the report includes a quick rundown of what the opposition’s interests look like now.
Some of the threat actors target by sector. Dragos describes three of these:
- “Karakurt has been targeting mainly transportation entities.”
- “VICE SOCIETY has been targeting only automotive manufacturing entities.”
- “Lockbit 2.0 is the only group that targeted the pharmaceutical, mining, and water treatment sectors.”
Others show a geographical focus:
- “Moses Staff has only targeted Israel.”
- “Black Basta, Ransomhouse, and Everest have only targeted entities in the US and Europe.”
- “Quantum and Lorenzo have only targeted North American-based entities.”
And, finally, the threat actors shift. Old ones grow quiescent and new ones start making noise. LAPSUS$, CLOP LEAKS, and Rook were active in the first quarter, but not now. Black Basta, Midas Leaks, Pandora, and Ransomhouse have been busy in the second quarter, but were nowhere to be seen in the first.
In general, ransomware attacks were fewer in the second quarter than they had been in the first, but on the other hand the more recent attacks were more consequential.
Dragos closes its report with a prediction:
“Due to the changes in ransomware groups themselves, Dragos assesses with moderate confidence that new ransomware groups will appear in the next quarter, whether as new or reformed ones. Dragos assesses with moderate confidence that ransomware with destructive capability will continue to target OT operations, given the continuous political tension between Russia and western countries.”
The key aspect of the rising ransomware threat to OT systems is the destructive capability that’s been on display elsewhere in Russia’s hybrid war against Ukraine. Wiper attacks began on February 24th, shortly before Russian troops crossed the line of departure in their invasion of Ukraine. They enjoyed some success against telecommunications targets, but these attacks seem to have peaked in February and March. By April they seem largely to have ceased to have much effect, and have been largely displaced by nuisance-level denial-of-service attacks by hacktivist front organizations and by familiar cyber espionage campaigns run by the usual intelligence services: the SVR, the FSB, and the GRU. But it would be unwise to be complacent. Russia has demonstrated a capability to wage destructive cyber war, and assuming that Moscow has given up would be folly.
Industroyer2 analysis.
One of the mysteries of Russia’s war against Ukraine has been the failure of the Russian cyber operators to live up to the high expectations they set back in 2016 when they used a cyber attack to shut down significant portions of the Ukrainian power grid. Apparently it wasn’t for want of trying.
At Black Hat 2022 earlier this month, ESET researchers Robert Lipovsky and Anton Cherepanov gave a presentation on Industroyer2, a successor to the Industroyer malware used to cause a power blackout in Kyiv in December 2016. Industroyer2 was deployed by the Russian threat actor Sandworm against a Ukrainian energy company in April 2022. While Industroyer2 was technically more sophisticated than the original malware, it failed to trigger a blackout.
“The attack was thwarted thanks to a quick response by the defenders at the targeted company, the work of CERT-UA, and our assistance,” Lipovsky said. “But although no blackout took place, it was still a big deal, because had the attack been successful, theoretically, more than two million people could have been left in the dark.” He continued, “So, in our opinion, this was the most significant cyberattack—even if unsuccessful—during the war thus far.”
Anton Cherepanov added that the attackers also made a mistake in the timing of the wiper stage of their attack, which they launched just before 6 PM on a Friday.
Cherepanov stated, “These attackers missed one very important thing: That Friday is a very short working day, and most people end their work at 5 PM or even 4 PM, so at 5:58 PM, 95% of workstations were switched off, so they weren’t wiped.”
This should serve, by the way, as a useful reminder that offensive cyber operations are harder for the attacker than the defender often imagines. Your well-thought-through technical attack might fizzle because you’ve forgotten something simple, like maybe when it is that the people you’re messing with actually knock off work. After all, you, the attacker, may be pulling all-nighters fueled on whatever the GRU’s equivalent of pizza and Mountain Dew might be, and you’ve forgotten that the factory whistle blows early in Kyiv on Friday afternoon. What? Isn’t everyone working 24 and 7? Well, no, and so your elegant wiper winds up wiping very little.
Give some credit, too, to the defenders and the people who’ve rendered them assistance. Reuters reports remarks delivered at the Black Hat conference in Las Vegas on August 10th by Victor Zhora, deputy head of Ukraine's State Special Communications Service. Zhora, whose appearance was little heralded and was widely reported as a “surprise” to those in attendance, said that detection of cyberattacks had more than tripled since the war began in February, and that they became particularly intense in late March and early April.
Reuters summarizes Zhora as saying, "Ukraine faced a number of 'huge incidents' in cyberspace from the end of March to the beginning of April, Zhora said, including the discovery of the 'Industroyer2' malware which could manipulate equipment in electrical utilities to control the flow of power." Zhora also acknowledged the pro bono cloud services provided by Microsoft, Amazon and Google, which have helped the Ukrainian government back data up in physically safe servers abroad.
Montenegro works to recover from Russian cyber offensive.
A cyberattack against Montenegrin infrastructure, which the government has attributed to Russia, appears to have been both extensive and consequential. "Targets include electricity and water supply systems, transportation services, online portals that citizens use to access various state services, and more," BleepingComputer writes. Power plants have switched to manual operations, and many government IT services have been taken offline to contain the effects of the attack. The country's Minister of Public Administration was at pains to reassure citizens that their data were safe: “Although certain services are currently temporarily disabled for security reasons, the security of the accounts of citizens and business entities and their data is not in any way endangered.” Given the kinetic action on the ground, Russian cyberattacks have recently seemed more aimed at punishing nations sympathetic to Ukraine than directed against Ukrainian networks proper.
DDoS attack against Energoatom’s website.
Ukraine’s state-owned nuclear power company Energoatom sustained a distributed denial-of-service (DDoS) attack against its website for about three hours on Monday, August 15th. The corporation said the attack had little effect on visitors to the website, and no effect on its power plants. According to the Record, the attack was launched by the Russian hacktivist group People’s Cyber Army. It was a nuisance-level attack that had only limited impact, but such DDoS attacks can serve as misdirection for more serious and damaging campaigns.
NSTAC recommends cataloging Federal OT assets.
The US President's National Security Telecommunications Advisory Committee (NSTAC) has recommended that the Cybersecurity and Infrastructure Security Agency (CISA) require all Federal civilian agencies to inventory all of their OT assets, Meritalk reports. The Committee stated:
"CISA should issue a Binding Operational Directive (BOD), similar to what Section 1505 of the Fiscal Year 2022 National Defense Authorization Act requires for the DoD, that requires executive civilian branch departments and agencies to maintain a real-time, continuous inventory of all OT devices, software, systems, and assets within their area of responsibility, including an understanding of any interconnectivity to other systems. An up-to-date inventory should be required as part of each department or agency’s annual budget process. Once federal agencies clearly understand the vast and interconnected nature of their OT devices and infrastructure, they can then make risk-informed decisions about how to prioritize their cybersecurity budgets to best protect the most consequential of those assets. The White House should mandate periodic reports from CISA on department and agency implementation of this BOD to ensure progress is made."
Chemical sector cybersecurity.
Nextgov reports that CISA is turning its attention to cybersecurity in the chemical sector with a 100-day sprint focused on improving the sector's resilience. CISA director Jen Easterly said at a conference last week that she was already impressed with the chemical sector's approach to this issue. Easterly said, "It was really telling to me that even back in 2009, how robust the standards were, laid out for both physical security but also cyber security. It was before cyber was really a thing that this community really understood the importance of a collective approach."
CISA's recent ICS vulnerability advisories.
The Cybersecurity and Infrastructure Security Agency (CISA) on August 4th, 2022, released two Industrial Control System (ICS) advisories, Digi ConnectPort X2D ("mitigations for an Execution with Unnecessary Privileges vulnerability in Digi ConnectPort X2D, a connection gateway") and Inductive Automation Ignition (Update A) ("mitigations for an Improper Restriction of XML External Entity Reference vulnerability in versions of Inductive Automation Ignition software").
On August 9th, 2022, CISA released three Industrial Control Systems Advisories, for Mitsubishi Electric GT SoftGOT2000 ("mitigations for Infinite Loop and OS Command Injection vulnerabilities"), Emerson ControlWave ("mitigations for an Insufficient Verification of Data Authenticity vulnerability"), and Emerson OpenBSI ("mitigations for Use of Broken or Risky Cryptographic Algorithm and Use of Hard-coded Cryptographic Key vulnerabilities").
On August 11th, 2022, CISA released an unusually large tranche of ICS security advisories, twenty-eight in all. The affected systems include:
- Siemens Simcenter STAR-CCM ("mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability")
- Siemens Teamcenter ("mitigations for Command Injection and Infinite Loop vulnerabilities")
- Schneider Electric EcoStruxure, EcoStruxure Process Expert, and SCADAPack RemoteConnect for x70 ("mitigations for Heap-based Buffer Overflow, Wrap or Wraparound, Classic Buffer Overflow, and Out-of-bounds Write vulnerabilities")
- Emerson ROC800, ROC800L and DL8000 ("mitigations for an Insufficient Verification of Data Authenticity vulnerability")
- Siemens SICAM A8000 Web Server Module ("mitigations for an Improper Access Control vulnerability")
- Siemens SICAM TOOLBOX II ("mitigations for a Use of Hard-coded Credentials vulnerability")
- Siemens SCALANCE ("mitigations for Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’), Allocation of Resources Without Limits or Throttling, and Basic Cross Site Scripting vulnerabilities")
- Siemens SIMATIC S7-400 (Update A) ("mitigations for an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability")
- Siemens Industrial Products Intel CPUs (Update E) ("mitigations for a Missing Encryption of Sensitive Data vulnerability")
- ICSA-21-194-07 Siemens Industrial Products LLDP (Update C) ("mitigations for Classic Buffer Overflow and Uncontrolled Resource Consumption vulnerabilities")
- Siemens Linux-based Products (Update I) ("mitigations for a Use of Insufficiently Random Values vulnerability")
- Siemens Datalogics File Parsing Vulnerability (Update A) ("mitigations for a Heap-based buffer Overflow vulnerability")
- Siemens S7-400 CPUs (Update B) ("mitigations for an Improper Input Validation vulnerability")
- Siemens SIMATIC Software Products (Update B) ("mitigations for an Incorrect Permission Assignment for Critical Resource vulnerability")
- Siemens SIMATIC S7-1200 and S7-1500 CPU Families (Update B) ("mitigations for Use of a Broken or Risky Cryptographic Algorithm and Missing Support for Integrity Check vulnerabilities")
- Baxter Sigma Spectrum Infusion Pumps (Update B) ("mitigations for Use of Hard-coded Password, Cleartext Transmission of Sensitive Data, Incorrect Permission Assignment for Critical Resource, and Operation on a Resource After Expiration or Release vulnerabilities")
- Siemens Industrial Products with OPC UA (Update H) ("mitigations for an Uncaught Exception vulnerability")
- Siemens PROFINET Stack Integrated on Interniche Stack (Update C) ("mitigations for an Uncontrolled Resource Consumption vulnerability")
- Siemens TIA Portal (Update F) ("mitigations for a Path Traversal vulnerability")
- Siemens Teamcenter (Update A) ("mitigations for a Use of Hard-coded Credentials vulnerability")
- Siemens Industrial Devices using libcurl (Update B) ("mitigations for a Use After Free vulnerability")
- Siemens SIMATIC WinCC and PCS (Update C) ("mitigations for Exposure of Sensitive Information to an Unauthorized Actor and Insertion of Sensitive Information into Externally Accessible File or Directory vulnerabilities")
- Siemens Teamcenter (Update B) ("mitigations for Stack-based Buffer Overflow and Improper Restriction of XML External Entity Reference vulnerabilities")
- Siemens Industrial Products (Update B) ("mitigations for an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability")
- Siemens OpenSSL Vulnerabilities in Industrial Products (Update B) ("mitigations for a NULL Pointer Dereference vulnerability")
- Siemens RUGGEDCOM ROS (Update A) ("mitigations for an Improper Control of Generation of Code vulnerability")
- Siemens Simcenter Femap and Parasolid (Update A) ("mitigations for an Out-of-bounds Read vulnerability")
- Siemens SRCS VPN Feature in SIMATIC CP Devices (Update A) ("mitigations for Heap-based Buffer Overflow, Command Injection, and Code Injection vulnerabilities").
Another large (but not that large) set of advisories was issued on August 16th, when CISA released eight industrial control system (ICS) security advisories:
- Yokogawa CENTUM Controller FCS ("mitigations for a Denial of Service vulnerability")
- LS ELEC PLC and XG5000 ("mitigations for an Inadequate Encryption Strength vulnerability")
- Delta Industrial Automation DRAS ("mitigations for an Improper Restriction of XML External Entity Reference vulnerability")
- Softing Secure Integration Server ("mitigations for Out-of-bounds Read, Uncontrolled Search Path Element, Improper Authentication, Relative Path Traversal, Cleartext Transmission of Sensitive Information, NULL Pointer Dereference, and Integer Underflow vulnerabilities")
- B&R Industrial Automation Automation Studio 4 ("mitigations for an Unrestricted Upload of File with Dangerous Type vulnerability")
- Emerson Electric Proficy Machine Edition ("mitigations for Missing Support for Integrity Check, Improper Access Control, Unrestricted Upload of File with Dangerous Type, Improper Verification of Cryptographic Signature, Insufficient Verification of Data Authenticity, and Path Traversal: ‘\..\filename’ vulnerabilities")
- Sequi PortBloque S ("mitigations for Improper Authentication and Improper Authorization vulnerabilities")
- Siemens Industrial Products with OPC UA (Update B) ("mitigations for various Siemens Industrial Products with OPC UA products")
On August 23rd, 2022, CISA released seven additional ICS advisories:
- ARC Informatique PcVue ("mitigations for a Cleartext Storage of Sensitive Information vulnerability")
- Delta Industrial Automation DIALink ("mitigations for a Use of Hard-coded Cryptographic Key vulnerability")
- myScada Pro ("mitigations for a Command Injection vulnerability")
- Measuresoft ScadaPro Server ("mitigations for an Out-of-bounds Write vulnerability")
- Measuresoft ScadaPro Server and Client ("mitigations for Untrusted Pointer Dereference, Stack-based Buffer Overflow, Use After Free, and Link Following vulnerabilities")
- Hitachi Energy RTU500 ("mitigations for a Stack-based Buffer Overflow vulnerability")
- Illumina Local Run Manager (Update A) ("mitigations for Path Traversal, Unrestricted Upload of File with Dangerous Type, Improper Access Control, and Cleartext Transmission of Sensitive Information vulnerabilities")
A single advisory was issued on August 25th, for a remote code vulnerability in FATEK Automation FvDesigner. And on August 30th, CISA released twelve Industrial Control Systems Advisories:
- Hitachi Energy FACTS Control Platform (FCP) Product ("mitigations for Inconsistent Interpretation of HTTP Requests, Use After Free, Classic Buffer Overflow, Integer Underflow, Improper Certificate Validation, [and] Observable Discrepancy vulnerabilities")
- Hitachi Energy GWS ("mitigations for HTTP Requests, Use After Free, Classic Buffer Overflow, Integer Underflow, Improper Certificate Validation, [and] Observable Discrepancy vulnerabilities")
- Hitachi Energy MSM ("mitigations for a Reliance on Uncontrolled Component vulnerability")
- Hitachi Energy RTU500 series ("mitigations for an Improper Input Validation vulnerability")
- Fuji Electric D300win ("mitigations for Out-of-bounds Read and Write-what-where Condition vulnerabilities")
- Honeywell ControlEdge ("mitigations for a Missing Authentication for Critical Function vulnerability")
- Honeywell Experion LX ("mitigations for a Missing Authentication for Critical Function vulnerability")
- Honeywell Trend Controls ("mitigations for a Cleartext Transmission of Sensitive Information vulnerability")
- Omron CX-Programmer ("mitigations for a Use After Free vulnerability")
- PTC Kepware KEPServerEX ("mitigations for Heap-Based Buffer Overflow and Stack-Based Buffer Overflow vulnerabilities")
- Sensormatic Electronics iSTAR ("mitigations for a Command Injection vulnerability")
- Mitsubishi Electric Multiple Factory Automation Products (Update B) ("mitigations for Infinite Loop and OS Command Injection vulnerabilities")