At a glance.
- Australian ports recovering from cyberattack.
- Sandworm and Ukraine's power grid: 2022 attacks.
- GRU's Sandworm implicated in campaign against Danish electrical power providers.
- Four cyber phases of a hybrid war.
- Rockwell Stratix routers vulnerable to Cisco zero-day.
- CISA, FEMA, and Shields Ready.
- Cyber and electronic threats to space systems.
- Nuclear power plant operator cited over cybersecurity strategy.
- Bletchley Declaration represents a consensus starting point for AI governance.
- The US Executive Order on artificial intelligence is out.
- Department of Energy hosts simulated cyberattack competition.
- Malware attacks against IoT devices increase by 400%.
- CISA’s ICS advisories.
Australian ports recovering from cyberattack.
Australia's National Cyber Security Coordinator announced on Saturday, November 11th, that the government was investigating a cyberattack that disrupted several Australian ports. "DP World Australia has advised it has restricted access to its Australian port operations in Sydney, Melbourne, Brisbane and Fremantle while it investigates the incident," the Coordinator tweeted. "This interruption is likely to continue for a number of days and will impact the movement of goods into and out of the country. DP World Australia is working with its stakeholders to consider the impacts on its operations at specific ports." DP World began restoring operations at the affected ports Monday, according to the BBC.
The unspecified cyber incident at the container operator shut down operations at Sydney, Melbourne, Brisbane, and Fremantle. It is, the Coordinator said, "a nationally significant cyber incident." The shutdown at the ports was preventive, according to the Guardian. All that was publicly known Sunday was that "unauthorized activity" had been detected in DP World Australia's systems. The ABC reports that land operations were affected by the incident, which remains under investigation.
DP World Australia has said, Bloomberg reports, that it has not received a ransom demand. The Conversation recounts informed speculation to the effect that the incident represents sabotage "by a foreign state actor."
There is so far no public disclosure of the precise nature of the incident, and no known criminal group appears to have claimed responsibility. DP World did issue a statement to its various stakeholders in which it said, "A key line of inquiry in this ongoing investigation is the nature of data access and data theft." BleepingComputer points out that data theft is typically a concern in extortion attacks, but there's been no public acknowledgement that the incident involved ransomware. (In any case, a concern about data loss would be prudent in any victim of a cyberattack.)
Sandworm and Ukraine's power grid: 2022 attacks.
Mandiant has released a study of Sandworm's cyberattacks against Ukraine's electrical power grid last year. Sandworm, also known as Voodoo Bear, is a threat actor operated by the GRU's Unit 74455.
"While we were unable to identify the initial access vector into the IT environment," Mandiant wrote, "Sandworm gained access to the OT environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim’s substation environment. Based on evidence of lateral movement, the attacker potentially had access to the SCADA system for up to three months." Those three months of preparation culminated, on October 10th, 2022, in the exploitation of end-of-life Hitachi Energy MicroSCADA control systems, which brought the affected systems under Sandworm control and enabled the attackers to issue commands that tripped breakers in electrical power distribution substations. Two days later Sandworm deployed a new variant of CaddyWiper (discovered in Ukraine the previous March by ESET), which served both to damage the associated IT networks and to obscure its own operations. The attack was marked by living-off-the-land techniques, significant because they "decreased the time and resources required to conduct a cyber physical attack," and because they reduced the likelihood of detection.
The Russian campaign stands out for several reasons. First, it was a successful attack against a widely deployed OT system. Such attacks have been rare, and have proven difficult to execute. Second, the cyberattacks coincided with a kinetic Russian missile campaign designed to cripple Ukrainian infrastructure as winter approached. Such coordination of cyberattack into a combined arms operation has also been rare, and difficult for Russian forces to achieve. Third, the attack showed both careful preparation and an ability to develop offensive tools quickly. And, finally, the attack showed what Russia is likely to attempt in its infrastructure disruption campaign during the winter of 2023 and 2024.
GRU's Sandworm implicated in campaign against Danish electrical power providers.
SektorCERT, Denmark's "cyber security centre for the critical sectors," last week described what it characterized as the largest cyberattack on record against that country's critical infrastructure. In May of this year an APT group, which SektorCERT associates with Sandworm, simultaneously hit twenty-two companies in Denmark's highly decentralized electrical power sector. The attacks, which began on May 11th and continued into the last week of that month, exploited CVE-2023-28771, a critical command injection flaw affecting Zyxel firewalls. That vulnerability had been disclosed and addressed in late April, but the attackers were able to find enough unpatched systems to gain access.
The attack was ultimately detected and stopped without disruption to power distribution, but it seems to have been aimed at gaining comprehensive access to Denmark's grid. The attacks proper were preceded by a reconnaissance phase that began in January. A simultaneous attack against so many targets suggests both careful planning and determined execution. SektorCERT properly notes the difficulties of attribution, and itself stops short of saying the incident was the work of Russia's GRU, but on form it certainly looks like a Sandworm operation. Similar attacks have been mounted against Ukraine's power grid, and the incident in Denmark strongly suggests that infrastructure in what Moscow tends to call the "collective West" can be expected to figure in Russian target lists.
Four cyber phases of a hybrid war.
Forcepoint analysts, looking at both Russia's war against Ukraine and the war unleashed by Hamas's assault on Israel, concluded that cyber operations in any hybrid war are likely to fall into four conceptually distinct, albeit temporally overlapping, phases:
- "Phase 1: Increase in Scale and Impact of Attacks. In this initial phase, attacks increase in scope, evolving from hashtags to defacements and distributed denial-of-service (DDoS) attacks."
- "Phase 2: Expanded Targeting and More Sophisticated Attacks. The emergence of state-linked proxy cyber threat actors typically bring about more sophisticated targeting strategies, including cyberterrorism."
- "Phase 3: Ransomware Operations and False Flags. Ransomware groups and deceptive tactics become part of the cyber landscape, impacting virtual and physical infrastructures, as well as public perception."
- "Phase 4: Coordination with Kinetic Operations. Cyberattacks are closely coordinated with kinetic operations, impacting not only virtual but also physical aspects of the armed conflict."
Of these four phases, the fourth has been least in evidence in both of the present wars. Wiper attacks have represented the closest approach to effective targeting coordinated with operations on the ground. Among these only the Russian attacks on Viasat networks in the opening hours of the invasion have had tactical effect, and even that effect was short-lived. Far more prominent have been the other three phases, and it's noteworthy that all of these involved deniable auxiliaries, false-flag operations, privateering, and co-opted criminal activity. None of these lend themselves to the sort of combined arms coordination historically seen with traditional electronic warfare.
Rockwell Stratix routers vulnerable to Cisco zero-day.
Rockwell Automation has warned that its Stratix 5800 and 5200 routers are vulnerable to the recently disclosed vulnerability in Cisco IOS XE Software’s web UI feature. The company notes, “While Rockwell Automation has no evidence of active exploitation against the Stratix® product line, this vulnerability was discovered by Cisco Talos during an incident response for a Cisco customer.” Rockwell adds that it “strongly encourages customers to follow guidance disabling Stratix® HTTP servers on all internet-facing systems.”
CISA, FEMA, and Shields Ready.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) last week launched Shields Ready, “a sustained national campaign to increase the security and resilience of America’s critical infrastructure.” Shields Ready complements CISA’s “Shields Up” campaign; according to FEMA, “Shields Ready focuses more broadly and strategically on how to prepare critical infrastructure for a potential disruption and how to build more resilience into systems, facilities, and processes by taking action before a crisis or incident even occurs.”
The approach encourages critical infrastructure operators to focus on the following steps:
- “Identify Critical Assets and Map Dependencies: Determine the systems that are critical for ongoing business operations and map out their key dependencies on technology, vendors, and supply chains.
- “Assess Risks: Consider the full range of threats that could disrupt these critical systems and the specific impacts such threats could pose to continuity of operations.
- “Plan and Exercise: Develop incident response and recovery plans to reduce the impact of these threats to critical systems and conduct regular exercises under realistic conditions to ensure the ability to rapidly restore operations with minimal downtime.
- “Adapt and Improve: Periodically evaluate and update response and recovery plans based on the results of exercises, real-world incidents, and an ongoing assessment of the threat environment.”
Cyber and electronic threats to space systems.
The US Space Force sees the cybersecurity of space systems as crucial to mission capability. Via Satellite quotes Colonel Richard Kniseley, senior materiel leader of the Space Force’s Commercial Space Office, as saying, “The U.S. and our allied forces must now contend with growing threats from satellite link interceptions.” It's interesting that he sees the threat as representing a convergence of both electronic and cyber attack: “This results from advanced jamming techniques and illegal satellite uplinks. Our operations are hindered by compromised communication integrity and potential data breaches.”
Via Satellite also reports that Darren Turner, chief of Critical Networks Defense for the US National Security Agency’s Cybersecurity Directorate, said in his keynote at CyberSatGov that space operators need to begin implementing quantum-resistant cryptography. Turner stated, “When it comes to space cybersecurity, stopping rampant cyber intrusions is this generation’s counterterrorism mission. It will require an infusion of talent and maximum effort across the United States government, our allies, and industry, to adapt, innovate, and sharpen our competitive edge in order to dominate in this evolving space.”
As satellites become increasingly integrated into a range of networked IoT and ICS systems, Space Force’s concerns will grow increasingly relevant to the industrial cybersecurity community.
Nuclear power plant operator cited over cybersecurity strategy.
The UK’s Office for Nuclear Regulation (ONR) has cited EDF, a French power utility that runs five nuclear plants in the UK, for the company’s failure to provide the ONR with a “comprehensive and fully resourced cyber security improvement plan” in a timely manner, Silicon UK reports. The ONR stated, “EDF’s corporate centre has been moved to significantly enhanced regulatory attention for cyber security. EDF has made two new appointments to specifically address cyber security. We have subsequently met with EDF senior team to ensure regulatory expectations are understood.”
Bletchley Declaration represents a consensus starting point for AI governance.
This week British Prime Minister Rishi Sunak hosted an AI Safety Summit, convening about a hundred government leaders, tech executives, and scholars. The Summit is British-led but with broad international participation. The BBC explains that Prime Minister Sunak’s plan is to make the UK a global leader in AI safety, but the Summit reached consensus on a draft agreement, the Bletchley Declaration, which outlined two general directions for further work:
- "[I]dentifying AI safety risks of shared concern, building a shared scientific and evidence-based understanding of these risks, and sustaining that understanding as capabilities continue to increase, in the context of a wider global approach to understanding the impact of AI in our societies."
- "[B]uilding respective risk-based policies across our countries to ensure safety in light of such risks, collaborating as appropriate while recognising our approaches may differ based on national circumstances and applicable legal frameworks. This includes, alongside increased transparency by private actors developing frontier AI capabilities, appropriate evaluation metrics, tools for safety testing, and developing relevant public sector capability and scientific research."
The signatories represent the world's major cyber powers, with the exception of Russia, Iran, and North Korea. The full list includes: Australia, Brazil, Canada, Chile, China, the European Union, France, Germany, India, Indonesia, Ireland, Israel, Italy, Japan, Kenya, the Kingdom of Saudi Arabia, Netherlands, Nigeria, the Philippines, the Republic of Korea, Rwanda, Singapore, Spain, Switzerland, Türkiye, Ukraine, United Arab Emirates, the United Kingdom, and the United States of America.
The US Executive Order on artificial intelligence is out.
US President Biden this morning issued an executive order (EO) on artificial intelligence (AI). Initially available to the public in the form of a White House Fact Sheet, the EO "establishes new standards for AI safety and security, protects Americans’ privacy, advances equity and civil rights, stands up for consumers and workers, promotes innovation and competition, advances American leadership around the world, and more." The closing "and more" is seriously intended. The EO is complex and far-ranging, touching on both the risks and opportunities the family of emerging technologies presents.
Many of the provisions of the EO have little to do directly with cybersecurity proper, but those that do include:
- "New Standards for AI Safety and Security." The EO will apply the Defense Production Act to require that development and subsequent training of "any foundation model that poses a serious risk to national security, national economic security, or national public health and safety" must be reported to the federal government. Such reporting must include "the results of all red-team safety tests." These measures are intended to ensure AI systems are safe, secure, and trustworthy before companies make them public. The National Institute of Standards and Technology (NIST) will establish "rigorous standards for extensive red-team testing to ensure safety before public release." The Department of Homeland Security (DHS) will establish an AI Safety and Security Board to ensure compliance. DHS will also work with the Department of Energy to address AI-based threats to critical infrastructure. The Department of Commerce will develop guidance for content authentication (the EO specifically mentions "watermarking") to ensure that AI-generated content is clearly recognizable as such. The National Security Council will lead preparation of a National Security Memorandum to "ensure that the United States military and intelligence community use AI safely, ethically, and effectively in their missions, and will direct actions to counter adversaries’ military use of AI." Some of the aspirations in this section are positive rather than preventive. The EO promises a cybersecurity program to develop AI tools that can find and fix software vulnerabilities.
- "Protecting Americans’ Privacy." The EO promises a range of measures designed to develop technologies that can protect individuals' privacy. New cryptographic tools are specifically mentioned. Here too the provisions are both positive and preventive, seeking not only to protect data from AI-enabled snooping, but to use AI in ways that would enhance privacy.
- "Ensuring Responsible and Effective Government Use of AI." The EO promises "guidance for agencies’ use of AI, including clear standards to protect rights and safety, improve AI procurement, and strengthen AI deployment."
Other sections of the EO focus on ensuring competition, preserving and creating jobs, avoiding certain civil rights risks (particularly in employment and housing), and supporting AI research and development. The White House Fact Sheet emphasizes the degree to which international consultation shaped the EO, and the list of partners is long and instructive: Australia, Brazil, Canada, Chile, the European Union, France, Germany, India, Israel, Italy, Japan, Kenya, Mexico, the Netherlands, New Zealand, Nigeria, the Philippines, Singapore, South Korea, the UAE, and the UK. (Notably absent are China and Russia.) The UK is hosting a much-anticipated AI summit this week, and the United Nations has announced the formation of an AI governance advisory committee.
Department of Energy hosts simulated cyberattack competition.
The US Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) and the Argonne National Laboratory hosted their ninth CyberForce Competition on November 4th, CyberScoop reports. The competition gave more than one hundred teams of students the opportunity to deal with a simulated cyberattack against a company in the distributed energy resources market.
Mara Winn, deputy director of preparedness, policy, and risk analysis at CESER, told CyberScoop, “The student teams must integrate, maintain and secure their internal management systems and industrial control systems for their customers while providing seamless energy buyback and credit systems for the local grid company… This is exactly what we need people doing on a day-to-day basis.”
Malware attacks against IoT devices increase by 400%.
A report from Zscaler’s ThreatLabZ has identified a 400% year-over-year increase in malware attacks against IoT devices in the first six months of 2023. Activity from the Mirai and Gafgyt botnet malware families accounted for 66% of attack payloads against these devices. Additionally, the researchers found that “34 of the 39 most popular IoT exploits [were] specifically directed at vulnerabilities that have existed for more than three years.” The most commonly targeted devices were routers.
More than half (54.5%) of malware attacks against IoT targeted devices in the manufacturing industry. The report notes, “On an average week, the manufacturing sector receives more than triple the number of attacks as any other sector....With a low tolerance for operational disruptions, manufacturing is high stakes for malware attacks....High attack volumes not only jeopardize IoT systems but also pose a serious threat to OT processes.”
CISA’s ICS advisories.
On October 17th, CISA issued two advisories for vulnerabilities affecting Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation products and Rockwell Automation FactoryTalk Linx.
On October 19th, the agency published an advisory for a set of critical vulnerabilities affecting Hitachi Energy's RTU500 Series.
And on October 26th, the agency released advisories for vulnerabilities affecting Dingtian DT-R002, Centralite’s Pearl Thermostat, and products from Ashlar-Vellum, Rockwell Automation, Sielco, and BD.