At a glance.
- The Vulkan Papers.
- Maritime cybersecurity.
- Dragos CEO on critical infrastructure cybersecurity.
- JCDC and pre-ransomware notification.
- Cyberattacks against Canada’s agriculture industry.
- Hitachi ransomware incident.
- African industrial sector targeted with malware.
- TSA issues new cybersecurity requirements for the aviation industry.
- Ransomware Vulnerability Warning Pilot supports critical infrastructure operators.
The Vulkan Papers.
NTC Vulkan, a Moscow-based IT consultancy, has been exposed as a major contractor to all three of the principal Russian intelligence services, the GRU, the SVR, and the FSB. Vulkan's specialty is the development of tools for cyberattack. Der Spiegel, one of a group of media outlets that broke the story, sources it to a major leak. "This is all chronicled in 1,000 secret documents that include 5,299 pages full of project plans, instructions and internal emails from Vulkan from the years 2016 to 2021," Spiegel writes. "Despite being all in Russian and extremely technical in nature, they provide unique insight into the depths of Russian cyberwarfare plans. In a militarized country that doesn’t just fight with warplanes, tanks and artillery, but with hackers and software."
The media consortium that received and shared the leaks includes German, French, British, and American papers: Der Spiegel, iStories, Paper Trail Media, Süddeutsche Zeitung, Le Monde, the Guardian, and the Washington Post. Süddeutsche Zeitung was the first to break the story, as "an exclusive look inside the war room of Putin's cyber army."
The Vulkan papers reveal that the company is engaged in supporting a full range of offensive cyber operations. Its services and products extend to espionage, disinformation, and disruptive attacks intended to sabotage infrastructure, and the company also provides training to its customers in the security and intelligence organs.
Maritime cybersecurity.
The US Cyberspace Solarium Commission 2.0 has published a report calling for the Cybersecurity and Infrastructure Security Agency (CISA) to set up a maritime equipment test bed to enhance maritime cybersecurity, FedScoop reports. The report states, “The program can begin by testing for cybersecurity vulnerabilities in foreign-manufactured cranes used in U.S. ports — as mandated by the National Defense Authorization Act (NDAA) of the fiscal year 2023 — and then expand into broader, systemically important maritime OT.”
CISA and the US Army Corps of Engineers' Engineer Research and Development Center last month released the Marine Transportation System Resilience Assessment Guide. The guide focuses on physical, cyber, geographic, and logical resilience. CISA’s Dr. David Mussington, Executive Assistant Director for Infrastructure Security, stated that the guide “is integral to the development of a unified approach to address resilience indicators for port infrastructure systems, and functions that assess the key dimensions of critical infrastructure in the maritime domain.”
Dragos CEO on critical infrastructure cybersecurity.
Dragos CEO Robert Lee on March 23rd testified before the Senate Committee on Energy and Natural Resources to discuss cybersecurity vulnerabilities in the United States’ energy infrastructure.
Lee first pointed out that the ICS threat landscape shifted “irreversibly” last year due to the emergence of PIPEDREAM, a malware framework capable of launching repeatable attacks across the OT/ICS industry. Lee stated that PIPEDREAM “initially targeted energy assets, but can work in almost all OT environments, including military weapons systems.”
Lee then discussed how the government should focus on efforts that have been successful and avoid duplicating resources or guidance: “We need to regulate towards outcomes, not prescriptive requirements, using the expertise of the private sector, and be sure they’re not counterproductive to what we’re trying to accomplish, such as overlapping reporting requirements that cause confusion.”
Finally, Lee said the government should identify its critical assets, decide which risks to defend against, and allocate the necessary resources to address these risks. Lee stated, “The government must be resourced appropriately to protect its own networks. DOE and CISA both require authorities and resourcing to hold the DOE and government agencies accountable for cybersecurity requirements on new projects, such as distributed energy resources. It is difficult for the government to talk credibly on the topic of cybersecurity when its institutions sometimes have less security than most energy sites.”
JCDC and pre-ransomware notification.
The US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Joint Cyber Defense Collaborative (JCDC) is cultivating its pre-ransomware notification capability. JCDC stated, “With pre-ransomware notifications, organizations can receive early warning and potentially evict threat actors before they can encrypt and hold critical data and systems for ransom.” The JCDC is a public-private sector information-sharing organization established by CISA in 2021.
JCDC Associate Director Clayton Romans explained in a blog post that pre-ransomware notifications are possible due to “tips from the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity.” Romans added that “since the start of 2023, we’ve notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or exfiltration occurred.”
Cyberattacks against Canada’s agriculture industry.
The Financial Post reports that the Canadian agriculture industry is increasingly being targeted by ransomware gangs and espionage-focused nation-state actors. The Post cites Dr. Ali Dehghantanha, head of the University of Guelph’s Cyber Science Lab, as saying that these attacks have been escalating over the past four years. Dehghantanha said, “Every week, I would say, we are getting contacted by farmers or food companies. It’s one of the soft bellies of our critical infrastructure.” Many of these cases are typical ransomware attacks, but Dehghantanha says he’s seen two instances in which attackers managed to access farm control systems and threatened to modify settings in order to kill livestock.
Evan Fraser, director of the Arrell Food Institute at the University of Guelph, told the Financial Post, “These are all systems that we explicitly depend on every single day, and they have become extremely vulnerable to manipulation of all sorts. They’re vulnerable because we haven’t thought carefully about the security of how we set these systems up.”
Hitachi ransomware incident.
Hitachi Energy, a subsidiary of the Japanese technology giant Hitachi, has confirmed that it sustained a data breach after falling victim to a Clop ransomware attack, BleepingComputer reports. The threat actor carried out the attack via a vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT (Managed File Transfer). Hitachi Energy said in a press release that the threat actor accessed employee data in some countries, but there’s no evidence that any customer data were breached, nor that any control systems were compromised. But ransomware remains a threat to industrial systems, and a pivot from business to control networks is always a possibility.
African industrial sector targeted with malware.
Kaspersky has seen an increase in cyberattacks targeting industrial organizations in Africa. The majority of these attacks targeted the energy, engineering, and oil & gas industries. The security firm stated, “In different regions of the world, the percentage of ICS computers on which malicious activity was prevented ranged from 40.1% in Africa and Central Asia, which led the ranking, to 14.2% and 14.3%, respectively, in Western and Northern Europe, which were the most secure regions.”
In an unrelated report, Sophos is tracking a new version of the PlugX USB Trojan that’s currently spreading in African countries, with infections observed in Ghana, Zimbabwe, and Nigeria. It’s not clear which types of organizations have been targeted or infected, however.
Sophos says the “novel aspects of this variant are a new payload and callbacks to a C2 server previously thought to be only tenuously related to this worm.” PlugX is a known malware variant that can spread via USB sticks, which can sometimes allow it to access air-gapped systems. Sophos believes this campaign is linked to the Chinese APT Mustang Panda, which has been known to use the malware in the past.
Gabor Szappanos, threat research director at Sophos, noted, “We don’t typically think of removable media as being particularly ‘mobile,’ especially when compared to internet-based attacks, but this method of dispersion has proved to be highly effective in this part of the world.”
TSA issues new cybersecurity requirements for the aviation industry.
The US Transportation Security Administration (TSA) on March 7th issued an emergency cybersecurity amendment for the security programs of airport and aircraft operators. The TSA says the measures are urgent due to “persistent cybersecurity threats against U.S. critical infrastructure, including the aviation sector.”
The amendment “requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure.” This includes developing “network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa.”
Ransomware Vulnerability Warning Pilot supports critical infrastructure operators.
CISA has announced the launch of the Ransomware Vulnerability Warning Pilot (RVWP), a support program designed to help critical infrastructure operators protect themselves against ransomware attacks. Authorized by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, the RVWP will help CISA detect vulnerabilities susceptible to exploitation by ransomware and alert critical infrastructure operators so that the flaws can be mitigated before attacks occur. As BleepingComputer notes, the RVWP is part of the US’s wider initiative to defend against the rising threat of ransomware, an initiative that began after a wave of cyberattacks on critical infrastructure operators and government agencies. Interested organizations can email CISA to enroll.