OT patch notes. Infrastructure threats in Russia's hybrid war. Ransomware as industrial threat. Bitter APT targets Asia-Pacific energy companies. ETHOS OT risk information-sharing platform.

News Roundup

At a glance.

Siemens patches a vulnerability endemic to the energy sector.
Disruptions of Ukrainian supply chains.
An update on the Vulkan Papers.
Ukraine argues that cyberattacks against civilian infrastructure should be classified as war crimes.
Eurocontrol under attack.
Ransomware at Fincantieri Marinette Marine.
Bitter APT may be targeting Asia-Pacific energy companies.
ETHOS: a new private-sector OT risk information-sharing platform.
CISA requests comment on software self-attestation form.
A look back at the Colonial Pipeline ransomware attack.

Siemens patches a vulnerability endemic to the energy sector.

Siemens last week addressed a flaw in systems widely deployed though the electrical power sector. SecurityWeek reports, "The vulnerability, tracked as CVE-2023-28489, impacts the CPCI85 firmware of Sicam A8000 CP-8031 and CP-8050 products, and it can be exploited by an unauthenticated attacker for remote code execution. These products are remote terminal units (RTUs) designed for telecontrol and automation in the energy supply sector, particularly for substations."

Most implementations of these systems are believed to be "heavily firewalled," as observers put it, because their criticality is widely recognized. Thus the risk seems largely driven by the possibility of error and misconfiguration.

Russian ransomware operations aim to disrupt supply chains into Ukraine.

The US Intelligence Community sees Russian cyber operators devoting more effort toward disruption of supply chains supporting Ukraine. CyberScoop quotes NSA's Rob Joyce, the agency's director of cybersecurity, as saying that NSA is observing “a significant amount of intelligence gathering into the Western countries, to include the U.S., in that logistics supply chain.” A large fraction of that supply chain carries humanitarian aid.

And it’s worth noting that the supply chains at risk here are physical supply chains that move material goods, not the software supply chains that have been much talked about.

This sort of threat has been seen before. To place some of the potential effects in context, recall the way NotPetya, a pseudoransomware campaign from 2017, encrypted systems at the shipping giant Maersk. The attackers continued their imposture enough to demand payment, but as it turned out there was no way to decrypt the files–they were modified in ways that made them unrecoverable. Loss of these administrative systems resulted in loss of visibility into Maerk’s containers, and the shipper had to revert to manual checking and manual management of the cargo it carried. This caused supply chain delays, particularly serious in time-sensitive shipments.

An update on Russia’s NTC Vulkan: SIGINT, EW, and cyber ops.

We've been following another development in Russia's war against Ukraine: the revelations contained in the so-called Vulkan Papers. To recap briefly, NTC Vulkan is a Moscow-based IT consultancy that does contract work for all three of the major Russian intelligence services: the GRU, the SVR, and the FSB. Der Spiegel, one of a group of media outlets that broke the story, sourced it to a major leak of some thousand sensitive documents running to more than five thousand pages.

The leaked papers reveal that Vulkan is engaged in supporting a full range of offensive cyber operations: espionage, disinformation, and disruptive attacks intended to sabotage infrastructure. Dragos has released a study of what the Vulkan Papers mean for that last class of activity: infrastructure disruption. The company's report took as its point of departure the coverage in the Washington Post, and it focused in particular on one of Vulkan’s tools, a malware suite known as Amesit-B. The researchers offered four key takeaways:

First, the papers represent genuine leaks from a "Russian contracting repository."
Second, the tools represent an operational as opposed to a training or research capability.
Third, Amesit-B represents a clear potential threat to the rail transportation and petrochemical sectors, and it works from a familiar Russian military intelligence playbook.
And finally, the Amesit-B platform shows an interesting convergence of cyber operations with traditional signals intelligence and electronic warfare operations. And it’s very much a combat support system, intended for battlefield use by a combatant commander.

Dragos advises taking Vulkan’s capabilities seriously, and understanding them in context.

Eurocontrol under attack.

The European air traffic control agency, Eurocontrol, reported a cyberattack by Russian actors. Eurocontrol's site has a terse account of the attack, which appears to be of the familiar distributed denial-of-service variety. "Since 19 April, the EUROCONTROL website has been under attack by pro-Russian hackers. The attack is causing interruptions to the website and web availability. There has been no impact on European aviation." The Wall Street Journal reports that KillNet has claimed responsibility.

Ukraine argues that cyberattacks against civilian infrastructure should be classified as war crimes.

Speaking at RSAC this week, Illia Vitiuk, Ukraine's head of the Department of Cyber Information Security in the Security Service of Ukraine, urged that cyberattacks against civilian infrastructure should be treated as war crimes. “I do believe that military commanders that are in charge of special forces and special services like the [Russian] GRU or SVR who are responsible for cyber-attacks on civilian infrastructure should also be convicted as war criminals,” Infosecurity Magazine quotes him as saying. Such attacks would presumably violate one or more of the principles that underlie the laws of armed conflict: proportionality, discrimination, and military necessity.

Iranian threat actor exploits N-day vulnerabilities, turns its attention to infrastructure.

Microsoft has reported that the group it's hitherto tracked as Phosphorus (and will henceforth refer to as "Mint Sandstorm") has developed a specialty in weaponizing N-day vulnerabilities, that is, vulnerabilities for which a fix or mitigation is available, but which some organizations have failed to patch. It's also been known mostly for reconnaissance and cyberespionage, but that may be changing, as there are signs the group is turning its attention to critical infrastructure. Mint Sandstorm has been known to conduct cyberespionage against both military and civilian targets (including political dissidents), but over the past two years the group has been observed to carry out attacks against infrastructure, and Microsoft thinks that its future activities may show a continued and growing disinhibition and loss of restraint.

Bitter APT may be targeting Asia-Pacific energy companies.

Intezer concludes that a new string of energy sector targeted phishing attacks are using tactics that resemble those previously used by Bitter APT. "Bitter APT is a South Asian threat group that commonly targets energy and government sectors; they have been known to target Pakistan, China, Bangladesh, and Saudi Arabia." The group makes its approach through phishing.

Although Bitter APT's involvement in the attacks is not fully confirmed, there are circumstantial grounds that point in its direction. The researchers have found that the threat actors are using the same tactics previously observed by the Bitter APT group such as “the use of Microsoft Office exploits through Excel files, and the use of CHM and Windows Installer (MSI) files.” The exploits have been initiated with an email to personnel in the energy sector being invited to a conference or round table. The phishbait is intended to induce the target to download and open a RAR file that contains a malicious payload.

Ransomware at Fincantieri Marinette Marine.

On April 12th the Wisconsin shipyard of Fincantieri Marinette Marine, builders of the US Navy’s Freedom class of Littoral Combat Ships and the Constellation class guided missile frigates, sustained a ransomware attack that disrupted shipyard operations. The US Naval Institute News reported that the attack targeted servers that held data used to deliver instructions to the shipyard’s numerical control manufacturing machines. Those devices translate design specifications and into instructions for "welders, cutters, bending machines and other computer-controlled tools.”

Operations had begun restoration within a day of the attack, but the episode was disturbing, and was closely monitored by the US Navy. It wasn’t immediately clear whether any data were stolen, but if temporary disruption of construction at a shipyard was the attackers’ goal, that was accomplished.

ETHOS: a new private-sector OT risk information-sharing platform.

This month at the RSA Conference in San Francisco, a community of private-sector companies announced the formation of ETHOS, an acronym for, “Emerging Threat Open Sharing.” ETHOS is intended to be “an open-source, vendor-agnostic technology platform for sharing anonymous early warning threat information across industries with peers and governments.” It’s intended to function as a hotline across which early indications of threat activity can be shared.

The eleven founding members of the ETHOS community are 1898 & Co., ABS Group, Claroty, Dragos, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable, and Waterfall Security.

The initiative also has the support of CISA, the US Cybersecuritiy and Infrastructure Security Agency. Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA said, “The scale of threats facing critical infrastructure operators, and in particular Operational Technology networks, requires an approach to information sharing grounded in collaboration and interoperability. CISA is eager to continue support for community-driven efforts to reduce silos that impede timely and effective information sharing. We look forward to collaborating with such communities, including the ETHOS community, to improve early warning and response to potential cyber threats, while appropriately protecting sensitive information about our nation’s critical infrastructure community.”

ETHOS is structured as a not-for-profit entity run by an independent mutual benefit corporation. At present, its technology resources may be found on GitHub.

CISA requests comment on software self-attestation form.

The US Cybersecurity and Infrastructure Security Agency (CISA) released a request for comment on a drafted self-attestation form for federal government software providers. The Secure Software Development Attestation Common Form was a combined effort between CISA and the Office of Management and Budget (OMB) and is based on the National Institute of Standards and Technology’s (NIST) Secure Software Development Framework (SSDF). FCW wrote that the form is intended for software vendors to prove their products are secure to the standards of federal government customers, with the government’s ultimate goal to work toward securing the supply chain. This follows a 2021 executive order on improving cybersecurity throughout the United States, and a later memo that same year from OMB requiring federal agencies to acquire self-attestation forms from vendors, with a looming September deadline. Public comment on the form will be accepted through June 26, 2023 via a comment box on the Regulations.gov website.

The Colonial Pipeline ransomware attack, two years later.

Sunday marked the second anniversary of the Colonial Pipeline ransomware attack, and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a short statement on lessons learned from the ransomware attack. The general problem the attack exposed, as CISA frames it, is ransomware, and countering it requires effective, centralized information-sharing, interagency cooperation, and a robust public-private partnership.

Russia’s war against Ukraine brought urgency to the US Government’s preparations for cyberattacks against critical infrastructure. That indeed is the threat that CISA’s Shield Up campaign has been designed to counter. CISA and its sister Homeland Security agency TSA (the Transportation Security Administration) also established close working relationships with over twenty-five major pipeline and industrial control systems organizations to strengthen the common defense. And CISA also received authority from Congress to expand the visibility and threat detection program it operates as CyberSentry.

Obviously, the statement says, work remains to be done, not only improving information-sharing and threat detection, but in assigning cybersecurity an appropriately high priority and aligning incentives in ways that promote security.

Attacks, Threats, and Vulnerabilities

WSJ News Exclusive | Europe’s Air-Traffic Agency Under Attack From Pro-Russian Hackers (Wall Street Journal) Air traffic isn’t at risk but the attack is ongoing, Eurocontrol said, amid fears about the safety of Europe’s critical infrastructure.

Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets (Microsoft Security) Over the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs).

NSA sees 'significant' Russian intel gathering on European, U.S. supply chain entities (CyberScoop) Russian hackers are targeting Ukrainian and European supply chains to disrupt the flow of humanitarian goods and lethal aid into Ukraine.

A Look Inside Putin's Secret Plans for Cyber-Warfare (Spiegel) Elite hackers from Russia have their sights set on airports and power plants around the world, along with the internet. Confidential data from Moscow, obtained by DER SPIEGEL and its partners, now provide a look inside their arsenal of cyber-weapons and reveal their strategy.

Threat Intel Brief: Russian Software Programs Targeting Industrial Infrastructure (Dragos) Read our intelligence brief for expert-analysis of emerging threats to ICS/OT environments and get actionable defensive recommendations. Download now →

7 takeaways from the Vulkan Files investigation (Washington Post) Thousands of pages of leaked documents offer rare glimpses of Russian military cyberwar strategy, the notorious Sandworm hacking group and a cheeky office party invitation hidden in a piece of malware

Secret trove offers rare look into Russian cyberwar ambitions (Washington Post) More than 5,000 pages of documents from a Moscow-based contractor offer unusual glimpses into planning and training for security services, including the notorious hacking group Sandworm

Ransomware Attack Hits Marinette Marine Shipyard, Results in Short-Term Delay of Frigate, Freedom LCS Construction (USNI News) This post has been updated with a statement from Lockheed Martin. The Wisconsin shipyard that builds the U.S. Navy’s Freedom-class Littoral Combat Ship and the Constellation-class guided-missile frigate suffered a ransomware attack last week that delayed production across the shipyard, USNI News has learned. Fincantieri Marinette Marine experienced the attack in the early morning hours …

Phishing Campaign Targets Chinese Nuclear Energy Industry (Intezer) A phishing campaign with malicious payloads targeted the Chinese nuclear energy industry, using tactics that align with Bitter APT.

Looming Threats Face California’s Water Infrastructure (GovTech) The challenges of defending water infrastructure are numerous. Many of the systems in California – and nationwide – are still operating with outdated software, poor passwords and other weaknesses that could leave them at risk.

Patches, Mitigations, and Updates

Critical Siemens RTU Vulnerability Could Allow Hackers to Destabilize Power Grid (SecurityWeek) Siemens patched a critical vulnerability affecting some of its energy ICS devices that could allow hackers to destabilize a power grid.

CISA Releases Sixteen Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA) CISA released sixteen Industrial Control Systems (ICS) advisories on April 13, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA Releases One Industrial Control Systems Advisory (Cybersecurity and Infrastructure Security Agency CISA) CISA released one Industrial Control Systems (ICS) advisory on April 20, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA- 23-110-01 INEA ME RTU

CISA Releases Two Industrial Control Systems Advisories (CyberSecurity & Infrastructure Security Agency (CISA)) CISA Releases Two Industrial Control Systems Advisories for Scada-LTS versions 2.7.4 and prior, and N8844A Data Analytics Web Service.

CISA Releases One Industrial Control Systems Medical Advisory | CISA (Cybersecurity and Infrastructure Security Agency CISA) CISA released one Industrial Control Systems Medical (ICS) medical advisory on April 27, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

Technologies, Techniques, and Standards

Defense sector ISAC releases supply chain security handbook for small business with manufacturing focus (Inside Cybersecurity) The National Defense Information Sharing and Analysis Center has published a supply chain handbook for small business manufacturing designed to help companies address “specific and common challenges” by offering use cases and ideas to address them.

OT Security: Know What You've Got and Where Your Risks Are (Bank Info Security) Threat intelligence is an important component of OT security because it maps the techniques and tactics of threat actors to what they are likely to attack, and it

OT Cybersecurity Leaders to Deliver First Open-Source Information Sharing for Collective Early Warning in Critical Infrastructure (GlobeNewswire News Room) Collaborative information sharing developed by ETHOS to help entire Operational Technology (OT) community rapidly identify, assess and respond to potential...

Policy, Legislation, and Regulation

The Attack on Colonial Pipeline: What We’ve Learned & What We’ve Done Over the Past Two Years (Cybersecurity and Infrastructure Security Agency CISA) Today marks two years since a watershed moment in the short but turbulent history of cybersecurity.

FACT SHEET: Biden-Harris Administration Announces New Actions to Promote Responsible AI Innovation that Protects Americans’ Rights and Safety (The White House) Today, the Biden-Harris Administration is announcing new actions that will further promote responsible American innovation in artificial intelligence (AI) and protect people’s rights and safety. These steps build on the Administration’s strong record of leadership to ensure technology improves the lives of the American people, and break new ground in the federal government’s ongoing effort…

Request for Comment on Secure Software Self-Attestation Common Form | CISA (Cybersecurity and Infrastructure Security Agency CISA) On April 27, 2023, CISA in accordance with EO14028 and the Office of Management and Budget’s (OMB) guide in OMB M-22-18, released through regulations.gov a 60-day Request for Comment to solicit public feedback on a self-attestation form to be used by software producers.