Control Loop Audience Survey.
Please take a moment to fill out our super quick survey. Thanks!
At a glance.
- Volt Typhoon targets US critical infrastructure.
- Ransomware attacks in the OT sector.
- Ransomware attack against Johnson Controls cost $27 million.
- Schneider Electric confirms ransomware attack.
- US sanctions Iranian officials for attacks on critical infrastructure.
- US House Energy Subcommittee holds hearing on cyberattacks against water infrastructure.
- OIG says CISA needs to improve collaboration with the water sector.
- Cyberattacks against Israeli ports.
- An analysis of cyberattacks against Danish energy infrastructure.
- US government outlines threats posed by Chinese-manufactured drones.
Volt Typhoon targets US critical infrastructure.
Reuters reports that the US Justice Department and FBI disabled portions of a network of compromised devices that was being used by the China-linked threat actor Volt Typhoon to target US critical infrastructure. Volt Typhoon had been forming a botnet by compromising vulnerable devices, including routers, modems, and IoT devices, in order to hide later intrusions into sensitive targets.
FBI Director Christopher Wray told Congress last week that Volt Typhoon’s activity is part of a wider strategy by the Chinese government to target US critical infrastructure, including the power grid, water treatment facilities, and pipelines, in order to stage future destructive attacks, NPR reports. Wray stated, “China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if and when China decides the time has come to strike. They're not focused just on political and military targets. We can see from where they position themselves across civilian infrastructure that low blows are just a possibility in the event of a conflict; low blows against civilians are part of China's plan.”
Dragos CEO Robert M. Lee said in a media briefing last Tuesday that Volt Typhoon is also targeting US satellite and telecommunication networks. Lee said the threat actor “consistently chooses industrial targets, goes after those targets, and plays this low and slow game.”
Lee also predicts that if criminals are able to obtain off-the-shelf malware that targets industrial environments, physically destructive cyberattacks will become much more common.
Ransomware attacks in the OT sector.
Dragos has published a report on ransomware in the industrial sector during the fourth quarter of 2023, finding that the Lockbit 3.0 gang was responsible for 25 percent of attacks against industrial organizations last quarter. Manufacturing was the most targeted sector, accounting for 66% of ransomware attacks, with 135 reported incidents. The researchers note that business-impacting ransomware attacks in Q4 2023 “[exhibited] more severe impacts when compared to earlier quarters.”
A separate report from TXOne Networks on OT/ICS security warns that “the recent accessibility of OT testbeds and protocols has aided malicious actors in the development of ready-made malware, opening the floodgates for cyber criminals who no longer need specialized training to conduct deadly attacks.”
The researchers found that 47% of organizations in the OT sector reported suffering ransomware attacks last year. While most of these incidents were against IT systems, 97% of the victims said OT environments were indirectly affected by downtime.
The researchers note, “The inherent focus of the OT sector on automation, compared to IT, makes it more vulnerable to significant operational and financial losses, even from brief downtimes. This vulnerability has made OT industries particularly attractive to cybercriminals, as the high cost of operational disruption increases the likelihood of ransom payment.”
Ransomware attack against Johnson Controls cost $27 million.
Johnson Controls International disclosed in an SEC filing that a ransomware attack the company sustained in September 2023 has cost the company $27 million in expenses so far, BleepingComputer reports. Johnson Controls stated, "The cybersecurity incident consisted of unauthorized access, data exfiltration, and deployment of ransomware by a third party to a portion of the Company's internal IT infrastructure."
The company adds that it "expects to incur additional expenses associated with the response to, and remediation of, the incident throughout fiscal 2024, most of which the Company expects to incur in the first half of the year. These expenses include third-party expenditures, including IT recovery and forensic experts and others performing professional services to investigate and remediate the incident, as well as incremental operating expenses incurred from the resulting disruption to the Company’s business operations."
Schneider Electric confirms ransomware attack.
Schneider Electric has confirmed that its sustainability business division was disrupted by a ransomware attack, Silicon Republic reports. The company stated, "From an impact assessment standpoint, the ongoing investigation shows that data have been accessed. As more information becomes available, the sustainability business division of Schneider Electric will continue the dialogue directly with its impacted customers and will continue to provide information and assistance as relevant."
BleepingComputer says the attack occurred on January 17th, and involved the Cactus strain of ransomware.
US sanctions Iranian officials for attacks on critical infrastructure.
The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned six officials in the Iranian Islamic Revolutionary Guard Corps for their alleged involvement in targeting programmable logic controllers used by US critical infrastructure facilities. Treasury stated, "The United States is taking action against these individuals in response to IRGC-affiliated cyber actors’ recent cyber operations in which they hacked and posted images on the screens of programmable logic controllers manufactured by Unitronics, an Israeli company. Industrial control devices, such as programmable logic controllers, used in water and other critical infrastructure systems, are sensitive targets. Although this particular operation did not disrupt any critical services, unauthorized access to critical infrastructure systems can enable actions that harm the public and cause devastating humanitarian consequences."
US House Energy Subcommittee holds hearing on cyberattacks against water infrastructure.
The US House Energy and Commerce Environment, Manufacturing, and Critical Materials Subcommittee held a hearing last week on cyberattacks against water treatment facilities, Industrial Cyber reports. Subcommittee Chair Buddy Carter (Republican from Georgia) stated, “Rather than responding to these cybersecurity threats with one-size-fits-all regulatory standards that are costly and require and assume a level of technological sophistication to operate and maintain. We must focus on ways to increase cybersecurity collaboration within the water sector and opportunities for the Environmental Protection Agency and Department of Homeland Security to work jointly with these systems to achieve higher levels of cybersecurity. Cyber threats are not disappearing, and no amount of regulation, resources, or technical expertise can fully remove the threat.”
OIG says CISA needs to improve collaboration with the water sector.
A report from the US Department of Homeland Security’s Office of Inspector General asserts that the US Cybersecurity and Infrastructure Security Agency (CISA) needs to improve its collaboration with entities in the water sector, Nextgov reports. The OIG states that although CISA “had extensive products and services to manage risks and mitigate cybersecurity threats to critical water and wastewater infrastructure and increase its resiliency,” the agency “did not consistently collaborate with the Environmental Protection Agency and the Water and Wastewater Systems Sector to leverage and integrate its cybersecurity expertise with stakeholders’ water expertise.”
The report adds, “This occurred because CISA did not have a Memorandum of Understanding with the Environmental Protection Agency documenting roles, responsibilities, and collaboration mechanisms. CISA also lacked policies and procedures regarding collaboration with the Environmental Protection Agency and other external stakeholders.”
CISA agreed with the OIG’s recommendations and has provided a timeline for its plans to improve collaboration with the water industry, the Record reports. Last week the agency issued a joint report with the Environmental Protection Agency (EPA) and the FBI outlining best practices for cyber incident response in the water and wastewater sector.
Cyberattacks against Israeli ports.
The Cyber Express reports that the Anonymous Sudan hacker gang has claimed credit for cyberattacks against two Israeli ports. The group says it hit the ports’ “network devices, network administration devices, routers, SNMP & email servers, VPN, internal servers, and critical client-side endpoints.” The gang’s claims are unverified, but the Cyber Express observed that one of the port’s websites was offline at the time of publication.
While Anonymous Sudan claims to be a hacktivist group based in Sudan, Cloudflare notes that this may be an attempt at misdirection. There are some indications that the group is based in or is operating on behalf of Russia.
An analysis of cyberattacks against Danish energy infrastructure.
Forescout has published an analysis of two waves of cyberattacks that hit Denmark's energy sector in May 2023. While the Danish CERT for critical infrastructure, SektorCERT, attributes the incidents to Russia's Sandworm threat actor, Forescout thinks the evidence for this is lacking.
The researchers write, “Evidence suggests that the two waves of attacks on Danish infrastructure reported by SektorCERT were unrelated. It also suggests that the second wave was simply part of a mass exploitation campaign against unpatched firewalls, not part of a targeted attack by Sandworm or another state-sponsored actor. Our data reveals that the campaign described as the 'second wave' of attacks on Denmark, started before, and continued after, the period reported by SektorCERT, targeting firewalls indiscriminately in a very similar manner, only changing staging servers periodically. We see a prevalence of exploitation attempts in Europe, where nearly 80% of publicly identifiable and potentially vulnerable firewalls are located.”
US government outlines threats posed by Chinese-manufactured drones.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have published a joint report outlining the threats Chinese-manufactured drones pose to US critical infrastructure. The report warns that giving network access to such drones may result in:
- “Exposing intellectual property to Chinese companies and jeopardizing an organization’s competitive advantage.
- “Providing enhanced details of critical infrastructure operations and vulnerabilities increasing the PRC’s capability to disrupt critical services.
- “Compromising cybersecurity and physical security controls leading to potential physical effects such as theft or sabotage of critical assets.
- “Exposing network access details that enhance the PRC’s capability to conduct cyber-attacks on critical infrastructure.”
Vulnerability in Bosch thermostats.
Bitdefender has identified a high-severity vulnerability in Bosch smart thermostats that can allow attackers to send commands to the thermostat and replace its firmware. The flaw is in the unit’s Wi-Fi microcontroller, which acts as a network gateway for the thermostat’s logic microcontroller. The vulnerability enables malicious commands to be sent to the thermostat, indistinguishable from legitimate cloud server commands.
Bill would add ICS security to President’s Cup Cybersecurity Competition.
The US Senate Homeland Security and Governmental Affairs Committee (HSGAC) has approved the Industrial Control Systems Cybersecurity Competition Act, a bill that would expand the President’s Cup Cybersecurity Competition to include OT and ICS security, Meritalk reports. The bill will now be voted on in the full Senate.
The annual President’s Cup Cybersecurity Competition, held by CISA, aims to “identify, recognize, and reward the best cybersecurity talent in the federal executive workforce.”