At a glance.
- Sellafield nuclear waste site to be prosecuted for alleged cybersecurity failings.
- CISA issues draft proposal for cyber incident reporting by critical infrastructure entities.
- Threat actor targets Indian government and energy entities.
- Suspicious NuGet package appears to target developers in the industrial sector.
- Researchers discover a way to hijack web-based PLCs.
- Threat actor targets manufacturing entities in North America.
- US Department of Defense launches CORA program.
- CISA issues ICS advisories.
Sellafield nuclear waste site to be prosecuted for alleged cybersecurity failings.
The UK’s Office for Nuclear Regulation (ONR) announced last month that the Sellafield nuclear waste site in Cumbria will be prosecuted over its alleged cybersecurity failings, the Guardian reports. The ONR stated, "These charges relate to alleged information technology security offences during a four-year period between 2019 and early 2023. There is no suggestion that public safety has been compromised as a result of these issues. The decision to begin legal proceedings follows an investigation by ONR, the UK’s independent nuclear regulator."
The Guardian reported late last year that the nuclear waste site had been hacked by multiple threat actors, including groups linked to Russia and China. Sellafield is the biggest nuclear site in Europe and has the largest store of plutonium in the world. The Guardian cites sources as saying it’s likely that "foreign hackers have accessed the highest echelons of confidential material at the site."
CISA issues draft proposal for cyber incident reporting by critical infrastructure entities.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a 447-page draft of its proposed rules governing how critical infrastructure entities will need to report cyberattacks to the federal government. According to CyberScoop, the proposed rules would require critical infrastructure entities to report incidents within 72 hours "after the covered entity reasonably believes the covered cyber incident has occurred." Additionally, if a company pays a ransom after being hit by ransomware, it will need to report the payment to CISA within 24 hours.
Comments on the proposal are due by June 3rd, and the rule is expected to be finalized in about eighteen months.
Threat actor targets Indian government and energy entities.
Researchers at EclecticIQ are tracking a malware campaign that's targeting Indian government organizations and the energy sector: "Analysts identified that multiple government entities in India have been targeted, including agencies responsible for electronic communications, IT governance, and national defense. Moreover, the actor targeted private Indian energy companies, exfiltrated financial documents, personal details of employees, [and] details about drilling activities in oil and gas. In total, the actor exfiltrated 8.81 GB of data, leading analysts to assess with medium confidence that the data could aid further intrusions into the Indian government's infrastructure."
The researchers don't attribute the campaign to any known threat actor, but they believe the goal of the operation is cyberespionage. The threat actor gained initial access via phishing lures that delivered a modified variant of the open-source information stealer HackBrowserData.
Suspicious NuGet package appears to target developers in the industrial sector.
Researchers at ReversingLabs have identified a suspicious package hosted by the open source package manager NuGet that may be tied to "a malicious software supply chain campaign with the goal of conducting industrial espionage on systems equipped with cameras, machine vision, and robotic arms." The package is designed to take screenshots and send them to a remote server.
The package appears to be targeting "developers working with technology made by BOZHON Precision Industry Technology Co., Ltd., a China-based firm that does industrial- and digital equipment manufacturing."
The researchers note that it’s possible that the package is a benign tool leaked by someone working for Bozhon, but it’s more likely that it’s being used as part of an industrial espionage campaign.
Researchers discover a way to hijack web-based PLCs.
Researchers at the Georgia Institute of Technology have published a report outlining a method to exploit browser-based control systems used in industrial facilities.
The researchers state, "Depending on the industrial process being controlled by the PLC, our attack can potentially cause catastrophic incidents or even loss of life. We verified these claims by performing a Stuxnet-style attack using a prototype implementation of this malware on a widely-used PLC model by exploiting zero-day vulnerabilities that we discovered during our research. Our investigation reveals that every major PLC vendor (80% of global market share) produces a PLC that is vulnerable to our proposed attack vector."
The researchers developed proof-of-concept malware that "resides in PLC memory, but ultimately gets executed client-side by various browser-equipped devices throughout the ICS environment. From there, the malware uses ambient browser-based credentials to interact with the PLC’s legitimate web APIs to attack the underlying real-world machinery."
The researchers emphasize that web-based PLCs have expanded the ICS attack surface, and organizations need to understand the risks that accompany increased accessibility.
Threat actor targets manufacturing entities in North America.
Researchers at eSentire are tracking a malware campaign by a threat actor tracked as "Blind Eagle" that’s targeting Spanish-speaking users at manufacturing organizations in North America. Trend Micro, which has been monitoring this threat actor for several years, believes the group is based in Colombia and is probably financially motivated. The group has previously targeted users in South America and Spain, sending phishing emails that distribute a variety of remote access Trojans. In this case, Blind Eagle is sending phishing emails that deliver Remcos RAT and NjRAT.
US Department of Defense launches CORA program.
The US Department of Defense Information Network, part of the Joint Force Headquarters, on March 1st launched its Cyber Operational Readiness Assessment (CORA) program following a successful nine-month pilot phase. Air Force Lieutenant General Robert Skinner, commander of the Joint Force Headquarters DoD Information Network, stated, "CORA is a vital aspect of continually understanding our cyber readiness through fusing many risk factors including access control, detecting anomalies, adjusting to adversary threat information and executing cyber orders. Ultimately, the assessment provides commanders and directors a more precise understanding of their high-priority cyber terrain and their overall cyber security and defensive posture, enabling greater command and control and enhancing decision making."
CISA issues ICS advisories.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued fifteen ICS advisories affecting products from Siemens, Delta Electronics, Softing, and Mitsubishi. Three of the vulnerabilities received CVSS scores of 9.8, affecting Siemens' SINEMA Remote Connect Server, SIMATIC, and certain RUGGEDCOM devices that use unpatched Fortinet Next-Generation Firewalls. One flaw received a CVSS score of 10, impacting Siemens' Sinteso EN and Cerberus PRO EN Fire Protection Systems.