At a glance.
- More OT attacks tied to Sandworm.
- Russia-linked hackers target Texas water utilities.
- Belarusian hacktivists hit fertilizer company.
- Chinese-manufactured devices in US networks see a 41% YoY increase.
- Ukraine-linked hackers deploy ICS malware against Russian infrastructure company.
- A look at cyberattacks that had physical consequences in 2023.
- Lessons from NERC’s GridEx exercise.
- Extension requested for comment period on CISA’s incident reporting rule.
- CISA issues eight ICS advisories.
More OT attacks tied to Sandworm.
Mandiant has published a report on the recent activities of Sandworm, a threat actor attributed to Russia's GRU. Mandiant now tracks the group as "APT44," and notes that "no other Russian government-backed cyber group has played a more central role in shaping and supporting Russia’s military campaign." The threat actor has a much broader focus than the war in Ukraine, however, and the researchers are tracking "operations from the group that are global in scope in key political, military, and economic hotspots for Russia."
Mandiant's report ties APT44 to several hacktivist groups that have claimed responsibility for attacks against OT systems in the United States and the European Union, including three water utilities in Texas, a wastewater treatment plant in Poland, and a hydroelectric dam in France. These attacks don't seem to have had any serious effects, but the researchers note that "[c]ontinued advancements and in-the-wild use of the group’s disruptive and destructive capabilities has likely lowered the barrier of entry for other state and non-state actors to replicate and develop their own cyber attack programs." Sandworm has been responsible for several damaging attacks in the past, including the 2017 NotPetya attack and the disruptions of Ukraine's energy grid in 2015 and 2016.
Russia-linked hackers target Texas water utilities.
SecurityWeek describes the January cyberattacks mentioned in Mandiant’s report that hit water facilities in three small Texas towns. Mike Cypert, the city manager of Hale Center, said their firewall received 37,000 login attempts over the course of four days, causing the city to unplug its SCADA system and switch to manual operations. In the town of Muleshoe, city manager Ramon Sanchez said the hackers managed to overflow the city’s water system for about forty-five minutes, but that the incident didn’t pose any danger to the public. Lockney, the third city targeted, managed to thwart the attackers before they gained access to the town’s water system. Mandiant analyst Dan Black told CNN, “The haphazardness is part of their pathological emphasis on psychological impact. They want to make it look like they’re doing more than they’re doing.”
On April 23rd, US Representatives Pat Fallon (Republican of Texas) and Ruben Gallego (Democrat of Arizona) sent a letter to Homeland Security Secretary Alejandro Mayorkas requesting a briefing on these incidents. The representatives wrote, “As you may know, much of the American West is experiencing a historic, long-term drought that makes fortifying water supplies from vulnerabilities like adversary disruption efforts all the more important. Should a hack similar to the Texas incident occur in Arizona or other states that may lack sufficient water supply, it could disrupt operations across the region with devastating effects.”
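As an added example (not from the newsletter or from the utilities involved), the Hale Center figure of 37,000 attempts over four days works out to roughly six per minute, low enough that a per-minute burst alert can miss it; this Python script counts failed logins per source over a long sliding window, using a constructed log format and constructed sample lines.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format (assumed, not a real vendor format):
#   "<ISO-8601 timestamp> auth-fail src=<ip> user=<name>"
LINE_RE = re.compile(r"^(\S+) auth-fail src=(\S+) user=(\S+)$")


def parse(line):
    """Return (timestamp, source, user) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def flag_sources(lines, window_seconds=86400, threshold=500):
    """Map each source whose failed logins reach `threshold` inside any
    `window_seconds` span to the ISO time the threshold was first crossed.
    Lines must be in chronological order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, _user = rec
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts.isoformat()
    return flagged


def constructed_logs():
    """Constructed sample (not real data): one source failing every 10 seconds
    for four days (~34,500 attempts, never bursty) and one short 20-attempt
    burst from another source. Dates are arbitrary."""
    start = datetime(2024, 1, 15)
    lines = [f"{(start + timedelta(seconds=10 * i)).isoformat()} "
             f"auth-fail src=198.51.100.7 user=admin"
             for i in range(4 * 24 * 360)]
    lines += [f"{(start + timedelta(seconds=i)).isoformat()} "
              f"auth-fail src=203.0.113.9 user=root" for i in range(20)]
    return sorted(lines)   # timestamp leads each line, so this is time order


if __name__ == "__main__":
    logs = constructed_logs()
    print("24h window, 500 failures:", flag_sources(logs))        # slow source only
    print("1min window, 10 failures:", flag_sources(logs, 60, 10))  # burst source only
```

Running both windows over the same input shows why a single short-window rule is not enough: the slow source trips only the daily count, and the burst source trips only the per-minute one.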
Belarusian hacktivists hit fertilizer company.
Belarusian hacktivists claim to have hacked Grodno Azot, Belarus’s state-run fertilizer manufacturer, in protest of President Lukashenko’s regime, the Record reports. The hackers say they disrupted the company’s energy generation facility and wiped or encrypted hundreds of computers and servers. The group is demanding the release of political prisoners who were arrested for protesting Lukashenko’s contested reelection in 2020.
Grodno Azot confirmed that it was attacked, but said “[t]he situation has not affected, and will not affect, the production activities of the enterprise.”
Chinese-manufactured devices in US networks see a 41% YoY increase.
A report from Forescout found that the number of Chinese-manufactured devices in US networks has increased 41% year-over-year, despite official bans by the US government.
The report says, “Critical infrastructure organizations are among those that use the highest numbers of such devices and some of these industries more than doubled the number of Chinese-manufactured devices in their networks in one year. One vertical of interest is the government where Hikvision and Dahua cameras, despite being banned, remain connected to networks. Other devices, including Yealink VoIP phones, are also present in the thousands.”
The researchers note that vulnerable IP cameras often serve as initial access points to sensitive networks, and China-linked APTs have been known to exploit these devices in the past.
Ukraine-linked hackers deploy ICS malware against Russian infrastructure company.
Researchers at Claroty have published a report on “Fuxnet,” a strain of ICS malware deployed by Ukraine-linked hackers against Moscollector, a Moscow-based company that manages underground water and communications infrastructure. The hacking group, called “Blackjack,” posted online claiming to have damaged 87,000 remote sensors and IoT devices used by the Russian company. Claroty thinks this claim is exaggerated, but the malware does appear to have bricked at least 500 sensor gateways. The researchers note, “If the gateways were indeed damaged, the repairs could be extensive given that these devices are spread out geographically across Moscow and its suburbs, and must be either replaced or their firmware must be individually reflashed.”
A look at cyberattacks that had physical consequences in 2023.
Waterfall Security Solutions has published a report looking at cyberattacks on OT organizations in 2023, finding that 68 of these attacks had physical consequences. This represents a 19% increase compared to 2022. Most of these physical effects were consequences of IT-based attacks rather than direct exploitation of OT systems. 80% of these attacks involved ransomware, while 15% were launched by hacktivists. Half of the attacks impacted entities in the manufacturing sector, and the most expensive attacks caused hundreds of millions of dollars in damages.
The researchers also observed an increase in the use of GPS jammers, noting, “Many industrial systems rely on GPS signals for more than just location information, where microsecond-synchronized timing is crucial, such as the protective relaying critical to the reliability of the electrical grid and of equipment in that grid. Operators of such systems are advised to evaluate the extent of their dependence on such timing and positioning systems and establish robust fail-safe operation modes when these systems are jammed or falsified.”
Lessons from NERC’s GridEx exercise.
A report from NERC and the E-ISAC looks at lessons learned from the GridEx VII exercise, a simulated targeting of North America's electric grid with cyber and physical attacks. The exercise, which was conducted over two days in November 2023, involved participants from the electric sector and the government, and was followed by an in-person meeting between industry executives and government leaders from the United States and Canada.
Recommendations from the report include increasing the resilience of the communications systems essential for operating the grid, preparing for recovery from complex and prolonged power outages, and increasing coordination between non-federal government partners and electric utilities.
Extension requested for comment period on CISA’s incident reporting rule.
The US Chamber of Commerce and more than twenty industry groups have called for a month-long extension of the 60-day comment period for CISA’s proposed rule implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), the Record reports. The groups said in a letter to CISA, “The proposed rule is extensive and intricate, reflecting the complexities inherent in addressing cybersecurity within critical infrastructure sectors. The NPRM spans nearly 500 pages. Consequently, its length and depth necessitate a comprehensive review process to ensure that all stakeholders fully understand its implications.”
The letter adds, “[G]iven the potential impact of this rule, affecting every critical infrastructure sector, and possibly serving as a model and hub for other reporting requirements, this additional time is crucial. It will allow organizations to thoroughly evaluate the proposed requirements, identify potential challenges, and propose effective solutions that prioritize both security and operational continuity.”
CISA issues eight ICS advisories.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued eight ICS advisories for vulnerabilities affecting products from Hitachi Energy, Siemens, Honeywell, Mitsubishi Electric, Rockwell Automation, and Chirp Systems. The most serious vulnerability affects Siemens RUGGEDCOM APE1808 devices that are configured with Palo Alto Networks Virtual Next-Generation Firewall. These products may be vulnerable to a command injection flaw that could allow an attacker to execute arbitrary code with root privileges.