The UK's Ministry of Defence situation report this morning describes reversion to the norm of reliance on indiscriminate firepower. The mayor of Mariupol says the civilian death toll in his city could exceed 20,000 as Russian forces continue their efforts to reduce the city. Ukrainian Neptune anti-ship missiles are said to have scored against the guided missile cruiser Moskva, flagship of Russia's Black Sea Fleet, which is said to be burning and, in some reports, abandoned.
Warning: threat actor targets industrial systems.
And circumstantial evidence points to Russia. The US Government hasn't made that attribution, but several security companies, notably Mandiant, have.
Late yesterday the US Cybersecurity and Infrastructure Security Agency (CISA) announced that, with its partners in "the Department of Energy (DOE), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI)," CISA had issued a joint Cybersecurity Advisory (CSA). It warns that "certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices using custom-made tools." The vulnerable systems include at least Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers. The advisory recommends familiar best practices for protecting ICS/SCADA systems, and explains the threat actor's tools as follows:
"The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions."
The immediate actions CISA recommends are to implement multifactor authentication, change system passwords (especially any default passwords), and use "a properly installed continuous OT monitoring solution to log and alert on malicious indicators and behaviors."
The Washington Post reports expert consensus that the energy sector, especially liquefied natural gas facilities, is probably the tools' most likely target.
Dragos calls the activity group "CHERNOVITE" and the malware "PIPEDREAM." While CISA's advisory called out specific products and merely suggested that others might be vulnerable, Dragos is explicit in its assessment that other systems are at risk: "the tooling may be used to target and attack controllers from hundreds of additional vendors. PIPEDREAM can target a variety of PLCs in multiple verticals due to its versatility." That versatility has been observed elsewhere. Wired quotes sources at Dragos to the effect that PIPEDREAM is "like a Swiss Army knife with a huge number of pieces to it." It's equally capable of collection, compromise, disruption, and destruction of industrial systems. Two of the points Dragos makes illustrate the versatility: "CHERNOVITE can manipulate the speed and torque of Omron servo motors used in many industrial applications and whose manipulation could cause disruption or destruction of industrial processes leading to potential loss-of-life scenarios. PIPEDREAM's Windows related components facilitate host reconnaissance, command and control, lateral tool transfer, and the deployment of unsigned rootkits." The warnings about this threat to control systems are forward-looking, as the tools don't appear to have been used, yet.
Researchers at Mandiant have a different nomenclature: they call the toolkit "INCONTROLLER," which emphasizes its ability to seize control of industrial processes. Their report describes three scenarios in which INCONTROLLER might be used:
- Disruption of controllers to shut down industrial processes,
- Reprogramming controllers for the purpose of sabotage, and (most alarmingly)
- Shutting down safety systems to cause physical destruction.
Like others, Mandiant believes the tools were prepared by a nation-state for its own use. That nation-state is, they think, probably Russia. Their evidence is circumstantial, their reasoning suggestive but compelling. The tools required resources and expertise to develop, they don't have any obvious payoff, and there are similarities in style to earlier Russian efforts. And, of course, Russia is presently engaged in a large-scale hybrid war.
Comment on the GRU's earlier attempt against Ukraine's power grid.
Nozomi Networks has commented on Sandworm's attempt to disable portions of Ukraine's power grid. The company's advice is familiar but worth attending to, recommending as it does implementation of sound practices and good cyber hygiene. Chris Grove, Nozomi's Director of Cybersecurity Strategy, sees continuity between this attack and earlier, more successful takedowns of portions of the Ukrainian grid: "The nature of this attack is one that everyone in the international critical infrastructure community should note, as it's one of a handful of attacks that has directly hit OT systems. According to Nozomi Networks Labs, there have been reports of some hardcoded IPs in the malware sample, which is an indication that the threat actors had intimate knowledge of the environment they were deploying this in. Much like the similar malware that Sandworm deployed in Ukraine in 2016, ICS operators must monitor their networks for any strange activity, as Russian tactics prove to sit in environments for weeks to months before executing these attacks."
Another look at the privateers.
While attention has shifted to Russian intelligence and security services' cyber operations, the privateers, like Conti, are still out there. CNBC has joined those who've sifted through the internal chatter taken from the gang and dumped online. Conti's operations look a lot like those of a legitimate business. "The messages show that Conti operates much like a regular company, with salaried workers, bonuses, performance reviews and even 'employees of the month.'" Employee of the month is a nice touch. One difference between the gang and a legitimate business: a lot of Conti's associates (they should certainly be called "associates," shouldn't they?) are unaware that they're working for a criminal enterprise. Lots of them, CNBC says, think they're working for an advertising company.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.