Industrial plant shut down by "Triton" (or "Trisis") malware attack.
On Thursday FireEye reported a significant attack on an unnamed industrial plant. They call the malware "Triton," and say it was designed to interact with Schneider Triconex Safety Instrumented System (SIS) controllers, widely used in the energy sector. The attackers introduced it via remote access and attempted to use it to reprogram the SIS controllers. In the process they tripped, apparently inadvertently, some of the systems into fail-safe shutdown.
Given the absence of any evident financial motive, FireEye thinks the attack was probably a nation state's work, but declined to speculate about which nation state it might have been. The attackers succeeded in establishing themselves in the plant's Distributed Control System (DCS), whence they were able to access the SIS. FireEye assesses the incident as reconnaissance and preparation: the attackers seem to have been interested in gaining the ability to accomplish one of three results at some future point. "Attack Option 1: Use the SIS to shutdown the process," which could cause process downtime and require complex restarts at considerable expense to the plant operator. "Attack Option 2: Reprogram the SIS to allow an unsafe state," which would increase the risk of physical damage or injury. "Attack Option 3: Reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard;" that is, directly cause serious injury or damage (FireEye).
Industrial security experts at Dragos, which called the attack a "watershed" event (Reuters), released their analysis of the malware on Thursday as well. They're calling it "Trisis," and they properly note that, while it's a nasty, bold piece of work, "defense is doable." They also remind people that safety systems, if well-designed, degrade gracefully even if their security is compromised: "As long as the SIS performs its safety function the compromising of its security does not represent danger as long as it fails safe" (Dragos).
CyberX says the affected plant is in Saudi Arabia, and that Iran is, on form if not on direct evidence, the likely suspect. CyberX's Phil Neray told us:
"We have information that points to Saudi Arabia as the likely target of this attack, which would indicate Iran as the likely attacker. It's widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat because now we're talking about critical infrastructure—but it's also a logical next step for the adversary. Stuxnet and more recently Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and TRITON appears to be simply an evolution of those approaches."
Beijing goes catphishing (says Berlin).
Germany's security agency, the Bundesamt für Verfassungsschutz (BfV), revealed the results of a long (nine months in gestation) counterintelligence inquiry into how Chinese intelligence services use social media. LinkedIn in particular drew their attention, and BfV director Hans-Georg Maaßen said China is using the platform to target individuals: more than ten thousand Germans have been prospected. Most of the fictitious profiles were swiftly taken down, but some journalists got a peek before the catphish spit the hook and vanished (CSO). The Chinese Foreign Ministry dismissed the German report as "groundless" and "hearsay," desiring Berlin to "speak and act more responsibly" (Straits Times).
The BfV details several phony profiles, East Asian Robin Sages. Here are some of the profiles described in the BfV's report: "Laeticia Chen," said to be a manager at something called the "China Center of International Politics and Economy." She had a nice photo, which isn't surprising, since it was taken from an online fashion catalogue. A headhunter at "RiseHR," going by the name of "Rachel Li." "Alex Li," represented as a project manager at the "Center for Sino-Europe Development Studies." All catphish, and representative of the species. They're online versions of the swallows, ravens, and sparrows long used in recruiting face-to-face (Naked Security).
If Beijing's Foreign Ministry isn't just engaged in diplomatic fibbing, and if their intelligence services really aren't engaged in doing anything that's "not beneficial to the development of bilateral relations," one wonders, well, why in the world aren't they? That is, after all, how foreign intelligence services sing for their supper.
Anatol left his heart in San Francisco (but he burned his papers on the way out).
To mention a different set of foreign intelligence services, this account of the goings-on at the Russian consulate in San Francisco is well worth a look. The US ordered it shut down in August (tit-for-tat for Russian decisions reducing American diplomatic personnel), and this retrospective describes the ways in which San Francisco and its environs were a decades-long target for Soviet, then Russian, technical intelligence (Foreign Policy). Not news for anyone who's seen the 1985 Roger Moore 007 flick, A View to a Kill. (The one in which Bond gets the Order of Lenin. M: "I'd have thought the KGB would have celebrated if Silicon Valley had been destroyed." KGB General Anatol Gogol: "On the contrary, Admiral, where would Russian research be without it?") A good read nonetheless.
"Lurk" defendant says Putin made him do it.
That is, he's said he was directed by the FSB, itself acting under the orders of the Russian President, to hack the US Democratic National Committee's email (The Bell). But observers are skeptical (Times). Konstantin Kozlovsky is on trial for his alleged role in the Lurk cyber gang. He may be interested in drumming up public outcry in the hope of a better sentencing deal. He's also been talking about collaboration between the FSB and Kaspersky Lab. It appears that collaboration was in the nature of a law enforcement investigation, the sort of cooperation Kaspersky has always said it extended to Russian authorities (Washington Post).
21st century Tailgunner Joes, and other historical analogies.
Of course there's Russian hacking, and Russian influence operations. There have been for years. But some people are beginning to ask if there's not a bit of bipartisan McCarthyism in progress (Observer). The threat was real, but on the other hand Senator McCarthy didn't have the Venona intercepts. Add McCarthyism to the list of cyber historical analogies, with Pearl Harbor (a massive attack on infrastructure), Project Apollo (the cyber moonshot), and Sputnik (what China's about to do to shock America with artificial intelligence).
Cryptocurrency, ICOs, and things that quack like ducks (securities-ducks, we mean).
The SEC is getting more assertive in regulating the world of cryptocurrencies, shutting down a second ICO (of Munchee) this week (Bloomberg), but many legal and regulatory lines remain blurry (Forbes).
As the Deutsche Börse prepares to open cryptocurrency trading on its Frankfurt exchange, Germany's Finance Ministry watches closely, prepared to step in quickly should fraud arise (Reuters). Bitcoin futures would be offered on the Eurex derivatives exchange (Reuters).
Much interest in cryptocurrency investment seems to be located in Asia, and South Korean speculators are driving the market up, partially eclipsing Japanese and Chinese speculators (Wall Street Journal). Korean interest in "altcoins" is seen as cultural: a disposition to adopt technology early (Fortune).
Concerns about the security of cryptocurrency apps have circulated for weeks (High-Tech Bridge). While the blockchain itself may be resistant to direct manipulation, the same cannot be said for the tools used to trade and manipulate the cryptocurrencies, and attacks on these are expected to rise (Cryptovest).
More transparency required of British lenders.
Beginning August 18, 2018, the Financial Conduct Authority will require UK banks engaged in making loans to reveal how often they've had "major operational and security incidents" (Infosecurity Magazine). Given that GDPR will have been in force for almost three months by the deadline, this regulatory move seems at best an act of supererogation.
Guilty pleas in Mirai, Rutgers cases.
Three men have entered a guilty plea to conspiracy involving the creation and deployment of the Mirai botnet. Paras Jha, Josiah White, and Dalton Norman were caught by Federal investigators in New Jersey and Alaska (the epicenter of the botnet seems to have been the Garden State, but the Last Frontier was affected early). We also now know how the botnet came to be named: Jha, White, and Norman were all fans of the Mirai Nikki anime. Jha and Norman also entered a guilty plea to a charge involving click fraud (Financial Times).
Jha also copped a plea to New Jersey state charges of vandalizing Rutgers University networks. Jha’s attorney called Jha "a brilliant young man," but lamented that his intelligence "far exceeded his emotional maturity." He's now very sorry and accepts responsibility, and his attorney characterizes the guilty pleas as "the first step in his evolution into adulthood and responsibility," which is one way of looking at it (Fifth Domain).
Mirai is a useful cautionary tale about the risks of hasty attribution, no matter how plausible and indeed obvious such attribution may appear. When the botnet hit with such surprising effect in October 2016, it was widely interpreted as a Russian operation, a shot across the American bow, and a dress rehearsal for a crippling infrastructure attack (the CyberWire). Many of the people who saw it as such were serious and well-informed. But the incident turns out to come down to a few twenty-somethings who liked coding, money, Minecraft, and anime.
Announcing the pleas, the US Department of Justice acknowledged domestic, international, and private-sector partners: "the FBI’s New Orleans and Pittsburgh Field Offices, the U.S. Attorney’s Office for the Eastern District of Louisiana, the United Kingdom’s National Crime Agency, the French General Directorate for Internal Security, the National Cyber-Forensics & Training Alliance, Palo Alto Networks Unit 42, Google, Cloudflare, Coinbase, Flashpoint, Yahoo and Akamai." Akamai has a brief account of its part in the investigation.
Mirai was of course an IoT botnet, and the very large attack surface the Internet-of-things presents is expected to continue its swift expansion (CSO).
US legislation affecting cybersecurity.
The National Defense Authorization Act, signed by President Trump this week, brings some clarity to long-evolving policies affecting cyber operations, including provisions affecting procurement, education, organization, and policy with respect to information operations and cyberwar (CyberScoop). Congress directed the President to come up with plans for waging cyber offensives; if he doesn't, they'll pull funding from the White House Communications Agency (TechRepublic). One sidelight: the Department of Defense is directed to study blockchain technology to assess its potential applications for cybersecurity, supply chain management, and so on (MeriTalk).
Anonymous calls for attacks on US, Israeli government sites.
Anonymous has revved up OpIsrael as an action against the US decision to move its embassy from Tel Aviv to Jerusalem. OpIsrael normally reaches a crescendo in the spring, deliberately timed to coincide with Holocaust Remembrance Day, but Anonymous is bringing it early to keep up with current events. No signs, yet, of any successful actions (International Business Times).
"Our patience is exhausted! No more words!" The hacktivist collective's rhetoric has a familiar quality: history is their hero, they speak with authority for the many, their slogans are self-evidently correct, and their promised deeds are significantly verbal (albeit enabled by someone's coding). They don't actually say their name is "Legion," but that would be so appropriately transgressive one wonders why not. A lingering Guy Fawkes piety behind the mask?
Patching news.
HP moved quickly this week to fix a keylogger inadvertently left behind in its Synaptics Touchpad drivers. It was a development tool that should have been removed before products shipped (SC Magazine).
Microsoft and Adobe issued their customary patches this Tuesday. Adobe's included another Flash Player fix (KrebsOnSecurity). Infosecurity Magazine called Microsoft's patches "a light dusting" of twenty critical and twelve important issues.
Apple, which has recently struggled with some of its fixes, notably the "root" vulnerability in macOS it finally succeeded in closing last week, patched HomeKit's shared remote users feature by disabling it. Functionality was restored with this week's iOS update (Naked Security).
Industry notes.
Menlo Security has closed a $40 million Series C round. Investors include JPMorganChase, American Express, and HSBC (TechCrunch). Their investment is interpreted as a bet on browser isolation technology (American Banker). Contrast Security has also announced a Series C funding round: an undisclosed amount from AXA Strategic Ventures and Microsoft Ventures (NewsCenter). Tempered Networks' "identity-defined networking" attracts $7 million in funding from Ignition Partners, Ridge Ventures, Rally Capital, and Fluid Capital. In its three-year history, Tempered has played mainly in industrial network security (GeekWire). ShieldX has secured $25 million in Series B funding; participants include FireEye, Symantec, Bain Capital Ventures, Aspect Ventures, and Dimension Data (NewsCenter).
TomahawkX Technologies launched this week. The new, Northern Virginia company will broker security technology procurement and sales relationships (BusinessWire).
SailPoint's IPO emerged from its quiet period Tuesday with some positive sell-side sentiment (Benzinga).
Atos this week made an offer to buy Gemalto for €4.3 billion. A Gemalto acquisition would be for Atos largely an Internet-of-things play (Reuters) with particular emphasis on IoT security (GlobeNewswire). Gemalto turned the offer down, citing what they called Atos's inadequate consideration of the regulatory hoops an acquisition would have to clear. They also say the offer undervalued the company (Computing). Atos characterized its offer to buy its smaller (but still large) rival as "friendly." Gemalto didn't find it so, retorting that not only was the bid "not friendly and collaborative" but that it was "opportunistic" to boot (Financial Times).
Intertek announced its acquisition of Acumen, specialists in security certification and assurance services (BusinessWire).
Rumors that Cisco is on an acquisition hunt continue to circulate (Economic Times).
Synopsys has completed its acquisition of Black Duck, improving its capabilities in automated approaches to securing and managing open source software. The transaction was valued at $547 million (Business Insider). Xator has acquired Merlin's services unit, boosting its cybersecurity offerings (Washington Technology).
GCHQ is now in the accelerator business. The British SIGINT and cyber agency has selected nine startups whose technology it hopes will prove winners: "RazorSecure — Intrusion and anomaly detection for the transport sector, ExactTrak — Data and device protection through embedded technology, Elliptic — Detection and investigation of cryptocurrency cybercrime, Trust Elevate — Age verification and parental consent in online transactions, Warden — Real-time monitoring for businesses, Intruder — Security monitoring for internet-facing systems and businesses, Secure Code Warrior — A gamified SaaS learning platform for developers, Ioetec — A plug-and-play cloud solution to connect IoT devices with end-to-end security, Cybershield — Phishing and spear phishing detection" (Computing). The list provides an interesting look at the technology shopping list of one of the Five Eyes.
President Trump signed the 2018 National Defense Authorization Act this week. It contains what the Register calls a "no Eugenes clause," language barring use of Kaspersky software. This is now a matter of Congressional direction, no longer executive discretion. Kaspersky is "assessing its options" (Engadget). The company's partners think it's got a good product, but a US Government ban will have far-reaching effects, and commercial markets won't be immune (CRN).