Control Loop: The OT Cybersecurity Podcast 2.21.24
Ep 44 | 2.21.24

Volt Typhoon and the Year in Review.


Dave Bittner: It's February 21st, 2024, and you're listening to "Control Loop." In today's OT Cybersecurity Briefing, the Five Eyes publish a report on Volt Typhoon, while Volt Typhoon targets emergency management services in the US. Siemens and Schneider Electric issue patches. Our guest is Magpie Graham, Principal Adversary Hunter and Technical Director at Dragos, reviewing Dragos' just-released cybersecurity Year in Review report. The Learning Lab is taking a break, but we'll return on our next episode. The US Government and its Five Eyes partners continue their efforts to publicize the activities of the alleged Chinese state-sponsored threat actor, Volt Typhoon. Earlier this month, the US Cybersecurity and Infrastructure Security Agency, NSA, FBI, and the cybersecurity directorates of Australia, Canada, New Zealand, and the UK published a joint advisory outlining the threat actor's operations against US critical infrastructure. The advisory states, "The US authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations, primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors in the continental and non-continental United States and its territories, including Guam." The agencies observe "Volt Typhoon's choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations. And the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The US authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts." 
The US agencies note that the threat actor has been "maintaining access and footholds within some victim IT environments for at least five years." The advisory adds, "The Canadian Centre for Cyber Security assesses that the direct threat to Canada's critical infrastructure from PRC state-sponsored actors is likely lower than that to US infrastructure, but should US infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration." "Australian and New Zealand critical infrastructure, respectively, could be vulnerable to similar activity from PRC state-sponsored actors." At the Munich Security Conference over the weekend, FBI Director Christopher Wray called out Volt Typhoon's targeting of US critical infrastructure, saying such activity from China is the tip of the iceberg. According to The Wall Street Journal, Wray said China is increasingly inserting offensive weapons within our critical infrastructure, poised to attack whenever Beijing decides the time is right. Dragos has published its own report on Volt Typhoon, tracked by Dragos as Voltzite, noting that the threat actor has been targeting multiple US electric companies since early 2023. The group has also focused on emergency management services, telecommunications, satellite services, and the defense industrial base, as well as electric transmission and distribution entities in African countries. As recently as January 2024, the threat actor compromised a large US city's emergency services GIS network. Dragos CEO Robert M. Lee affirmed in a media briefing that Voltzite is intentionally targeting critical infrastructure. Lee said, "It's hitting the specific electric and satellite communication providers that would be important for disrupting major portions of the US electric infrastructure."
The report from Dragos explains Voltzite compromises external network perimeter applications and assets such as SOHO routers and virtual private network gateways to gain access to targeted organizations' networks. Once within the victim's network, they leverage living-off-the-land techniques and stolen credentials to move through the network. The products targeted by Volt Typhoon include Fortinet FortiGuard, PRTG network monitor appliances, ManageEngine ADSelfServicePlus, FatPipe Warp, Ivanti Connect Secure VPN, and Cisco ASA. Siemens, last week, published 15 advisories addressing 270 vulnerabilities affecting the company's products, SecurityWeek reports. Many of the flaws affected SCALANCE XCM-/XRM-300 switches and the SINEC Industrial Network Management Solution. Most of the vulnerabilities have been assigned severity ratings of critical or high. Schneider Electric also released three advisories outlining five vulnerabilities affecting the company's Modicon controllers, EcoStruxure products, and Harmony Relay NFC. [ Music ] I recently got together with Magpie Graham, Principal Adversary Hunter and Technical Director at Dragos, to review the key findings of Dragos' Cybersecurity Year in Review report. [ Music ]

Magpie Graham: So this is something that we've been doing for, well, pretty much every year that Dragos has been around. It's an opportunity really to be able to kind of summarize what we've seen over the last 12 months, bring additional context to maybe some of the blog posts that we've put out during that time, and share other insights that maybe have been in our private reporting but really is a great channel to be able to talk about the things we've seen through service engagements and talk a little bit about maybe where we're going as, you know, OT security or cybersecurity, you know, in terms of maturity. It's not new OT, but security in OT, cybersecurity in particular, I think is something that's still very much a nascent thing for many organizations. And this is a great way for us to be able to kind of reinforce the messages of what does need to be done, but also highlight success stories as well.

Dave Bittner: Well, let's dig into some of the details here because there is a lot to cover. One of the things that caught my eye was this notion of assessing your external infrastructure and the importance of that. Can you flesh that out for us?

Magpie Graham: Yeah, so I think one of the things where we've seen a lot of change, it's partially due to the pandemic. But I think it comes from the moving forward to kind of that digital transformation, which happened with OT and IT, you know, a long time ago, but continues today, particularly with more cloud-connected devices, vendors baking in that ability to manage things more remotely through their own service offerings, but also the use of the kind of IoT devices there, particularly for monitoring, but not necessarily exclusively one way in terms of their communications, that provide that route into the OT environment. It used to be that you probably had to connect to your IT network and pivot through to manage the OT assets, if that was even possible. Certainly with folk working from home during the pandemic, we saw a rise of more remote administration of those OT networks. And many, in many cases, directly connecting to them. Now, the controlling infrastructure, I guess, the VPNs and firewalls that are there, often badge differently, but usually the same types of device that we see in the enterprise IT world. And that's something where we saw a huge rise in the development of exploits for vulnerabilities in these devices and then the subsequent exploitation of those kind of en masse. So it does pose a larger risk to be able to directly get into that environment now more so than ever before. And so that's why really being able to kind of take those hard-learned lessons from the enterprise IT side, penetration testing, good patching policy, you know, checking that those rules are really on the firewall, deleting, you know, users that perhaps are no longer with the organization, and also just maintaining that separation, not necessarily from a network perspective, but things like credentials. Do you have the same credentials being used in those two environments? 
Maybe that's something you can change additional layers of authentication that perhaps, you know, weren't originally thought to be required when accessing the OT environment internally. But now that the external route is the way forward, then that's something that, you know, maybe needs to be considered as well.

Dave Bittner: Well, you mentioned separation, and that reminds me of segmentation. That's something that the report highlights as well.

Magpie Graham: Yeah, I think one of the -- one of the things that we, you know, stress quite frequently really is the SANS five critical controls. And this is a great sort of way to really take stock of where you can make big impacts in the security of your network. And that does include things like secure remote access, as we've just discussed. But that whole notion of defensible architecture. Admittedly, a lot of OT environments have been around a long time. To change those is, you know, difficult and costly. But for any kind of new development or whether there's that opportunity to re-architect, thinking about, you know, different zones, the ability to have those kind of different layers of security built into the different logical layers of where the devices are, the notion of the zones and conduits to allow access to only certain devices from certain areas of that network, they can all be, you know, really, really useful tools in terms of creating a more difficult environment for an adversary to operate in. And alongside that, I think, you know, the monitoring piece is probably the piece that we're best known for, but also the piece that is just not as developed in OT SAP security as it needs to be. I think we estimate less than 5% of OT networks are actually monitored globally. You could never imagine that that would be the statistics for an enterprise IT network, that, you know, 5% is the only number or the only proportion that would have any form of, you know, monitoring appliances within it. So I think that's something that really needs to change.

Dave Bittner: What's the fundamental challenge that the operators are facing here? I mean is this the -- is the classic thing of resources, of money, and time? As you say, you know, it's not easy. If some of these networks and bits of infrastructure have been around for a long time, I guess that's an element as well.

Magpie Graham: That's definitely an element, I think. I mean, at a larger kind of organizational scale, I do think that OT security tends to be the, you know, the lesser-funded and lesser-acknowledged kind of cousin of that enterprise IT security, particularly in terms of budget, but in terms of the size of teams and investment of resources and visibility as well up to the sort of C-level and board, really. I think that has changed. There's definitely been some increases in visibility. I think we said a 350% increase at the board and executive level in terms of that kind of acknowledgment that testing and strengthening the OT security is, you know, required for an organization. But that's, you know, a triple, so you've seen a kind of a triple increase in the number of organizations conducting those tabletop exercises that allow you to walk through what happens if, you know, this adversary got into our network and play through that story of how far they might be able to go from maybe the IT network into the OT network. And then I guess it's essentially, you know, it's like conducting a red team, really, using the real-world kind of knowledge of how actors would operate, where they might escalate their real capabilities. But rather than doing this as a red team, this is a tabletop exercise. And I think that's actually where you can get more engagement from more senior management and the executive level than actually, you know, showing them the report of such a red teaming exercise.

Dave Bittner: One of the things that your report highlights is the importance of monitoring outbound communications. Can you go through that for us? What are some of the details here?

Magpie Graham: I think one of the things that always surprises me, even though I've been at Dragos for over two years now, is the fact that there are external connections from the ICS environment. Most people that seem to, you know, have worked in that area for a long time, and I'm not necessarily talking, you know, OT cybersecurity, that those professionals are still quite, you know, few in number. But I'm talking about the folk who are operating those devices day to day, responsible for the, you know, the configuration and the correct running of those systems. There is, I think, a misconception that there is air gaps or better segregation than there is and that there isn't those abilities or opportunities for external communications to leave that environment. And that's not really true. We still see not just the ability for, you know, PLCs and historians and all manner of ICS equipment to be able to talk out to the internet, generally not even just via, you know, a channel to maybe the vendor that created the device. But in about 20% of those engagements that we've had, we actually see directly externally facing ICS equipment. So that's the HMI is directly addressable on the internet. And this is something that I think we've seen, you know, is kind of low-hanging fruit when you think about it from an attacker's perspective. Particularly with kind of hacktivist activity, we've seen most recently, I guess, the Cyber Av3ngers compromising a number of devices, you know, in support of obviously a cause that they stand behind. But I think the impact was obviously far outside the Middle East in terms of the regions that were targeted. And this does, in some ways, you know, link to, I guess, where those devices are in the world. But particularly, I think, you know, the ability to scan for a common host that you have a working exploit against or some vulnerability that you know you can exploit, even if it is a baked-in password. 
This has a huge impact when it comes to being able to push that message, to be able to show that maybe not everything is as safe as you might think. So, in this case, it was the Unitronics Vision PLCs. But our investigation showed that other, you know, UniStream series PLCs were vulnerable as well. And that's not just that, you know, one particular vendor. I think this is something that is occasionally discovered but is more and more on the focus of that kind of research that threat actors are doing. And I think it's just something where, actually, it can have that global impact. It can hit the news cycle. And particularly in the terms of, I guess, the support of hacktivism, when there's more of a message and ideology, perhaps, to push, this is a great way to be able to do it, as we, you know, probably saw with website defacements in the kind of -- in the 90s and early 2000s. I think this is now, you feel like perhaps they're able to strike at something a little bit more sensitive. And here, you know, we didn't see them necessarily go for a disruptive attack or a destructive attack. But we would regard that as stage two, nevertheless. They're in the OT environment. They have the capability to operate there. So I think this is one of the cases where, if you're conducting that kind of external testing, you might be able to find those weaknesses. But it is also thinking about, you know, the placement of those devices. Sometimes, it's better in terms of, I guess, usability, particularly with remote connectivity. And a lot of sites, you know, don't necessarily have human staff working there. It might be that someone visits every six months or 12 months. But that's where you need to focus your efforts in terms of doing that additional monitoring, that additional locking down of those assets because it could be the weak link in the chain.

Dave Bittner: Yeah, I mean, it's really an interesting point you bring up here. I mean, I think it's, you know, it's those sophisticated state actors. And I guess I'll use air quotes around that. You know, they tend to gather all the attention and certainly the headlines. But you can't underestimate, as you say, the ability or the threat, I suppose, of the hacktivists as well.

Magpie Graham: Yeah, I think, in my background, you know, I've worked tracking sort of nation-state actors for 18 years now. And that was definitely where I thought the, you know, the interest lay. But I don't think it's necessarily where the threat lies or the highest proportion of, I guess, the likelihood and potential impact. When we talk about some of the nation-backed groups, and we've seen, obviously, examples of this during the Ukraine and Russia war, we've seen Electrum conducting operations there to be able to, you know, disrupt electricity within Ukraine. And I'm sure that, you know, their ambition is to go further afield than that. But when we see, I guess, the large-scale efforts of groups that don't have this kind of huge amount of funding, they haven't spent many, you know, months, years researching, but they're opportunistic in their attacks, or they show that they're capable, even if it is that low-hanging fruit, I think sometimes that is, you know, going to rock the community a little bit more. Ransomware, though, is probably by far the, you know, the greatest threat, not necessarily because they have the capabilities against the most devices or that they would orchestrate an attack that was destructive in nature, but it's more so that they realize that there is additional money to be made through extortion. Extortion of OT assets could be actually something where there's, you know, more reason for an organization to pay ransom than there would be for an IT enterprise network, which, to be honest, the restore of which is kind of the easy bit. It's more about data loss and prevention of that being entering the public domain, I think, is where people do tend to feel like they need to stump up the cash. But for me, these are actors that have the ability and the drive, maybe, you know, mostly financially motivated here, but they don't have the sign-off to conduct these operations.
There isn't that chain of command that ensures that that's the right thing to do for a larger goal. This is something where it could easily happen by accident. As they explore these other environments, they don't quite understand with devices they're not used to. They don't necessarily know what the results of their actions might be. And I think we're more likely to see a destructive attack, either intentionally or unintentionally, from a ransomware actor exploring this OT environment that they've found themselves in than we are to see something which is, you know, outside of a wartime scenario, an attack from a nation-backed group.

Dave Bittner: For the folks out there who are working day-to-day, you know, those practitioners who are tasked with protecting the organization and also getting the support from their leadership, what are the take-homes from this report? What are the tips and words of wisdom for them?

Magpie Graham: Well, we chatted a little bit there about ransomware. And I think although this can feel like a, you know, a problem that plagues networks day in, day out, in terms of the focus on industrial organizations and those that have the potential to impact OT networks, we did see that a quarter of those hacks all came from LockBit. So, in terms of kind of putting the focus into particular areas, I would say if you can protect your network from the TTPs of the LockBit group, then you've already reduced the potential for, you know, that attack to affect your OT network considerably. Then looking at the kind of next levels down, we've got BlackCat or ALPHV and Black Basta, each accounting for 9% themselves. So those top three groups already mean that you, you know, you're fairly well protected from ransomware attacks if you can just, you know, essentially run through those TTPs, use the MITRE ATT&CK framework, ensure that you have safeguards in place for the way that they might operate. One other thing that I think really is, you know, something that we don't necessarily see very often in the more IT-centric threat intelligence reporting, but it's certainly something that Dragos, you know, really strives to try and, I guess, correct and put out there with our customers, is the notion of vulnerabilities and what you can do in terms of patching and how you can prioritize that patching or mitigation. So the statistics are all there in the Year in Review. But I think we're seeing, you know, continued trend that the bulletins that are released by vendors are full of incorrect information. So this tends to be the prioritization methodology. Is this a, you know, high severity, or is it low severity? We often find that those are completely wrong. We do find that there's missing versions that are also vulnerable to something. 
And this is something where we break down every bulletin that comes out, as well as doing our own research to find these vulnerabilities, but also release the information that says, well, this is maybe how you can mitigate if patching is something that you just can't do, which is very much the case for OT networks, you know, not necessarily so difficult in an IT network. But I think when you look at the prioritization process as well, we have a now, next, never methodology. And only 3% of those vulnerabilities in the last 12 months would we say that you need to, you know, you need to put a mitigation or a patch in place right now. Those are the ones that are likely being exploited in the wild, or they're so severe that the loss of visibility or the loss of control, you know, could have serious effects that could lead to, you know, dangerous conditions within a plant. Sixty-eight percent of those, they can wait until their next patch cycle. When you take that kit out of circulation and you're doing the other maintenance on it, that's the time when it would be reasonable to make those changes, whether it's a patch or another form of mitigation. But almost a third, they're probably never going to be exploited. They're so deep within the environment that it would be very difficult for an adversary to actually use them in a real-world context, or they pose no threat at all. Yes, it's a vulnerability, but to exploit it doesn't buy that threat actor anything. And I think that's something really where you can help sort through what might seem an insurmountable problem by having a way to prioritize exactly where you put your resources and your time because it's not a trivial process to go and apply these changes to your OT environment. So this is a real great way of making you feel like you can, you know, tick some boxes and feel like you've made a real impact in the security of your network.

Dave Bittner: Before I let you go, is there some good news coming out of this report as well?

Magpie Graham: So I touched briefly on the kind of increase in visibility at the board level. And I think tabletop exercises have really helped in that way. But what we are doing is, I guess, or what we have seen, is we've seen the kind of increase in authentication on some of these devices and protocols that exist within a network. That's one of the things where, I guess, folks talk about encryption, but, you know, encryption can hamper monitoring. Whereas authentication is really about being able to prove that you're who you say you are and that the commands and the controls and the configurations being applied downstream are coming from a trustworthy source. And so to see that, that really makes it a little bit more difficult for an attacker to be able to achieve those modifications through, you know, simple changes to a configuration that might be higher upstream but have a downstream impact. We're also seeing a lot more collaboration between the governments of the world, vendors, and the infosec community as well. A great example of that would be the Rockwell Automation ControlLogix vulnerabilities that the US Government discovered, found that they were in the possession of an APT actor, and then basically reached out to Rockwell, had Dragos involved, and together, you know, we worked to see what could be done in terms of detecting these in those OT environments to be able to produce guidance and mitigation as well. But one of the real, I guess, you know, key winning pieces here was, was it something that we had actually got to before it was operationalized, or was it simply that visibility gap that's a problem? Now, 5% or less monitored networks, you can never say with, you know, 100% certainty that that's not in use. But one of the things that we have here at Dragos, it's called Neighborhood Keeper. And it's an opt-in ability for you to entirely anonymously share the telemetry that comes from the Dragos platform in your networks.
And that lets any participant, you know, get quite a coarse-grained idea about what's going on based on industry and geography. But partners that we have can also use that proactively to hunt for things that might be, you know, at the moment a little bit sensitive, but they want to be able to produce some guidance on it. Do we already know if it's being used in the wild? Do we know if this would affect, you know, 90% of OT networks in a region or 5%? Which types of industry sector are they in? And you can target your kind of -- your messaging to have the maximum impact in those areas. So that was a great way of kind of, I guess, bringing together the folks who had made the find, the folks who controlled the ability to, you know, patch those vulnerabilities, and then Dragos and other folks in the InfoSec community to be able to kind of amplify that and perform those checks. But I think, yeah, if we continue to see that form of community collaboration, then, you know, we're only going to get stronger as a collective defensive team.

Dave Bittner: Our thanks to Magpie Graham from Dragos for joining us. You can find a link to the Dragos Cybersecurity Year in Review report in the show notes. [ Music ] And that's "Control Loop" brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our show notes at Sound design for this show is done by Elliott Peltzman with mixing by Tré Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch, Mark Urban, and Monserrat Thomason. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]