A nation-state threat actor targets industrial systems. It’s hard to recover from a threat to industrial systems. Lazarus Group resumes Operation Dream Job. OldGremlin is back. Conti runs like a business.
Dave Bittner: A nation-state threat actor targets industrial systems. A quick look at the GRU's earlier attempt against Ukraine's power grid. The difficulty of recovering from a credible threat to industrial systems. Lazarus Group resumes Operation Dream Job. OldGremlin speaks Russian, and it holds Russian companies for ransom. Carole Theriault looks at research on lie detection. Josh Ray from Accenture drops some SBOMs. And another look at the privateers in the Conti gang.
Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 14, 2022.
Warning: threat actor targets industrial systems
Dave Bittner: Late yesterday, the U.S. Cybersecurity and Infrastructure Security Agency announced that, with its partners in the Department of Energy, the National Security Agency and the Federal Bureau of Investigation, CISA had issued a joint Cybersecurity Advisory (CSA). It warns that certain advanced persistent threat actors have exhibited the capability to gain full system access to multiple industrial control system, supervisory control and data acquisition devices using custom-made tools. The advisory recommends familiar best practices for protecting ICS and SCADA systems and explains the threat actors' tools as follows. The APT actors have developed custom-made tools for targeting ICS and SCADA devices. The tools enable them to scan for, compromise and control affected devices once they have established initial access to the operational technology network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment and disrupt critical devices or functions.
Dave Bittner: The immediate actions CISA recommends are to implement multifactor authentication, change system passwords, especially any default passwords, and use a properly installed continuous OT monitoring solution to log and alert on malicious indicators and behaviors. The Washington Post reports expert consensus that the energy sector, especially liquefied natural gas facilities, are probably the tool's most likely targets.
Dave Bittner: Dragos calls the activity group CHERNOVITE the malware PIPEDREAM. While CISA's advisory called out specific products and merely suggested that others might be vulnerable, Dragos is explicit in its assessment that other systems are at risk. They said the tooling may be used to target and attack controllers from hundreds of additional vendors. PIPEDREAM can target a variety of PLCS in multiple verticals due to its versatility. That versatility has been observed elsewhere. Wired quotes sources at Dragos to the effect that PIPEDREAM is like a Swiss army knife with a huge number of pieces to it. It's equally capable of collection, compromise, disruption and destruction of industrial systems.
Dave Bittner: Two of the points Dragos makes illustrate the versatility. They say CHERNOVITE can manipulate the speed and torque of Omron servo motors used in many industrial applications and whose manipulation could cause disruption or destruction of industrial processes leading to potential loss-of-life scenarios. PIPEDREAM's Windows-related components facilitate host reconnaissance, command and control, lateral tool transfer and the deployment of unsigned rootkits. The warnings about this threat to control systems are forward-looking, as the tools don't appear to have been used yet.
Dave Bittner: Researchers at Mandiant have a different nomenclature. They call the toolkit INCONTROLLER, which emphasizes its ability to seize control of industrial processes. Their report describes three scenarios in which INCONTROLLER might be used - first, disruption of controllers to shut down industrial processes; second, reprogramming controllers for the purpose of sabotage; and third, perhaps most alarmingly, shutting down safety systems to cause physical destruction. Like others, Mandiant believes the tools were prepared by a nation-state for its own use. That nation-state is, they think, probably Russia. Their evidence is circumstantial; their reasoning suggestive but compelling. The tools required resources and expertise to develop and don't have an obvious payoff. And there are similarities in style to earlier Russian efforts. And, of course, Russia is presently engaged in a large-scale hybrid war.
Comment on the GRU's earlier attempt against Ukraine's power grid.
Dave Bittner: Nozomi Networks has commented on Sandworm's attempt to disable portions of Ukraine's power grid. The company's advice is familiar but worth attending to, recommending, as it does, implementation of sound practices and good cyber hygiene. Chris Grove, Nozomi's director of cybersecurity strategy, sees continuity between this attack and earlier, more successful takedowns of portions of the Ukrainian grid. He says the nature of this attack is one that everyone in the international critical infrastructure community should note, as it's one of a handful of attacks that has directly hit OT systems. He strongly recommends keeping an eye out for more Russian activity against power grids.
The difficulty of recovering from a credible threat to industrial systems.
Dave Bittner: An apparently and probably unrelated cyberattack against an industrial concern shows the difficulty such an organization can have returning to normal operations. The Nordex Group, a major wind turbine manufacturer that sustained a cyber incident on March 31, continues its recovery some two weeks later. Only Nordex internal systems are believed to have been affected.
Lazarus Group resumes Operation Dream Job.
North Korea's Lazarus Group has resurfaced with an industrial espionage campaign directed against the chemical sector. Symantec researchers this morning outlined their findings, which conclude that Pyongyang is running a continued version of Operation Dream Job. First observed in August 2020, Operation Dream Job, as its name suggests, is a social engineering campaign that uses bogus job offers as the phishbait to lure the unwary quarry to bite on a malicious attachment that installs an information-stealing payload on the victims' devices. The operations goal is believed to be theft of intellectual property for the benefit of the DPRK's chemical industry.
OldGremlin speaks Russian, and it holds Russian companies for ransom.
Dave Bittner: Group-IB reports that an unusual ransomware gang, OldGremlin, has resumed attacks against Russian targets. OldGremlin is an outlier in several ways. For one thing, it's careful and selective, watching the news closely as it shapes its phishbait. The phishbait proffered in this latest round of attacks details the coming suspension of Visa and MasterCard payment processing in Russia. The payload located in a Dropbox was the TinyFluff back door. OldGremlin's episodic activity may indicate that its members are part-timers working a side hustle. But the most unusual thing about OldGremlin is that it's a Russophone gang targeting Russian organizations. Most Russian ransomware gangs operate effectively as privateers and scrupulously avoid hitting Russian enterprises. Its most recent campaign run last month impersonated a senior accountant at a large Russian financial institution.
Another look at the privateers.
Dave Bittner: And finally, while attention has shifted to Russian intelligence and security services cyber operations during Mr. Putin's hybrid war, the privateers, like Conti, are still with us. CNBC has joined those who've sifted through the internal chatter taken from the gang and dumped online. Conti's operations look a lot like those of a legitimate business. The messages show that Conti operates much like a regular company, with salaried workers, bonuses, performance reviews and even employees of the month. Employee of the month is a particularly nice and caring touch. And note to self - why don't we have those around here? There's one big difference between the gang and a legitimate business. A lot of Conti's associates are unaware that they're working for a criminal enterprise. Lots of them, CNBC says, think they're working for an advertising company. We'd love to see the rate card they were given.
Dave Bittner: Anyone with a security clearance or anyone who's watched old police procedurals are familiar with the notion of the polygraph machine, the old lie detector. Well, whether or not those are actually good at detecting lies is certainly questionable and up for debate, but the technology of lie detection has advanced. Our own Carole Theriault has this report on the latest.
Carole Theriault: Today, I want to talk about lie detectors, something that I rarely think about, but I guess that's probably true for most of us, unless, of course, we're faced with having to pass one. So a little history 'cause it's actually quite interesting - the polygraph, known as the lie detector test, is a medical device for recording a patient's vital signs, things like pulse or blood pressure or temperature or breathing rate. It seems the first polygraph machine was invented in 1921, so a hundred years ago in Berkeley, Calif. Apparently, at the time, Berkeley had a very famous police chief called August Vollmer. And he was in charge of police reform, and he wanted to use this science to make the cops more law abiding themselves. You see; until that point, if you were giving a suspect a third degree, it often meant beating them up. But lie detectors have had a very complicated history and with good reason. Even as near as 2003, Gary Ridgway admitted that he was the Green River killer, having murdered 49 women in the Seattle area. Ridgway had passed a lie detector test in 1987, while another man who turned out to be innocent failed. And the American Psychological Association stated that most psychologists agree that there is little evidence that polygraph tests can accurately detect lies - so, you know, controversial.
Carole Theriault: But none of this has dampened our desire to have a tool that helps us know whether someone's telling the truth or not. I mean, if we could find it - amazing. And the question is, is technology to the rescue? Professor Hanein and professor Dino Levy have led a team at Israel's Tel Aviv University that have developed a new method of lie detection. They say they have identified two types of liars. Now, get this. There are those that involuntarily move their eyebrows when they tell a fib, and there are those that cannot control a very slight lip movement where their lips meet their cheeks. Presumably, this has to be virtually invisible to the human eye, otherwise, why would we need electrodes strapped to the user's face in order to detect these micro-movements? A spokesperson says when you try to conceal a lie, one of the things you try to avoid of any sort is a body reaction. But it's very, very hard for you to conceal a lie with this technology. And they say their software and algorithm can now detect 73% of lies, and they intend to improve that as they develop the system. Well, thank heavens. I mean, a lie detector that works 73% of the time, to me, is near useless. It means if it's used in a setting for someone to be employed or someone who's going to go to jail, you don't want something that's 73% accurate. That is just way, way too high a false-positive rate.
Carole Theriault: But I suspect we're going to be working on this for a while. After all, the first documented example comes from 1000 B.C. in China, where a suspect would have to fill his or her mouth with dry rice. If it stayed dry, they were lying. At least we're not doing that anymore. This was Carole Theriault for the CyberWire.
Dave Bittner: And joining me once again is Josh Ray. He's managing director and global cyberdefense lead at Accenture Security. Josh, it's always great to have you back.
Josh Ray: Thanks for having me, Dave.
Dave Bittner: You know, seeing a lot of chatter about SBOM, which is the software bill of materials, and some of the mandates that are coming down the pike when it comes to that sort of thing. I wanted to check in with you, your take on this - a good idea, you know, something that - its time has come?
Josh Ray: Oh, absolutely, yeah. I mean, when you think about it - you know, we put labels and ingredients on things that we eat. You know, they're on the sides of our medicines. And just the simple fact that, you know, we don't know everything that's in the software that we're linking up. I mean, I equate it to, you know, Bob the IT guy's, you know, getting ready to install the recent update, and his buddy Bill is like, hey, you know, what's in this update? And he's like, I don't know.
Josh Ray: Like, that's just a - that just should never happen, right?
Dave Bittner: Right.
Josh Ray: Just hook it up to the life support system so we can go to lunch, you know? I mean, that's just not, like, something that we should necessarily tolerate going forward. And I think the most recent executive order from a policy standpoint and then, obviously, you know, seeing this play out with Log4j only reinforces the necessity because this is far overdue and something that our clients are very interested in as well.
Dave Bittner: What about folks who say that this - you know, this is an added burden on folks, a regulatory burden, and may even provide a bit of a road map for bad guys?
Josh Ray: Yeah. I mean, that's - you know, that's always the other side of the coin. But, you know, that's also like saying security through obscurity, too, right? And I think that, you know, being transparent and allowing defenders the opportunity to understand what is in their code and what is - what they're deploying on their enterprises and how they're making smart purchase decisions from vendors only makes sense, right? This, you know, natural move towards transparency will hopefully give both the government and other customers, you know, more of a chance to proactively mitigate vulnerabilities before they're exploited.
Dave Bittner: All right. Well, Josh Ray, thanks for joining us.
Josh Ray: Thank you, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.