Ukraine at D+49: Exchanges of kinetic fire, and preparation for cyberattacks against ICS/SCADA.
Apr 14, 2022

Ukraine says it's hit the guided missile cruiser Moskva with anti-ship missiles. The US warns of Russian preparations for cyberattacks against ICS and SCADA systems (and both government and industry have published details on the tools they've found). On the ground, Russia continues to resort to heavy and indiscriminate fires as it seeks to reduce cities in the Donbas and along the Black Sea coast.

Ukraine at D+49: Exchanges of kinetic fire, and preparation for cyberattacks against ICS/SCADA.

The UK's Ministry of Defence situation report this morning describes reversion to the norm. "President Putin’s speech on Tuesday highlighted his continued interest in the Donbas where Russia is striking Ukrainian forces in preparation for a renewed offensive. Urban centres have faced repeated indiscriminate attacks from Russia throughout the conflict. The towns of Kramatorsk and Kostiantynivka are likely to be Russian targets for similar levels of violence. The combination of widespread missile and artillery strikes and efforts to concentrate forces for an offensive represents a reversion to traditional Russian military doctrine. However, this will require significant force levels. Ukraine’s continued defence of Mariupol is currently tying down significant numbers of Russian troops and equipment."

Ukrainian and Russian forces continue to exchange fire, mostly in the southern and eastern regions of Ukraine. The mayor of Mariupol says the civilian death toll in his city could exceed 20,000 as Russian forces continue their efforts to reduce the city. Ukrainian Neptune anti-ship missiles are said to have scored against the guided missile cruiser Moskva, flagship of Russia's Black Sea Fleet, which is said to be burning and, in some reports, abandoned. Ukraine claims a sinking; Russia says the ship had been burning, that its crew had been evacuated, and that it has been taken under tow to port. The Guardian reports that Russian statements acknowledge "heavy damage" and secondary explosions in the Moskva's ammunition. Moskva had achieved a measure of notoriety early in the war when her demand for the surrender of the very small garrison on Ukraine's even smaller Snake Island was met with the reply of "Russian warship, go f**k yourself." She will evidently now be out of action for some time.

Warning: threat actor targets industrial systems.

Circumstantial evidence points to Russia. The US Government hasn't made that attribution, but several security companies, notably Mandiant, have.

Late yesterday the US Cybersecurity and Infrastructure Security Agency (CISA) announced that, with its partners in "the Department of Energy (DOE), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI)" CISA had issued a joint Cybersecurity Advisory (CSA). It warns that "certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices using custom-made tools." The vulnerable systems include at least Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers. The advisory recommends familiar best practices for protecting ICS/SCADA systems, and explains the threat actor's tools as follows:

"The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions."

The immediate actions CISA recommends are to implement multifactor authentication, change system passwords (especially any default passwords), and use "a properly installed continuous OT monitoring solution to log and alert on malicious indicators and behaviors."

The Washington Post reports expert consensus that the energy sector, especially liquefied natural gas facilities, is the tools' most likely target.

Dragos calls the activity group "CHERNOVITE," the malware "PIPEDREAM." While CISA's advisory called out specific products and merely suggested that others might be vulnerable, Dragos is explicit in its assessment that other systems are at risk: "the tooling may be used to target and attack controllers from hundreds of additional vendors. PIPEDREAM can target a variety of PLCs in multiple verticals due to its versatility." That versatility has been observed elsewhere. Wired quotes sources at Dragos to the effect that PIPEDREAM is “like a Swiss Army knife with a huge number of pieces to it.” It's equally capable of collection, compromise, disruption, and destruction of industrial systems. Two of the points Dragos makes illustrate the versatility: "CHERNOVITE can manipulate the speed and torque of Omron servo motors used in many industrial applications and whose manipulation could cause disruption or destruction of industrial processes leading to potential loss-of-life scenarios. PIPEDREAM’s Windows related components facilitate host reconnaissance, command and control, lateral tool transfer, and the deployment of unsigned rootkits."

PIPEDREAM is a suite of tools. Dragos describes its five principal utilities and their primary functions:

  • "EVILSCHOLAR: A capability designed to discover, access, manipulate, and disable Schneider Electric PLCs."
  • "BADOMEN: A remote shell capability designed to interact with Omron software and PLCs."
  • "MOUSEHOLE: A scanning tool designed to use OPC UA to enumerate PLCs and OT networks."
  • "DUSTTUNNEL: A custom remote operational implant capability to perform host reconnaissance and command-and-control."
  • "LAZYCARGO: A capability that drops and exploits a vulnerable ASRock driver to load an unsigned driver."

The warnings about this threat to control systems are forward-looking, as the tools don't appear to have been used, yet. Such early warning is unusual: "Dragos assesses with high confidence that PIPEDREAM has not yet been employed for disruptive or destructive effects. This is a rare case of analyzing malicious capabilities before employment against victim infrastructure giving defenders a unique opportunity to prepare in advance. Dragos assesses with high confidence that this capability was developed by a state-sponsored adversary with the intention to leverage PIPEDREAM in future operations."

Researchers at Mandiant use a different nomenclature: they call the toolkit "INCONTROLLER," which emphasizes its ability to seize control of industrial processes. Their report opens with background on the tools' discovery that puts them in the context of earlier destructive attacks against industrial systems:

"In early 2022, Mandiant, in partnership with Schneider Electric, analyzed a set of novel industrial control system (ICS)-oriented attack tools—which we call INCONTROLLER—built to target machine automation devices. The tools can interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries. While the targeting of any operational environments using this toolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment. INCONTROLLER is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction.

"INCONTROLLER represents an exceptionally rare and dangerous cyber attack capability. It is comparable to TRITON, which attempted to disable an industrial safety system in 2017; INDUSTROYER, which caused a power outage in Ukraine in 2016; and STUXNET, which sabotaged the Iranian nuclear program around 2010."

They go on to describe three scenarios in which INCONTROLLER might be used:

  1. Disruption of controllers to shut down industrial processes,
  2. Reprogramming controllers for the purpose of sabotage, and (most alarmingly)
  3. Shutting down safety systems to cause physical destruction.

Like others, Mandiant believes the tools were prepared by a nation-state for its own use. That nation-state is, they think, probably Russia. The researchers describe their reasoning as follows:

"We believe INCONTROLLER is very likely linked to a state-sponsored group given the complexity of the malware, the expertise and resources that would be required to build it, and its limited utility in financially motivated operations. We are unable to associate INCONTROLLER with any previously tracked group at this stage of our analysis, but we note the activity is consistent with Russia's historical interest in ICS. While our evidence connecting INCONTROLLER to Russia is largely circumstantial, we note it given Russia's history of destructive cyber attacks, its current invasion of Ukraine, and related threats against Europe and North America.

"Since at least 2014, Russia-nexus threat actors have targeted ICS assets and data with multiple ICS-tailored malware families (PEACEPIPE, BlackEnergy2, INDUSTROYER, TRITON, and VPNFILTER).

"INCONTROLLER's functionality is consistent with the malware used in Russia's prior cyber physical attacks. For example, the 2015 and 2016 Ukrainian blackouts both involved physical process manipulations combined with disruptive attacks against embedded devices. INCONTROLLER similarly allows the malware operator to manipulate physical processes, while also containing denial-of-service (DoS) capabilities to disrupt the availability of PLCs."

The evidence is circumstantial, the reasoning suggestive but compelling.

Tripwire's VP of strategy, Tim Erlin, urges that organizations take the advisory to heart, and, as they do so, that they not lose sight of the larger threat to their systems, which extends beyond the products mentioned in yesterday's dispatches. His comments concur with Dragos's observations about the versatility of the tools discovered:

“Make no mistake, this is an important alert from CISA. Industrial organizations should pay attention to this threat.

"It’s important to note that while this alert calls out tools for gaining access to specific industrial control systems, there’s a bigger picture threat that involves more of the industrial control environment. Attackers need an initial point of compromise to gain access to the industrial control systems involved, and organizations should build their defenses accordingly. The joint advisory recommends isolating affected systems, as well as employing endpoint detection, configuration and integrity monitoring, and log analysis. This isn’t a matter of simply applying a patch.”

Nick Tausek, Security Automation Architect at Swimlane, sees another good reason to reduce the possible scope of human error in ICS/SCADA security:

"Today’s joint advisory from CISA, NSA, FBI and the Department of Energy warns of the possibility of government-backed hacking groups hijacking various industrial devices, including industrial control systems (ICS) supervisory control and data acquisition devices (SCADA). Cybercriminals are able to use custom-built modular malware to infiltrate these systems and conduct highly automated exploits against targeted devices. 

"To ensure that organizations using the ICS/SCADA devices at risk of being compromised remain safeguarded through these attempted attacks, the federal agencies recommend enforcing multifactor authentication; changing and rotating passwords; and using operational technology solutions to detect suspicious activity. In addition to this, leveraging low-code security automation allows companies to take a step further in their cybersecurity best practices by centralizing detection, investigation and response capabilities. With all-encompassing security platforms that automate tedious routines, the chance of both human error and outsider threats is brought down to a minimum and device integrity remains at its maximum."

Nozomi Networks shared a list of comments on the alert, and they emphasize the importance of visibility into OT networks:

  • We typically tell owners and operators that access does not equate to impact or exploitation. This announcement clearly advises the potential for a remote takeover of industrial control systems and components used in various critical infrastructure sectors.
  • If threat actors have established access to OT networks, these devices are opportunistic targets for exploitation, meaning in this case access does equate to the potential for exploitation and impact.
  • These attack patterns leverage very accessible methods once they have established access to the OT network, resulting in various customizable ways to gain command and control of these devices.
  • Environments that operate the devices in question should immediately look for both intrusion indicators in their OT networks or suspicious network and asset activity, and assess the degree to which the devices are or are not segmented in these networks.
  • Without visibility, the likelihood of a threat actor successfully remotely taking over one of these devices is high, with greater potential severity and longer recovery depending on the target and their cybersecurity maturity level and posture.
  • If end users do not have visibility into OT network communications, data, and asset behavior anomalies, other mitigations listed in the advisory notice will be more top of mind, namely isolating affected devices, and working through the additional recovery efforts to increase security and resilience to prepare for threat actors targeting these devices.
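Two of the behaviours described above lend themselves to the kind of OT monitoring CISA and Nozomi recommend: the Dragos list says MOUSEHOLE uses OPC UA to enumerate PLCs and OT networks, and LAZYCARGO abuses a vulnerable ASRock driver to load an unsigned driver on an engineering workstation. The following is an added detection sketch, not code from the advisory, Dragos, Nozomi or any other party named here. It runs over constructed flow records and driver-load events (all hosts, paths and timestamps are made up for illustration) and flags a single source that touches many distinct OPC UA endpoints in a short window, and any driver load whose signature status is not "signed". The port number 4840 is the standard OPC UA TCP port; the window and threshold values are assumed tuning knobs, not figures from the page.

```python
"""Detection sketch over constructed OT telemetry (added example, not from the page).

Checks two behaviours a defender can look for with OT visibility:
 1. One source contacting many distinct OPC UA endpoints (TCP/4840) within a
    short window: the enumeration pattern attributed to the OPC UA scanning tool.
 2. A Windows engineering workstation loading a driver that is not signed: the
    outcome the vulnerable-driver abuse is described as enabling.
"""
from collections import defaultdict
from datetime import datetime, timedelta

OPC_UA_PORT = 4840  # standard OPC UA TCP port

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
# 10.20.0.15 sweeps nine PLC addresses in eight seconds; 10.20.0.40 is an HMI
# polling a single PLC, which should not be flagged.
FLOWS = [
    ("2022-04-14T10:00:01", "10.20.0.15", "10.20.1.10", 4840),
    ("2022-04-14T10:00:02", "10.20.0.15", "10.20.1.11", 4840),
    ("2022-04-14T10:00:03", "10.20.0.15", "10.20.1.12", 4840),
    ("2022-04-14T10:00:04", "10.20.0.15", "10.20.1.13", 4840),
    ("2022-04-14T10:00:05", "10.20.0.15", "10.20.1.14", 4840),
    ("2022-04-14T10:00:06", "10.20.0.15", "10.20.1.15", 4840),
    ("2022-04-14T10:00:07", "10.20.0.15", "10.20.1.16", 4840),
    ("2022-04-14T10:00:08", "10.20.0.15", "10.20.1.17", 4840),
    ("2022-04-14T10:00:09", "10.20.0.15", "10.20.1.18", 4840),
    ("2022-04-14T10:05:00", "10.20.0.40", "10.20.1.10", 4840),
    ("2022-04-14T10:05:30", "10.20.0.40", "10.20.1.10", 4840),
    ("2022-04-14T10:06:00", "10.20.0.40", "10.20.1.10", 502),   # Modbus, ignored here
]

# Constructed driver-load events from an engineering workstation (hypothetical paths).
DRIVER_EVENTS = [
    {"host": "ENG-WS01", "driver": r"C:\Windows\System32\drivers\ntfs.sys", "signed": True},
    {"host": "ENG-WS01", "driver": r"C:\Users\operator\AppData\Local\Temp\example_unsigned.sys", "signed": False},
]


def opcua_scan_sources(flows, window_seconds=60, threshold=5):
    """Return {src_ip: max distinct OPC UA targets seen in any window} for sources
    that reached at least `threshold` distinct endpoints within `window_seconds`.
    `window_seconds` and `threshold` are assumed tuning values."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == OPC_UA_PORT:
            per_src[src].append((datetime.fromisoformat(ts), dst))
    hits = {}
    window = timedelta(seconds=window_seconds)
    for src, events in per_src.items():
        events.sort()
        # Slide a window starting at each event and count distinct destinations inside it.
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def unsigned_driver_loads(events):
    """Return (host, driver_path) for every driver load whose image was not signed."""
    return [(e["host"], e["driver"]) for e in events if not e["signed"]]


def alerts(flows=FLOWS, driver_events=DRIVER_EVENTS):
    """Combine both checks into a list of human-readable alert strings."""
    out = []
    for src, n in sorted(opcua_scan_sources(flows).items()):
        out.append(f"OPC UA enumeration: {src} reached {n} distinct endpoints on TCP/{OPC_UA_PORT}")
    for host, path in unsigned_driver_loads(driver_events):
        out.append(f"Unsigned driver load on {host}: {path}")
    return out


if __name__ == "__main__":
    for line in alerts():
        print(line)
```

The flow check keys on destination diversity rather than raw packet volume, so an HMI that polls one PLC all day is not flagged while a sweep across the PLC subnet is. Segmentation matters here too: if engineering workstations are the only hosts allowed to reach TCP/4840 on the PLC VLAN, any other source producing this alert is a stronger signal than the threshold alone.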

Eric Byres, CISA ICS advisor and CTO of ICS software cybersecurity firm aDolus Technology, sees much of the risk in this particular case as a software supply chain problem:

"This is a classic case of why we need better supply chain transparency and analytics if we want to secure our critical infrastructure from nation states. Many of the underlying issues aren't in the software Schneider's engineers created; they are in the 3rd-party code supplied by a German company called CODESYS Group. They provide CODESYS Runtime®, a framework designed for executing industrial control system software. According to information that used to be on the CODESYS website in 2019 (now removed), the CODESYS Runtime product has been used in over 350 devices from dozens of different OT vendors, and is widely used in the energy sector, industrial manufacturing, and internet of things systems. So the industrial customer believes they have Schneider software and thus looks for the vulnerabilities assigned to Schneider products in the National Vulnerability Database. They won't find a thing - the vulnerabilities are all listed as CODESYS issues - for example CVE-2022-22519 doesn't mention a single product that is affected.

"And this CISA Alert is also hinting that this is just the tip of the iceberg - "(Note: this capability may work against other CODESYS-based devices depending on individual design and function, and this report will be updated as more information becomes available)". There are thousands of industrial facilities across the nation who believe they have dodged the bullet because they don't use Schneider or OMRON products. They haven't dodged anything - they are just sitting ducks to these nation-state attackers."

Comment on the GRU's earlier attempt against Ukraine's power grid.

Nozomi Networks has commented on Sandworm's attempt to disable portions of Ukraine's power grid. The company's advice is familiar but worth attending to, recommending as it does implementation of sound practices and good cyber hygiene. Chris Grove, Nozomi's Director of Cybersecurity Strategy, sees continuity between this attack and earlier, more successful takedowns of portions of the Ukrainian grid: "The nature of this attack is one that everyone in the international critical infrastructure community should note, as it's one of a handful of attacks that has directly hit OT systems. According to Nozomi Networks Labs, there have been reports of some hardcoded IPs in the malware sample, which is an indication that the threat actors had intimate knowledge of the environment they were deploying this in. Much like the similar malware that Sandworm deployed in Ukraine in 2016, ICS operators must monitor their networks for any strange activity, as Russian tactics prove to sit in environments for weeks to months before executing these attacks."

Another look at the privateers.

While attention has shifted to Russian intelligence and security services' cyber operations, the privateers, like Conti, are still out there. CNBC has joined those who've sifted through the internal chatter taken from the gang and dumped online. Conti's operations look a lot like those of a legitimate business. "The messages show that Conti operates much like a regular company, with salaried workers, bonuses, performance reviews and even 'employees of the month.'” Employee of the month is a nice touch. One difference between the gang and a legitimate business: a lot of Conti's associates (they should certainly be called "associates," shouldn't they?) are unaware that they're working for a criminal enterprise. Lots of them, CNBC says, think they're working for an advertising company.