Several U.S. federal agencies have issued a joint warning that industrial control system (ICS) devices in critical infrastructure are being targeted by state-backed hackers who are using custom malware to disrupt those systems.
The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Energy (DOE), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) released the warning on April 13.
According to the advisory, these state-backed hackers use a custom toolkit that can give them full access to a system. The tools can scan for, compromise and control ICS devices once those devices are connected to an operational technology (OT) network. The toolkit was built to target programmable logic controllers (PLCs) manufactured by Schneider Electric and Omron.
Why Energy Infrastructure Is a Target
Industrial controls, like IoT devices, are easy targets for hackers because they are often designed with security as an afterthought, Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, told TheStreet.
“That makes them an inviting target for attack, since once the attackers get into the environment, they’ll find it reasonably easy to take over the ICS and other similar devices,” he said. “This is one of the reasons ICS, SCADA, and IoT devices need to be deployed with compensating controls in place.”
Targeting industrial control systems can result in a “dramatic and cascading effect” because it can not only disrupt supply chains, but also power and energy and safety systems to manufacturing, emergency services and national defense, Brian Contos, chief security officer of Phosphorus Cybersecurity, a Nashville, Tenn.-based IoT security company, told TheStreet.
“This is a powerful capability for a nation-state or non-state entity such as a criminal organization or terrorist group to have,” he said.
Industrial control systems remain “juicy targets for nation-state attackers because they typically don't have the same level of security monitoring for detecting unusual or unauthorized activities as corporate IT networks,” Phil Neray, vice president of cyber defense strategy at CardinalOps, a Palo Alto, Calif.-based threat coverage optimization company, told TheStreet.
An ICS attack can literally shut down a power grid or utilities for a large number of people, impacting both their safety and the economy, he said.
Malware Is Highly Effective
Malware, software designed to damage or disable computer systems, is often the tactic of choice because it is cheaper, easier and harder to attribute, Contos said.
Malware is an effective way to attack systems and can be installed long before it is actually used to attack a company, Alex Hamerstone, director of advisory solutions at TrustedSec, a Strongsville, Ohio-based ethical hacking and cyber incident response company, told TheStreet.
“It also allows the bad actors to scale their attack, and go after many systems instead of attacking each one individually with a different method,” he said.
The mechanisms used in this current malware are similar to the previous examples of purpose-built Russian ICS malware since they demonstrate a “deep knowledge of specialized industrial protocols,” Neray said.
Industroyer/Crash Override shut down the Ukrainian grid in late 2016, the Triton attack compromised petrochemical safety systems in 2017, and Industroyer2 was discovered targeting Ukrainian electrical substations earlier this week, he said.
“Organizations looking to defend against these types of attacks should follow the recommendations detailed in CISA's advisory, including implementing continuous monitoring and segmenting OT from IT networks to make it more difficult for attackers to move from one network to the other,” Neray said.
To hack a power grid, attackers need some mechanism for sending remote instructions that change how the equipment operates, John Bambenek, principal threat hunter at Netenrich, a San Jose, Calif.-based digital IT and security operations company, told TheStreet.
“Often, simply logging in with the right user account is not enough to make the changes they desire,” he said.
Bad Actors Are Well Funded
These hackers appear to be a nation-state actor, or a similar actor with considerable financial resources, but determining where they are located is tricky, Contos said.
“Attribution can be challenging - it could be Russians or another nation-state attempting to make it look like it's the Russians, or something entirely different,” he said. “This type of attack is more commonly associated with disruption and destruction, not trying to steal intellectual property or engage in some other form of for-profit attack which are common for cyber criminals.”
These groups of hackers are often fluid and work together, Hamerstone said.
“It is always important to keep in mind with anything of this nature that the people who have the most information are unable to talk about it, and the information that you get is thus from people who are not involved in the situation and are speculating,” he said.
Threat actors have been seeking ways to leverage infrastructure for their own agendas for years, Parkin said.
These hackers target energy infrastructure for financial gain, competitive advantage, industrial espionage or political motivation, he said.
“Given the sophistication of the new tools, it’s likely that the threat actors are a well-financed state or state sanctioned group,” Parkin said. “While the joint report does not specify which advanced persistent threat (APT) group is responsible, it would not be unreasonable to assume ‘the usual suspects’ for this kind of malware.”
The hackers could also be living in the U.S., Bambenek said.
“It’s certainly possible that it’s the Russians; however, several countries do author ICS malware, including the United States,” he said.