Attacks on the Critical Infrastructure happen!

It is not news that in December 2015 and December 2016 Ukraine suffered power outages caused by cyber-attacks. Researchers have now analysed the framework behind the December 2016 attack on Kiev (the 2015 outage is attributed to a different toolset, BlackEnergy together with the KillDisk wiper). It is not as sophisticated as Stuxnet for several reasons (it leverages only one vulnerability, the way it communicates, etc.), but it clearly required serious reconnaissance ahead of time to drive it to success. It was neither an "accident" nor something put together on short notice.

Our iDefense team has just published a report on our website, Managing Malware, called Malware Crashoverride/Industroyer: What's the story?, which delivers some interesting background.

While there are suggestions that a specific nation state is behind the Kiev incident, there is little doubt that the CRASHOVERRIDE/INDUSTROYER malware could serve as a blueprint of sorts, to be modified and reused in a more widespread and longer-lasting attack. The potential to disrupt energy, water supplies and other critical industries that rely on ICS for automation could be highly damaging, economically, to a company, a municipality or a nation for a sustained period of time.

As you might know, I was responsible for the security of a critical infrastructure in Switzerland. The interesting part to me was (and still is) that I was rarely afraid of a targeted attack on my infrastructure but rather of collateral damage, in other words an attack on another country which then hits me as well simply because I run the same software release. This is highly probable, and the more widely an ICS product is deployed, the more dangerous it gets. If I am not mistaken, the highest infection rate of Stuxnet was in Indonesia, just because they had a broad population of the controllers that were attacked.

Malware analysis indicates that the CRASHOVERRIDE/INDUSTROYER samples, although well designed, were not nearly as sophisticated as Stuxnet and similar ICS/SCADA malware. For example, the Stuxnet code exploited multiple zero-days, and the threat actors employed multiple layers of code obfuscation to evade detection and basic analysis. By contrast, CRASHOVERRIDE/INDUSTROYER communicates over the Internet, does not rely on significant encryption to hide its functionality, and exploits only one vulnerability, which had already been publicly disclosed.

That is another side of such an attack. Where Stuxnet needed highly skilled people, this attack seems to have needed only skilled people (forget about the "highly"), and many of these skills can be purchased in underground markets.

The attack on the electric grid came at the end of two weeks of attacks on Ukrainian infrastructure. It is possible that these operations were part of an ongoing nation state's attempt to accomplish two things: first, to inflict harm on the Ukrainian government for regional geopolitical gain, and second, to test and showcase that nation state's ability to launch coordinated attacks against the infrastructure of entire countries.

I think that there is no comment needed here.

Looking at it from a broader perspective: in my opinion, further attacks on critical infrastructure are to be expected, and they will cause significant harm, at least to the economy if not beyond (think about WannaCry and the hospitals). We need to get better at protecting such infrastructure instead of ignoring the risks. Industrial systems have a far longer lifespan than the software embedded in them.

As an example: Windows receives security updates for 10 years under mainstream plus extended support. If an ICS vendor starts developing a new component on that platform and it takes two years after the OS launch to bring the component to market, you are down to 8 years of coverage. The lifetime of such systems, however, typically spans several decades. That is the reason we still find a lot of DOS and Windows XP in these environments.

Therefore, it is key that we shield these applications on the network and monitor the traffic to and from them: a controller that can no longer be patched can still be placed in a segment where only known engineering hosts reach it on the protocols it actually needs, and anything else is an alert. But keep in mind: there is no such thing as an air-gapped network...
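To make "shield on the network and monitor the traffic" concrete, here is an added example (my own illustration, not code from the original post or from the iDefense report) of the simplest useful check: an allowlist of which hosts may speak which ICS protocol to which controller, applied to flow records. The flow-log format, the host addresses, the allowlist and the sample flows are constructed for the example; the port numbers are the registered defaults for IEC 60870-5-104 (2404/tcp), Modbus/TCP (502/tcp) and DCOM, which OPC DA rides on (135/tcp). Two things are flagged: an unexpected host talking an ICS protocol to a controller, and a device in the ICS segment opening a connection to a public address, which matches the "communicates over the Internet" trait discussed above.

```python
"""Allowlist-based monitoring of an ICS network segment (added example).

Flow records are assumed to arrive as 'src dst dport proto' lines, e.g. from
a span port or a flow exporter in front of the controllers. Addresses,
host roles and the allowlist below are made up for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Registered default ports of the ICS protocols we care about.
ICS_PORTS = {2404: "IEC-104", 502: "Modbus/TCP", 135: "DCOM/OPC-DA"}

# Assumed policy: only the two HMIs may talk to the controllers, and only on
# the protocol each controller speaks.  Anything else is unexpected.
ALLOWED = {
    ("10.10.1.10", "10.10.5.21", 2404),  # HMI-1 -> RTU-A, IEC-104
    ("10.10.1.11", "10.10.5.21", 2404),  # HMI-2 -> RTU-A, IEC-104
    ("10.10.1.10", "10.10.5.22", 502),   # HMI-1 -> PLC-B, Modbus/TCP
}
ICS_SEGMENT = ipaddress.ip_network("10.10.5.0/24")  # assumed controller VLAN

# RFC 1918 ranges, declared explicitly rather than via ipaddress.is_private,
# which also treats documentation ranges such as 198.51.100.0/24 as private.
INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src dst dport proto' flow-log line."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL)


def classify(flow: Flow) -> Optional[str]:
    """Return an alert label for a suspicious flow, or None if it is expected."""
    src_ip = ipaddress.ip_address(flow.src)
    dst_ip = ipaddress.ip_address(flow.dst)

    # Rule 1: a controller initiating a connection to a public address.
    # Controllers have no business on the Internet; this is what C2 looks like.
    if src_ip in ICS_SEGMENT and not is_internal(dst_ip):
        return f"outbound-from-ics {flow.src}->{flow.dst}:{flow.dport}"

    # Rule 2: ICS protocol traffic to a controller that is not on the allowlist.
    if flow.dport in ICS_PORTS and dst_ip in ICS_SEGMENT:
        if (flow.src, flow.dst, flow.dport) not in ALLOWED:
            return f"unexpected-{ICS_PORTS[flow.dport]} {flow.src}->{flow.dst}"

    return None


def scan(lines: Iterable[str]) -> List[str]:
    """Run classify() over flow-log lines, returning only the alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = classify(parse_flow(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample: three legitimate flows, then a rogue host, a wrong
# protocol from a legitimate host, a controller calling out, and ordinary
# office traffic that should stay quiet.
SAMPLE_FLOWS = """\
10.10.1.10 10.10.5.21 2404 tcp
10.10.1.11 10.10.5.21 2404 tcp
10.10.1.10 10.10.5.22 502 tcp
10.10.1.50 10.10.5.21 2404 tcp
10.10.1.10 10.10.5.22 2404 tcp
10.10.5.21 198.51.100.7 443 tcp
10.10.1.10 10.10.9.9 443 tcp
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS.splitlines()):
        print(alert)
```

Run stand-alone it prints three alerts: the rogue workstation speaking IEC-104, the HMI speaking IEC-104 to a Modbus-only PLC, and the RTU connecting to a public address. The allowlist is the "shielding" (it is what you would also program into the firewall in front of the segment), the scan is the "monitoring"; in practice both sides of the policy should be derived from an asset inventory, not typed by hand, and the sensor should understand the protocol rather than just the port, since a legitimate host can still be used to send malicious commands.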

Do not close your eyes: it is a risk, and it has to be taken care of. Yes, it costs money, but it is the duty of a critical infrastructure operator to protect it rather than wait for the government to fund the investments.

This is a Security Bloggers Network syndicated blog post authored by Roger Halbheer. Read the original post at: Roger Halbheer on Security