Global critical infrastructure remains under significant cyber attack

Last week the Security Service of Ukraine (SBU) announced that VPNFilter malware made it into the nation’s critical infrastructure.

This serves as a reminder that all critical infrastructure organizations, from utilities to chemical manufacturers, need to be vigilant. Of course, anyone who has been watching how cyber-hostilities have been escalating since the turn of the century won’t be surprised. In fact, the Kosciuszko Institute, a think tank in Krakow, Poland, predicted that 2018 could be the year we witness increased cyberattacks on critical infrastructure.

Paul Timmers, an academic at Oxford University and former director of the sustainable and secure society directorate in the European Commission’s DG CONNECT (the EU Commission’s policy team dedicated to creating a single digital market), said the world witnessed attacks on systems crucial for the functioning of society, including logistics, health, and energy, as early as 2016 and 2017. “In 2018, the risk of attacks may spread over to other sectors of the economy, such as water or transport,” he said. “An important element of the potential incidents will be their predicted international and cross-sector nature, which creates a dire need for cooperation between international organizations, governments, and companies.”

The prediction proved on target. According to a statement published by the SBU, a chlorine water treatment station in Auly, Dnipropetrovsk was targeted for a cyberattack by Russian forces, but little more information was made public.

According to the statement, Ukrainian cybersecurity specialists quickly identified that the chlorine station’s process control system and other emergency monitoring systems had been targeted and infected with the VPNFilter malware from systems in Russia. The SBU wrote that, had the attack continued successfully, it could have led to a dangerous incident.

The VPNFilter malware can be used to remotely compromise infected devices and read encrypted traffic. First discovered this spring, VPNFilter is estimated to have infected hundreds of thousands of IoT devices, consumer-grade routers, and network-attached storage devices.

VPNFilter was identified in May by Cisco Talos, which describes VPNFilter as a multi-stage, modular malware platform. You can find additional information about VPNFilter here.

Essentially, VPNFilter consists of three stages. The first stage establishes persistence on targeted devices (a reboot alone does not rid the device of the malware), and stage two performs the typical tasks, including data collection, exfiltration, and other command execution. VPNFilter’s third stage provides the ability to accept plugins, which add capabilities such as packet sniffing to monitor traffic or steal credentials, among other tasks.

Numerous Western intelligence agencies, including Ukraine’s, identified the creators of VPNFilter as APT28 and associated the group with Russian military intelligence.

Of course, not all malware discovered on critical infrastructure devices was placed there by a nation-state. Last year, there was quite the kerfuffle when a series of stories broke regarding a nation-state attack on a Vermont-based utility company. Those stories later proved to be incorrect. After all, once malware like VPNFilter gets out in the wild, it can appear anywhere and within all kinds of systems, even critical infrastructure, because that’s what viruses, worms, and other forms of malware do.

Still, the threat is real. Earlier this week, Director of National Intelligence Dan Coats said that the risk of a devastating cyber assault on critical U.S. infrastructure was growing, saying the “warning lights are blinking red again,” according to this Reuters news story.

Russia, China, Iran and North Korea are launching daily cyber strikes on the computer networks of federal, state and local government agencies, U.S. corporations, and academic institutions, Coats said.

This is a Security Bloggers Network syndicated blog from Cybersecurity Matters – DXC Blogs, authored by Cybersecurity Matters.