Articles

Rare and dangerous Incontroller malware targets ICS operations

A coalition of U.S. government agencies, security researchers, and companies warn about this new malware that can gain complete access to ICS and SCADA systems.

In the second major industrial control system (ICS) threat development this week, the U.S. Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) issued a Cybersecurity Advisory (CSA) warning of a complex and dangerous ICS threat. The CSA says that specific unnamed advanced persistent threat (APT) actors have exhibited the capability to gain complete system access to multiple ICS and supervisory control and data acquisition (SCADA) devices.

These agencies collaborated with a group of top-tier industrial control and security leaders including Dragos, Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric in drafting the alert. The CSA pointed specifically to three categories of devices vulnerable to the malware:

  • Schneider Electric programmable logic controllers (PLCs)
  • OMRON Sysmac NEX PLCs
  • Open Platform Communications Unified Architecture (OPC UA) servers

The malware consists of a package of dangerous custom-made tools targeting ICS and SCADA devices that can scan for, compromise and control affected devices once they have established initial access to the operational technology (OT) network.

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by Frauke Feind from Pixabay

Articles

Ukraine energy facility hit by two waves of cyberattacks…

Sandworm succeeded in planting a new version of the Industroyer malware to disrupt ICS infrastructure at multiple levels, but was thwarted from doing serious damage.

Ukraine’s Governmental Computer Emergency Response Team (CERT-UA) announced that Russia’s state-backed threat group Sandworm launched two waves of cyberattacks against an unnamed Ukrainian energy facility. The attackers tried to decommission several infrastructural components of the facility that span both IT and operational technology, including high-voltage substations, Windows computers, servers running Linux operating systems, and network equipment.

CERT-UA said that the initial compromise took place no later than February 2022, although it did not specify how the compromise occurred. Disconnection of electrical substations and decommissioning of the company’s infrastructure were scheduled for Friday evening, April 8, 2022, but “the implementation of the malicious plan” was prevented.

The Ukrainian team received help from both Microsoft and ESET in deflecting any significant fallout from the attacks. ESET issued a report presenting its analysis of the attacks, saying its collaboration with CERT-UA resulted in its discovery of a new variant of Industroyer malware, the same malware that the Sandworm group used to take down the power grid in Ukraine in 2016.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

US bulk energy providers must now report attempted breaches

US bulk energy providers must now report attempted breaches as well as successful breaches. Guidance is murky over what constitutes an “attempted” breach.

One of the most pernicious aspects of the far-reaching and potentially devastating SolarWinds supply chain hack is that it successfully evaded detection for at least ten months by hiding inside seemingly normal software operations. The hack of SolarWinds’ Orion product enabled Russian actors to embed surveillance malware into widely used management software. It pushed the so-called SUNBURST malware deep into public and private networks using the invisibility cloak of ordinary activity, causing no harm or disruption as it silently operated.

The SolarWinds hack is largely considered a turbo-charged nation-state espionage campaign. Most experts, however, won’t rule out that out the possibility that the Russian intelligence team behind the breach weren’t also paving the way for attacks that could damage operations. One of the biggest concerns about the hack’s impact is how it affected the nation’s power grid.

New regulations aimed at spotting attempted compromises in the power grid that don’t cause damage, like SolarWinds, went into effect on January 1, 2021. It’s not at all clear that the new requirements will help the energy industry spot these kinds of attacks.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

 

Articles

FEATURE – The Mysterious Case of the Missing 250-Ton…

lead centered=”no”
In May, the Trump administration seized a $3 million transformer on its way to Colorado. What happened to it, and where is it now?
/lead

In May, the Trump administration seized a 250-ton, $3 million Chinese high-voltage transformer that was on its way to Colorado. It was taken to Sandia National Labs in New Mexico for reasons unknown. What happened to it still remains a mystery.

On May 1, the Trump Administration issued a surprise Executive Order (EO), “Securing the United States Bulk Power System.” The directive aims to keep critical equipment supplied by foreign adversaries out of the nation’s power grid due to supposed supply chain security threats. It requires the Secretary of Energy to work with other agencies in identifying the specific equipment from adversarial suppliers, particularly Chinese suppliers, that the government should bar from the bulk-power system.

The Department of Energy (DOE) has to issue relevant rules on the matter within 150 days, or by September 28. Shortly after the EO’s release came the surprising revelation that a federally owned utility managed by DOE, the Western Area Power Administration (WAPA), hijacked a nearly $3 million Chinese-manufactured transformer initially intended for one of its substations in Colorado. WAPA instead diverted it to one of DOE’s national laboratories, Sandia National Labs, in New Mexico.

The manufacturer of the high-voltage 500,000-pound transformer was Chinese company JiangSu HuaPeng Transformer Co., Ltd., or JSHP, which shipped the transformer from Shanghai to the Port of Houston in August 2019.JSHP’s North American representative Jim Cai told Motherboard his company planned to spend a couple of hundred thousand dollars to transport the high-grade steel using a particular kind of railroad car to WAPA’s Ault substation in Colorado, where JSHP would then install it. Like all electric substations, the Ault facility’s main purpose is to “step down” high-voltage electricity, typically above 1,000 volts, to lower, more manageable levels that can be distributed safely to homes and businesses.

Before the ship docked in Texas, WAPA told JSHP to cancel its plans to transport and install the transformer and to forget about selling a warranty on the equipment, which is almost always mandatory for highly specialized, expensive electrical system equipment. The utility then transported the transformer itself to Sandia. Since then, WAPA and DOE have been silent on this odd development, which has sparked confusion and concerns among utilities and industrial control system (ICS) security specialists.

This article appeared in Vice News. To read the rest of the article please visit here.

Photo by ETA+ on Unsplash