
New Ransomware Attacks Against Industrial Control Systems (ICS)

Dragos is a company that provides industrial asset identification, threat detection, and response to help organizations stay ahead of adversaries. According to Dragos intelligence and threat reports, it appears that a segment of code called Snake or EKANS, first recognized in December, 2019, has been designed as ransomware to target Windows systems used in industrial control systems (ICS). 

Ransomware is malicious software that locks up data on a computer’s drive, then spreads across the network and encrypts other data. The saboteurs then demand payment in exchange for releasing the data. Industrial control system machines are high-value targets (healthcare is the other major high-value target), and EKANS is unusual in that the malicious code uses knowledge specific to control systems: it first encrypts the root data (files are encrypted and renamed with a random 5-character extension), then disrupts the software processes and holds the data hostage.

Companies targeted by EKANS are sent a ransom note instructing them to pay the ransom in cryptocurrency; an email address is provided for contact and replies.

Manufacturing plants, power grids, and industrial concerns (such as oil refineries) are all targets of this malware.

Another feature of the EKANS ransomware is that it is programmed to terminate sixty-four (64) different processes on infected computers, most of which are ICS specific. This suggests that EKANS may share features with the Megacortex ransomware, which first appeared in early 2019. Megacortex relies on manual deployment by its operators rather than on self-propagation.
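A defender-side illustration of the two behaviours just described (mass renaming of files with a random 5-character extension, and termination of ICS-related processes), written as an added example for this post rather than taken from Dragos or from the EKANS code itself; the process watchlist, the event format and the sample telemetry are constructed placeholders:

```python
import re

# Regex for the rename pattern the text describes: the original name is kept
# and a random 5-character extension is appended (e.g. "report.docx.Ab3xZ").
RANDOM_EXT = re.compile(r"^(?P<orig>.+)\.(?P<ext>[A-Za-z0-9]{5})$")

# Legitimate 5-character extensions to ignore (small illustrative allowlist).
LEGIT_5CHAR_EXTS = {"class", "xhtml", "jsonl"}

# Hypothetical watchlist of ICS-related process names.  These are placeholders
# constructed for this example, not the real 64-entry EKANS kill list.
ICS_PROCESS_WATCHLIST = {"historian_svc.exe", "hmi_runtime.exe", "plc_gateway.exe"}

def is_ransomware_rename(src, dst):
    """True when dst is exactly src plus an unknown 5-char alphanumeric extension."""
    m = RANDOM_EXT.match(dst)
    return bool(m) and m.group("orig") == src and m.group("ext") not in LEGIT_5CHAR_EXTS

def score_events(events, rename_threshold=10, kill_threshold=3):
    """Tally EKANS-like indicators over a list of endpoint events.

    Each event is a dict: {"type": "rename", "src": ..., "dst": ...} or
    {"type": "proc_kill", "name": ...}.  Returns the counts and a verdict.
    """
    renames = kills = 0
    for ev in events:
        if ev["type"] == "rename" and is_ransomware_rename(ev["src"], ev["dst"]):
            renames += 1
        elif ev["type"] == "proc_kill" and ev["name"].lower() in ICS_PROCESS_WATCHLIST:
            kills += 1
    # Both signals together (mass rename plus termination of control-system
    # processes) match the behaviour described for EKANS; either alone is weaker.
    return {"renames": renames, "ics_kills": kills,
            "alert": renames >= rename_threshold and kills >= kill_threshold}

# Constructed sample telemetry: ten suspicious renames sharing one random
# extension, two benign renames, three watchlisted kills and one benign kill.
SAMPLE_EVENTS = (
    [{"type": "rename", "src": f"plant{i}.csv", "dst": f"plant{i}.csv.Qz7Kd"} for i in range(10)]
    + [{"type": "rename", "src": "Main", "dst": "Main.class"},
       {"type": "rename", "src": "notes.txt", "dst": "notes.bak"},
       {"type": "proc_kill", "name": "historian_svc.exe"},
       {"type": "proc_kill", "name": "HMI_Runtime.exe"},
       {"type": "proc_kill", "name": "plc_gateway.exe"},
       {"type": "proc_kill", "name": "notepad.exe"}]
)

if __name__ == "__main__":
    print(score_events(SAMPLE_EVENTS))
```

In practice the events would come from file-system auditing and process-exit telemetry on the Windows hosts; the thresholds are tuning knobs, not values from the Dragos report.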

It is still unknown whether the EKANS ransomware originated from state-sponsored hackers or from ordinary cybercriminals trying to profit from industrial control system owners. Based on the most recent analysis of the ransomware by Dragos researchers, it appears to be the latter.

It is wise to raise awareness among everyone who touches your systems, and it would be prudent to have someone within your organization (or a consultant) tasked with keeping data security protections current. In addition, it is crucial that ICS organizations rethink their cybersecurity leadership philosophy. In many organizations, the evangelists for cybersecurity are not equipped to exert influence in the company. Cybersecurity is still treated as a back-office job, but it needs to be treated as a priority by organizational leaders.

Dragos adversary hunters recommend keeping ICS systems segmented from the rest of the network. That way, if a single Windows machine is infected, the malware cannot spread to the systems that control the infrastructure. In addition, standard practices such as backups stored offline, including the last known good configuration data, will reduce the risk of a slow recovery. Guardrails such as improved access controls and authentication mechanisms will also help to reduce the risk of these increasingly troubling attacks on ICS systems.

More detailed information can be accessed here:
https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/

Article courtesy of A-P Corporation, a manufacturer’s representative for the leading suppliers of sensors, instrumentation, and induction heating equipment. Providing professional sales engineering services to New England and upstate New York since 1959.

US Power Grids, Oil and Gas Industries, and Risk of Hacking


A report released in June by the security firm Dragos describes a worrisome development by a hacker group named “Xenotime”: at least two dangerous oil and gas intrusions and ongoing reconnaissance of United States power grids.

Multiple ICS (industrial control system) sectors now face the XENOTIME threat; this means that individual verticals, such as oil and gas, manufacturing, or electric, cannot ignore threats to other ICS entities simply because they themselves are not specifically targeted.

The Dragos researchers have called this threat proliferation the world’s most dangerous cyberthreat, following an event in 2017 in which Xenotime caused a serious operational outage at a crucial site in the Middle East.

What concerns cybersecurity experts the most is that this attack used malware that targeted the facility’s safety processes (SIS, the safety instrumented system).

For example, when temperatures in a reactor rise to an unsafe level, an SIS will automatically start a cooling process or immediately close a valve to prevent an accident. SIS safety systems combine hardware and software to protect facilities from life-threatening accidents.

At this point, no one is sure who is behind Xenotime. Russia has been connected to one of the critical infrastructure attacks in Ukraine. That attack was regarded as the first hacker-related power grid outage.

This is from a “Cause for Concern” post that was published by Dragos on June 14, 2019:

“While none of the electric utility targeting events has resulted in a known, successful intrusion into victim organizations to date, the persistent attempts, and expansion in scope is cause for definite concern. XENOTIME has successfully compromised several oil and gas environments which demonstrates its ability to do so in other verticals. Specifically, XENOTIME remains one of only four threats (along with ELECTRUM, Sandworm, and the entities responsible for Stuxnet) to execute a deliberate disruptive or destructive attack.

XENOTIME is the only known entity to specifically target safety instrumented systems (SIS) for disruptive or destructive purposes. Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft. XENOTIME expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary’s willingness to compromise process safety – and thus integrity – to fulfill its mission.

XENOTIME’s expansion to another industry vertical is emblematic of an increasingly hostile industrial threat landscape. Most observed XENOTIME activity focuses on initial information gathering and access operations necessary for follow-on ICS intrusion operations. As seen in long-running state-sponsored intrusions into US, UK, and other electric infrastructure, entities are increasingly interested in the fundamentals of ICS operations and displaying all the hallmarks associated with information and access acquisition necessary to conduct future attacks. While Dragos sees no evidence at this time indicating that XENOTIME (or any other activity group, such as ELECTRUM or ALLANITE) is capable of executing a prolonged disruptive or destructive event on electric utility operations, observed activity strongly signals adversary interest in meeting the prerequisites for doing so.”