Malware can create devastating impacts to any company, including temporary or permanent shutdown of operations, data and financial loss, and under certain conditions potentially loss of life. Dragos has identified an increase in malware infections at industrial companies globally throughout 2019 and the beginning of 2020. The notable malware infections of 2019 include LockerGoga, Emotet, and Ryuk that support the trend of an increase in industrial-impacting malware infections globally.
What LockerGoga, Emotet, and Ryuk all have in common is the potential for creating operational disruption. From costly operational impacts to disrupted production processes, opportunistic malware infections can have varying and unpredictable impacts on victim networks. Adversaries are increasingly targeting industrial operations with general-purpose malware. With every malware infection an organization receives it not only directly hurts the reputation of that company and potentially puts the business in jeopardy, it may also jeopardize the safety of the impacted employees through unpredictable or unintended side effects.
LockerGoga first appeared in an incident at a French engineering company, Altran Technologies, in January 2019. The most notable impact was to a Norway-based company, Norsk Hydro, in March 2019 that resulted in prolonged and costly operational impacts. LockerGoga encrypted all files outside the Windows directory and implemented changes to make restoration difficult, if not impossible, at Norsk Hydro. Given LockerGoga’s evolving functionality, in many respects it represents as much of a disruptive threat as a ransomware vector for many entities in its last observed version.
Emotet malware first appeared in 2018 and is a modular trojan commonly observed deploying Trickbot and Ryuk malware. In February 2019, Emotet infected a vessel bound for the Port of New York and New Jersey which impacted the shipboard network (though no essential control systems were impacted), according to the U.S. Coast Guard. The Australian Cyber Security Center (ACSC) said it was aware of at least 19 Emotet infections in Australia that impacted critical infrastructure providers and government agencies.
According to publicly available information shared with Dragos, attackers used Ryuk ransomware in events involving a U.S. airport, U.S. airline, Canadian supply chain company and a Europe-based aviation industry supplier. Mitsubishi Canada Aerospace experienced a Ryuk attack lasting weeks, according to local media. Ryuk also impacted an unspecified marine facility that disrupted its camera and physical access control systems and caused a loss of critical process control monitoring systems, according to a bulletin from the U.S. Coast Guard. In June, the U.K.’s National Cyber Security Centre (NCSC) warned of ongoing Ryuk ransomware campaigns that may target global organizations.
Numerous other malware events disrupted ICS entities in 2019. In July, a ransomware attack on the IT systems for the municipal power company in Johannesburg, South Africa prevented prepaid electricity purchase via online systems and effectively created a denial of service condition interrupting the delivery of electricity. In September, Rheinmetall Automotive experienced an unnamed malware attack that disrupted production processes. A cyber event disrupted production and distribution at the Danish health device manufacturer, Demant, and BitPaymer ramsomware impacted order fulfillment and delivery at the automation firm Pilz in October. The oil company Petroleos Mexicanos experienced a ransomware attack in November that disrupted the company’s administration, business, billing and supply chain operations.
Ransomware and potentially disruptive malware are not new threats, but threats will continue to propagate through networks in ways never seen before, including leveraging different spreading mechanisms for propagation. For more information on malware threats, please read the Dragos Year in Review report.
Follow the recommendations below to mitigate malware threats and risk.
- Enforce Multifactor Authentication (MFA) wherever possible. Focus critically on connections to integrators, maintenance, vendor personnel, and crown jewels such as safety equipment.
- Passively identify and monitor ICS network assets to identify key assets, chokepoints, and external communications in the network.
- Monitor network traffic to identify connections between networks and connections that were not originally known. Monitor to provide insights into ICS communications and help with better zoning and segmentation.
- Create an ICS specific incident response plan and conduct tabletop exercises to practice how to handle different incidents.
- Look for threat behaviors and known Tactics, Techniques, and Procedures (TTPs) that adversaries use, like those mapped to ATT&CK for ICS.
- Monitor outbound communications from ICS networks to detect malicious threat behaviors, configuration changes, indicators, and anomalies. Understanding malicious behaviors exhibited by malicious Activity Groups is crucial for defending against them.
- Identify and label critical ICS assets to aid with detection and monitoring. Dragos Asset Identification allows for certain analytics to function by detecting malicious behaviors against asset types.
- Leverage industrial-specific threat detection mechanisms to identify malware within OT and reinforce defense in depth strategies at the network level, leading to a more robust investigation ability by defenders and analysts.
- Ensure strong network defenses between the IT and OT networks, creating chokepoints to limit malware spread.
- Ensure corporate networks are patched to prevent malware infections from entering the environment and to prevent subsequent propagation.
- Ensure that critical network services, such as Active Directory (AD) and the servers hosting it, are well-defended and that administrative access to hosting devices is restricted to the greatest degree possible.
- Evaluate and limit AD federation and sharing between IT and ICS networks to the greatest extent possible. Among other items, create dedicated security groups for OT systems within a shared AD environment and limit permission for deploying GPOs or other changes to only a subset of administrators to reduce attack surface.
- Critically examine and limit connections between corporate and ICS networks to only known, required traffic.
- Ensure backups of enterprise network systems are maintained and test backups during disaster recovery simulations.