2020 ICS Cybersecurity Year In Review

Ransomware contains built-in, ICS-specific functions within the ransomware and a likely relationship to a previous malware called MEGACORTEX. This malware also contained built-in industrial process targeting.

ATT&CK for ICS is an independent and community-sourced way to communicate about the unique threat behaviors that ICS adversaries are using and will help the community identify their coverage and gaps to increase their ability to detect and respond to threats. It is a huge win for the front-line ICS network defenders who now have a common lexicon for categorizing ICS specific techniques to support reporting and further analysis. Dragos understands the critical importance ICS threat behaviors play in an effective cybersecurity strategy and continues to contribute to this program and community resource.

The ransomware event impacted both IT and ICS and caused loss of view and control. The facility implemented controlled shutdown processes and the attack resulted in a reported two days of downtime.

PARISITE initial access activity largely focuses on ICS-related entities and may serve as an initial access vector for future disruptive operations associated with MAGNALLIUM. PARISITE’s initial access activity can enable a foothold for further penetration of the environment and potential ICS attack.

Public reporting identified one victim as ENTSO-E, and Dragos learned this intrusion included full IT network access and access to the organization’s Active Directory instance. A national nuclear regulator experienced an attack in which the adversary used access to the regulator to enable phishing activity and credential capture against supported entities.

As the COVID-19 pandemic spread globally, companies began requiring some workers to remain at home, even in industrial environments. Multiple ICS-targeting activity groups have historically targeted remote access technologies or logon infrastructure including PARISITE, MAGNALLIUM, ALLANITE, and XENOTIME, and criminal adversaries began taking advantage of the global transition to remote work.

Dragos identified a new variant of DTrack malware associated with WASSONITE. The sample had the ability to communicate with Fujitsu Systemwalker management software, which is associated with distributed computing and data center management operations.

The group targets wind generation organizations and government entities in Azerbaijan. Intrusions are limited to access development and information gathering focused on critical infrastructure sectors. Cisco Talos first reported on this group's activities.

Dragos identified new EKANS activity targeting multiple industrial related companies including Fresenius Kabi, a pharmaceutical division of the European company Fresenius Group; global manufacturer Honda; and Italian energy company Enel. Some operations were disrupted.

The identified activity includes credential harvesting via watering hole attacks followed by use of captured credentials and built-in system tools to launch intrusions into the German electric and potentially water and wastewater sectors.

The U.S. National Security Agency (NSA) published a brief report on continued activity by the Sandworm activity group. Sandworm served as the likely initial access vector to enable ELECTRUM to conduct an ICS-specific attack aimed at physical process destruction in CRASHOVERRIDE. Following the publication of the NSA report, Dragos identified multiple items relating to additional SANDWORM infrastructure and other activity.

TALONITE uses malware called LookBack and FlowCloud that enables initial access and reconnaissance activities within a victim environment. All the group’s operations focus on the U.S. electric sector and delivers its malware via phishing. Proofpoint first publicly reported on this group.

Security researchers disclosed a series of 19 vulnerabilities in the Treck TCP/IP software library. Example ICS devices impacted include Programmable Logic Controllers (PLCs), Serial to Ethernet Converters, Protocol Converters, Remote Terminal Units (RTUs), digital protective relays, and some managed network switches and routers.

The U.K. NCSC, in cooperation with related intelligence agencies in Canada and the United States, released a report identifying Russian intelligence activity performing espionage operations targeting several industrial sectors including pharmaceutical research focused on COVID-19 vaccine development.

Severe vulnerabilities were identified in multiple products including from MobileIron, Citrix, Palo Alto Networks, Juniper Network, and SAP. Some of these vulnerabilities have been used by ICS-targeting adversaries to gain initial access to target networks.

VANADINITE activity has targeted strategically significant industrial organizations to serve as an initial access vector for future operations. The group has targeted North America, Europe, and possibly Australia and Asia. VANADINITE uses publicly identified vulnerabilities in external-facing appliances and services to install backdoors or other persistence mechanisms to operate against energy and manufacturing entities, and some operations in government and educational sectors.

Oil and gas and electric utilities across the Middle East and North America face continued threats from the ICS-focused activity group MAGNALLIUM, as Dragos discovered new malicious infrastructure and continued use of historical infrastructure.

A vulnerability was discovered in Microsoft's Netlogon that could allow an adversary to escalate privileges. CISA has reported APT groups actively exploiting this vulnerability. ICS-focused adversaries, including PARISITE and VANADINITE, have been observed to quickly incorporate known vulnerability exploits into their activity.

Dragos continues to identify ongoing watering hole activity associated with DYMALLOY. This group is attempting to target users visiting various websites including original equipment manufacturers, news, and government websites.

Dragos learned of activity possibly linked to ALLANITE or DYMALLOY targeting multiple U.S. industrial entities from September through October 2020. Operations included use of ZeroLogon to further intrusions into victim networks.

Dragos identified a new FlowCloud malware sample. Subsequent investigation, in collaboration with information sharing partners, identified new infrastructure associated with this group that suggests activity is ongoing.

The U.S. Treasury sanctioned the Russian institute allegedly responsible for assisting in the development of malware in the TRISIS attack. It was the first time a government entity has issued formal penalties for an ICS-specific cyberattack.

Dragos identified ongoing phishing activity targeting government entities in Lebanon which Dragos associates with the activity group CHRYSENE. Dragos also identified new malware and capabilities associated with this group.

Americold, a U.S.-based temperature-controlled warehousing and transportation company, experienced a cyberattack that may have disrupted operations. The coronavirus pandemic has underscored the vital importance of cold-storage facilities and the requirement for supply chains to adapt to changing requirements. As vaccines for the coronavirus become available, manufacturers and distributors will require cold storage to ensure the vaccine can maintain its efficacy.