The threat posed to critical infrastructure via cyber-attacks has long been a major concern for security researchers, and recent developments have seen ransomware gangs actively targeting it. The HelloKitty ransomware variant might be best known for its attack on CD Projekt Red, but the ransomware's operators have proved equally capable of going after power plants. The bad news for organizations within the critical infrastructure sector does not end with HelloKitty.
In a report published by Dragos, researchers uncovered the activities of four new and distinct hacking groups targeting critical infrastructure. The discovery of these four groups accounts for a 36% increase in the number of groups tracked by the security firm, which specializes in threats to industrial control systems (ICS). Dragos had previously released details of 11 other groups known for targeting the US power grid. The firm also noted that the conditions making critical infrastructure such fertile ground for attackers include insufficient visibility into the Operational Technology (OT) network and the unsafe sharing of OT credentials across the network. What follows is a brief look at each of the four new groups identified by Dragos.
STIBNITE is primarily focused on wind turbine companies in Azerbaijan; from Dragos' data, the group appears to target Azerbaijani companies exclusively for the moment. It is believed that this focus may relate to the ongoing hostilities between Azerbaijan and Armenia over disputed territory, in which power generation, as part of critical infrastructure, is frequently targeted. Dragos admits that the correlation between STIBNITE and the ongoing hostilities is currently tenuous and has not pointed a finger at which side is responsible. The security firm does, however, believe that STIBNITE requires close attention given the current hostilities.
Researchers noted that the victims shared technology with Ukrainian wind farms, which led them to believe that the Ukrainian supplier was the initial target and was used as a stepping stone to compromise facilities in Azerbaijan. Since the supplier also operates and maintains the sites, this scenario is highly probable. The group also makes use of PoetRAT, a remote access trojan capable of logging keystrokes, stealing passwords, accessing victims' webcams, managing files, and uploading files from a Command & Control server. Summarizing STIBNITE's tactics, researchers noted,
“STIBNITE used shared Command and Control (C2) infrastructure between multiple intrusions in late 2020 and updated its malware capabilities to avoid detection after public reports on its activity were released. STIBNITE uses PoetRAT remote access malware in its intrusion operations to gather information, take screenshots, transfer files, and execute commands on victim systems. STIBNITE gains initial access via credential theft websites spoofing Azerbaijan government organizations and phishing campaigns using variants of malicious Microsoft Office documents. STIBNITE also used information related to the global COVID-19 pandemic for malicious document themes.”
TALONITE, the second group, also focuses on victims within a strict set of parameters: organizations that make up the US power grid. Its main malware distribution method is phishing, delivering malware-loaded documents or executables. These phishing campaigns use electric and power grid engineering-specific themes and concepts, indicating an intent to gain a foothold within energy sector entities. Dragos explains what such a foothold enables:
“Such access could facilitate gathering host and identity information, collecting sensitive operational data, or mapping the enterprise environment to identify points of contact with ICS. The identified infrastructure and phishing emails spoofed the National Council of Examiners for Engineering and Surveying (NCEES), North American Electric Reliability Corporation (NERC), the American Society of Civil Engineers (ASCE), and Global Energy Certification (GEC).”
TALONITE is known for employing two custom malware variants, LookBack and FlowCloud, both primarily used to gather information. These malware strains are executed via legitimate binaries in order to hide their true purpose and avoid detection. LookBack's persistence mechanism adds two Windows registry keys so that legitimate but modified files execute the next time the infected user logs in. FlowCloud achieves a similar goal by launching a renamed copy of Microsoft's legitimate HTML Help Workshop utility (hhw.exe).
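The two persistence patterns described above, a renamed copy of a legitimate utility and a logon-time Run key entry, can be flagged in endpoint telemetry. The following is an added detection example (not code from the article or from Dragos) run over constructed Sysmon-style events; the paths, SIDs and value names are invented, and hhw.exe is the only watched utility because it is the one the article names.

```python
# Added example (not from the article or from Dragos): flag the two TALONITE
# persistence patterns described above in Sysmon-style process and registry
# telemetry. All events below are constructed for illustration.
import ntpath

# hhw.exe (HTML Help Workshop) is the legitimate utility named in the article.
# Sysmon reports the PE's embedded OriginalFileName, which survives renaming.
WATCHED_ORIGINAL_NAMES = {"hhw.exe"}
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def is_renamed_lolbin(event):
    """Sysmon EID 1 whose embedded OriginalFileName is watched but whose on-disk name differs."""
    if event.get("EventID") != 1:
        return False
    original = event.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(event.get("Image", "")).lower()  # handles Windows paths anywhere
    return original in WATCHED_ORIGINAL_NAMES and original != on_disk


def is_run_key_persistence(event):
    """Sysmon EID 13 (registry value set) under a Run or RunOnce key."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()
    return any(marker in target for marker in RUN_KEY_MARKERS)


def scan(events):
    """Return (event index, rule name) pairs for every matching event."""
    findings = []
    for i, ev in enumerate(events):
        if is_renamed_lolbin(ev):
            findings.append((i, "renamed_legitimate_binary"))
        if is_run_key_persistence(ev):
            findings.append((i, "run_key_persistence"))
    return findings


# Constructed sample telemetry (paths, SIDs and value names are invented).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files (x86)\HTML Help Workshop\hhw.exe",
     "OriginalFileName": "hhw.exe"},                      # benign: names match
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\svchost_update.exe",
     "OriginalFileName": "hhw.exe"},                      # renamed copy of hhw.exe
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft"
     r"\Windows\CurrentVersion\Run\Updater", "Details": r"C:\Users\Public\a.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Example\Setting", "Details": "1"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

A real deployment would baseline legitimate Run key writers (installers, updaters) before alerting, since the registry rule alone is noisy.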
Unlike the previous two, VANADINITE has been seen targeting organizations within the industrial sector across multiple sectors and regions. Initial access campaigns were conducted against the energy, manufacturing, and transportation sectors in North America, Europe, Australia, and Asia. The group's main aim is believed to be information gathering, which includes ICS compromise and data theft. There is also a slight possibility that the group deployed the ColdLock ransomware variant against Taiwanese state-owned ICS companies; researchers noted they have low confidence in this scenario and, if it is true, do not know whether the attack was for financial gain or to disrupt those targeted. Based on the data compiled by Dragos, VANADINITE seems to focus on ICS intelligence gathering and the theft of intellectual property relating to ICS processes, function, and design, to help the group's sponsor develop improved ICS targeting and compromise capabilities. As to the group's main method of achieving initial access to a target's network, researchers noted,
“Dragos consistently observed a pattern in VANADINITE behavior, including the targeting of recently disclosed “n+1” vulnerabilities in a range of networking and gateway devices impacting remote access services like VPNs. Asset owners and operators should treat vulnerabilities in external-facing network appliances as a serious issue. Dragos observed multiple entities, including PARISITE, increasingly adopt this methodology. These remote access technologies often directly enable access to ICS networks bypassing enterprise networks and are commonly used by integrators and ICS OEMs.”
The last of the newly discovered groups, KAMACITE, targeted US energy companies throughout 2020 by leveraging stolen credentials or brute-force logons against remote services to access victim networks. Researchers believe KAMACITE is a major threat to critical infrastructure because its activity overlaps with that of the Sandworm group, which is infamous for attacks on the Ukrainian power grid on several occasions that left many without power for extended periods. While there is an overlap in tactics and methods between KAMACITE and Sandworm, Dragos researchers believe the new group is a distinct entity based on the evolution of its tactics compared to Sandworm. Researchers noted,
“Dragos assesses KAMACITE is an access-enablement team that operates to support other teams conducting disruptive and destructive effects. Previously, Dragos identified ELECTRUM as the group responsible for the Ukraine 2016 electric transmission substation cyberattack. The important distinction is that in Dragos’s analysis, KAMACITE conducted the access operations, enabling ELECTRUM to create and use CRASHOVERRIDE malware to carry out the attack. Dragos determined this based on behavioral differentiations from ELECTRUM activity and earlier access operations demonstrating two distinct groups of activity.”
Dragos observed the group performing reconnaissance against US energy companies. Once the reconnaissance phase was complete, the group attempted to take advantage of those companies' webmail and cloud-based logon services, including Microsoft Active Directory (AD) and Office 365. For those tasked with defending OT networks and ICS software and hardware, the report is a must-read: it includes sections on the tactics favored by attackers and the vulnerabilities they use, with the vulnerabilities rated to help administrators decide what to look for when shoring up defenses. To further strengthen their security posture across these networks and systems, organizations should also apply network segmentation, separating operational technology from information technology, so that if attackers compromise the IT network, moving laterally onto the OT network is not a simple task.
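The credential-based access described for KAMACITE (stolen credentials and brute-force logons against webmail and cloud logon services) leaves a pattern in sign-in logs that defenders can label. The following is an added example (not code from the article or from Dragos) over constructed sign-in records; the record layout, addresses, account names and thresholds are all assumptions, and it goes slightly beyond the text by also separating a password spray (few guesses against many accounts) from a brute force against one account.

```python
# Added example (not from the article or from Dragos): label the credential-based
# access patterns the article attributes to KAMACITE in constructed sign-in records
# for a webmail or cloud logon service. Thresholds are assumptions, not Dragos's.
from collections import defaultdict


def classify_sources(records, fail_threshold=5, spray_accounts=3):
    """Per source IP, collect labels for (timestamp, ip, user, result) records:
    brute_force            - >= fail_threshold failures against one account
    password_spray         - failures against >= spray_accounts distinct accounts
    success_after_failures - a successful logon from an IP that had already failed
    """
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    labels = defaultdict(set)
    for _ts, ip, user, result in sorted(records):  # ISO timestamps sort correctly
        if result == "FAIL":
            fails[ip][user] += 1
            if fails[ip][user] >= fail_threshold:
                labels[ip].add("brute_force")
            if len(fails[ip]) >= spray_accounts:
                labels[ip].add("password_spray")
        elif result == "OK" and ip in fails:
            labels[ip].add("success_after_failures")
    return {ip: sorted(found) for ip, found in labels.items()}


# Constructed sign-in records (addresses and accounts are invented).
SIGNINS = [
    # 203.0.113.5 hammers one mailbox, then gets in
    *[(f"2020-06-01T08:00:{s:02d}", "203.0.113.5", "ops.admin@utility.test", "FAIL")
      for s in range(5)],
    ("2020-06-01T08:01:10", "203.0.113.5", "ops.admin@utility.test", "OK"),
    # 198.51.100.20 tries one guess against several accounts
    ("2020-06-01T09:00:00", "198.51.100.20", "ops.admin@utility.test", "FAIL"),
    ("2020-06-01T09:00:03", "198.51.100.20", "scada.eng@utility.test", "FAIL"),
    ("2020-06-01T09:00:06", "198.51.100.20", "hmi.ops@utility.test", "FAIL"),
    # 192.0.2.9 is an ordinary user signing in once
    ("2020-06-01T09:30:00", "192.0.2.9", "j.doe@utility.test", "OK"),
]

if __name__ == "__main__":
    for ip, found in classify_sources(SIGNINS).items():
        print(ip, ", ".join(found))
```

The success_after_failures label is the one worth paging on, since it marks a guess that worked; a sliding time window and a per-account view would be the next additions for production use.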