Claroty is closely monitoring the Russia-Ukraine conflict for expected cyberattacks and disruptions.
Already, security company ESET has discovered new wiper malware in use against targets inside Ukraine prior to the start of the invasion.
These attacks came on the heels of disruptive DDoS attacks against government agencies and financial institutions, and a separate wiper malware attack in January, called WhisperGate.
Critical infrastructure organizations should prepare for misinformation and disinformation campaigns and influence operations targeting utilities, water, and other sectors. CISA has published an alert you should be aware of.
Organizations should be vigilant about any systems connected or exposed to the internet. These would be targets or victims of opportunity in a conflict. Engineering workstation patch levels must be current, and critical applications up to date. Policy should dictate whether those workstations can browse out to the internet and enforce any restrictions.
All remote connections must be monitored and secured. Remote connections to HMIs and other Level 1 and 2 devices must also be monitored, audited, and actively disconnected at the first sign of malicious activity.
As Russia and Ukraine inch toward imminent conflict again, according to the White House, it's important that critical infrastructure operators globally understand the reach of such conflict isn't always confined to the battlefield.
Escalating tensions between the two nations have now spilled over into alleged Russian cyberattacks targeting Ukrainian government agencies with website defacements and wiper malware. Reminiscent of previous incursions attributed to Russia against Ukraine, including the destructive NotPetya attacks of 2017, cyberattacks have always been a concern as a precursor to a kinetic attack, or in conjunction with one.
Microsoft was among the first to detect the current campaign of wiper malware attacks. It published a report over the weekend warning users of coordinated destructive attacks it calls WhisperGate, which, much like NotPetya, arrives purporting to be ransomware but in reality is wiper malware that overwrites the master boot record on compromised computers, effectively bricking the hardware. Two government agencies have been affected already with dozens of computers wiped; more than 70 agencies were targeted in this campaign, Microsoft and other outlets have said.
One lesson learned from NotPetya, which in 2017 exploited vulnerabilities to backdoor the update infrastructure of Ukrainian business software provider M.E. Doc, is that collateral damage is inevitable. NotPetya quickly spread throughout Europe and threatened confidence in an important software supply chain.
Claroty has identified eight things, below, that asset owners and operators can remember to check for today—many of which should already be in place as best practices—to secure assets in a tense geopolitical climate.
Asset owners and operators must limit the internet access afforded to control systems and other devices and machines operating on an OT network. Engineering workstations are traditionally Windows-based machines, and these can be vulnerable entry points to an OT network that attackers can leverage. Patch levels must be current, and critical applications up to date. Policy should dictate whether those workstations can browse out to the internet and enforce any restrictions. Remote connections to HMIs and other Level 1 and 2 devices must also be monitored, audited, and actively disconnected at the first sign of malicious activity.
CISA, the FBI, and NSA published a document Jan. 11 laying out known tactics, techniques, and procedures used by Russian APT groups against critical infrastructure operations. The joint cybersecurity advisory reinforces the need for cyber incident response plans, resilience planning, and business continuity in the event of a disruption.
The advisory lists a number of vulnerabilities Russian operatives favor for initial access, many of which are in network technology such as VPNs, routers, application delivery hardware, virtual machines, and Microsoft Exchange infrastructure. ICS devices and OT networks have also been targeted by Russian APTs in the past with destructive malware and other malicious code tailor-made for ICS, including Havex, Crash Override, Triton, and others.
A second CISA document, published this week, warns critical infrastructure organizations working with Ukrainian organizations to be vigilant about monitoring, inspecting, and segmenting traffic from that country, and reviewing access controls for that traffic. Crisis-response teams must be on call and internal stakeholders must have defined roles and responsibilities in the event of a cyberattack.
Backup is a key strategy in combating ransomware and destructive malware attacks. Most organizations should have a regularly scheduled backup period where critical files and systems are backed up and stored offline in a secure offsite location. ICS project files must be included in these backup procedures.
Project files are crucial pieces of intellectual property. They usually take the form of archive file formats that contain OLE files, SQLite databases, proprietary binary formats, text files, and directories created within engineering workstations. The engineering software that produces them is used by engineers to monitor, configure, and communicate with programmable logic controllers (PLCs) and other control systems. The program logic contained in a project file governs ICS devices and oversees processes, and it also may include network configuration data and—at times—a complete OT network layout.
Project files are complex, take time to develop and refine, and need to be protected.
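As an added example (not Claroty's code or any vendor's project format), the script below treats a zip-based project file the way the text describes it: it identifies each member by its leading bytes (OLE compound file, SQLite, text), records a SHA-256 per member, and compares the live copy's manifest against the offline backup's so a missing or altered member is reported. The archive layout, member names and stub contents are constructed for the demo.

```python
import hashlib
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header
SQLITE_MAGIC = b"SQLite format 3\x00"              # SQLite 3 database header

def classify(data: bytes) -> str:
    """Label a member by its magic bytes rather than trusting its file extension."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(SQLITE_MAGIC):
        return "sqlite"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"

def build_manifest(archive_bytes: bytes) -> dict:
    """Map each member of a zip-based project file to its detected type and SHA-256."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            manifest[info.filename] = {"type": classify(data),
                                       "sha256": hashlib.sha256(data).hexdigest()}
    return manifest

def verify_backup(live: dict, backup: dict) -> list:
    """Report members missing from the backup copy or whose contents no longer match."""
    problems = []
    for path, meta in live.items():
        saved = backup.get(path)
        if saved is None:
            problems.append(f"missing in backup: {path}")
        elif saved["sha256"] != meta["sha256"]:
            problems.append(f"hash mismatch: {path}")
    return problems

def sample_project(logic: bytes) -> bytes:
    """Constructed stand-in for a project archive (hypothetical layout, not a real vendor format)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/device.db", SQLITE_MAGIC + b"\x00" * 84)  # header-only SQLite stub
        zf.writestr("logic/main.ole", OLE_MAGIC + b"\x00" * 16)        # header-only OLE stub
        zf.writestr("logic/main.st", logic)                            # structured-text source
    return buf.getvalue()
```

Run `build_manifest` over the workstation's copy and over the offline backup, then `verify_backup` on the two results; a hash mismatch outside a scheduled change window is a file to investigate before the backup is trusted for recovery.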
Every data point is critical to detecting a breach during a cyber incident. The best way to enhance detection is to centrally correlate data from as many sources as possible in a SIEM. This would also include correlating OT systems and security logs from engineering workstations, as well as information from threat detection platforms such as Claroty Continuous Threat Detection (CTD), remote access connections, and third-party SCADA platforms. SIEM vendors often charge by inbound volume, so managers should decide whether to temporarily increase an existing quota or utilize available flex capacity.
Open firewall ports can also be leveraged by threat actors as an initial foothold onto a network. In a time of heightened vigilance, it's important to restrict access via enhanced firewall rules. One particular area of concern is access to contractors and other third parties. Oftentimes, those connections afford partners and contractors substantial access and permissions to network assets. This is a good time to double check those rules.
While anomaly detection is a popular defense-in-depth technology, it can be noisy and contribute mightily to alert fatigue for administrators. It's not uncommon for these systems to be tuned down in an attempt to temper the number of rules that may be triggered and alerts created. In certain instances, such as in today's climate, it may be a good idea to reduce filtering a bit and allow for second-tier events, for example. This may require a bit more review for administrators, but it will also enhance detection capabilities.
Webmail services such as Yahoo and personal Gmail accounts, as well as local IMAP/POP3 clients, should be blocked on the OT network. These services, along with social media, are popular and risky avenues for phishing and spear-phishing attacks favored by APT groups to gain an initial foothold on an OT network. Limiting operators from checking personal email or Facebook accounts by policy reduces the risk of devastating attacks launched over these channels.
Heed these alerts from the White House, and leverage them to reinforce the need internally for incident response, tabletop exercises, and more resources across the organization. Explain the need for extra vigilance, describe the potential consequences, and pull experience from others within the IT and OT security teams.