How Dragonfly Hackers and RAT Malware Threaten ICS Security

The age of malware specifically targeting industrial control systems (ICS) began in 2010 when Stuxnet was revealed to be disrupting operations at one of Iran’s nuclear enrichment facilities. Since that shock, we have seen advanced malware, such as Flame and Duqu target energy companies for espionage purposes. We have also seen the unsophisticated, but highly effective, Shamoon malware massively infiltrate Saudi Aramco .

Today, I want to let you know about a new malware, coined as coming from the “Dragonfly hacking group” by Symantec. It indicates a modis operandi on the level of Stuxnet in terms of technical brilliance and strategic execution.

Aimed at energy companies, it has at least three different attack mechanisms, including taking over the software download sites at trusted ICS/SCADA suppliers. The download packages look legitimate (since they come from trusted suppliers), but when the unsuspecting user installs them on their control system, the malware comes to life.

What does this have to do with everyday ICS and SCADA security? It is yet another example of targeted attacks of organizations in the energy sector. If you are in the energy sector, or your business relies on it, you may need to factor this type of cyber threat into your security risk assessments.

Let’s take a look at Dragonfly in more detail and see what we can learn from it.

SecurityExpertsImage3

RATs (Remote Access Tools) are key components of the Dragonfly malware.
Image Credits: 
The Quinton Report and The Dragonfly Woman

Read more »

Not All SCADA Security Attacks are Stuxnet Quality

Recently I received am email (shown further down on this page) purporting to be from the US Internal Revenue Service (IRS).

Phishing, like fishing, can be profitable. Image Credit: Fotopedia
Notice that the US Internal Revenue Service now uses Cyrillic script on its staff email addresses! And they use AOL as an email service, rather than irs.gov. (Is the US budget sequestration really hurting that badly? )
The third fun item is that the link you are supposed to click on (irs.gov/pub/irs-pdf/forms2012/) actually resolves to prospectrealty.net/wp-content/plugins/Bridge-Book-Printer/forms.htm.

(Note to Prospect Realty – you might want to secure your web site a little better.)

Beware Industrial Security Pros: Phishing Season is Open

Obviously, this email is a phishing attack. The creators of the email want me to click on the fake IRS link. If I did, my browser would be directed to the Prospect Realty website they have hacked. There I would either see a page that looked like an IRS log-in page (so the crooks could steal any confidential corporate information I enter) or the site would try to download some nasty Java applet that would take over my computer (assuming I hadn’t patched Java recently).

This phishing attack is so crude and so obvious that it is funny.

But in another way, it isn’t funny at all.

Read more »

Industrial Security: New Vulnerability Disclosure Framework A Step Forward

This is an excerpt from the Think Forward blog by Ernie Hayden at verizonbusiness.com 

In a move that may be helpful for critical infrastructure asset owners, on July 23 the Industrial Control Systems Joint Working Group (ICSJWG) published a new document on a framework for disclosing Industrial Control System (ICS) vulnerabilities.

Common Industrial Control System Vulnerability Framework

Industrial Control Systems Joint Working Group (ICSJWG), which was established by the U.S. Department of Homeland Security Control Systems Security Program, published the document – Common Industrial Control System Vulnerability Framework. The document was developed with the intention of providing consensus-based guidance to vendors and system integrators in helping them create ICS vulnerability disclosure policies. Read more »

SCADA Security: Falling into the Air Gap Trap

This is an excerpt from the Practical SCADA Security blog at Tofino Security.

Last week I discussed how security experts and ICS / SCADA vendors are giving up on the dream of the air gap as a viable security solution for the modern control system. Unfortunately, it is still all too easy to believe your control system is isolated.

Recently I had a very enlightening conversation with a control engineer who thought his system was air gapped. Read more »

Are SCADA Air Gap Supporters a Dying Breed?

Last week I updated my air gap blog from 2011. I noted some companies (like Siemens) no longer mention air gaps. Then to keep things balanced, I added new examples of consultants that support the air gap theory. In particular, I selected this quote from Paul Ferguson at Trend Micro:

“I’ve written about SCADA issues in the past, but one issue that I’ve consistently tried to emphasize is that critical control systems should never, ever interact nor interconnect with Internet systems in any way, shape, or form. There’s a good reason for this, and it’s always been referred to as the “Air Gap” Principle.” Read more »

Stuxnet: The Start of a Cyber Arms Race

The discovery of the Flame malware last week focused the cyber security world on the sophisticated strikes targeting energy companies in the Middle East. Although Flame’s goal was espionage rather than damaging operations as Stuxnet did, it has been seen as one more indication that the industrial world is now in the bull’s eye of clever attackers.

On the heels of Flame coverage, this week David Sanger, the Pulitzer Prize winning Washington correspondent for The New York Times, released his new book “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power“. Up to now, many writers speculated that the U.S. and Israel collaborated on Stuxnet. This book does not speculate; it builds a strong circumstantial case that these two countries did indeed create and launch Stuxnet against Iran. Read more »

Improving Control System Security with ANSI/ISA-99 Standards

Recently I wrote about one of the fundamentals of industrial cyber security, which is the concept of Defense in Depth.Today I am going to write about another foundation concept, which goes hand-in-hand with Defense in Depth, and that is using ANSI/ISA-99 Standards to improve control system security.

Factors that have degraded Control Network Security

There are two opposing trends impacting control network design today:

  1. The trend toward greater “interconnectedness” of control systems with enterprise systems as organizations seek increased business productivity and as they increase the use of Ethernet-TCP/IP technology.
  2. The trend to isolate control networks as an attempt to block advanced malware threats such as Stuxnet.

How does a controls engineer deal with the conflicting requirements of more integration and more isolation? My advice is to accept and plan for high integration with business systems, and to dismiss the idea that control systems can be isolated. Read more »

SCADA Security: Justifying the Investment

Cost-Value-Graphic

In my blog article Industrial Data Compromise – The New Business Risk I recommended that End Users and Control Engineers need to redouble their efforts in relation to securing their process.  However, finding the best way to justify the costs of implementing and maintaining a more secure process environment is new territory even for the most seasoned control system engineer.  In this article I suggest a way to determine the right amount of investment in ICS and SCADA security measures. Read more »

Controlling Stuxnet – No More Flat Networks PLEASE. Let’s Embrace “Security Zones”.

an-119_using_tofino_to_control_stuxnet_figure_1

In last week’s post, I mentioned that Eric Cornelius gave a very interesting talk at last week’s ICSJWG meetings. Cornelius works for INL (Idaho National Labs) and they are doing Stuxnet research for the US Government. Read more »

On Twitter