Keeping on top of ICS-focused hacking groups, defenses

How many hacking groups are focusing on ICS systems? Dragos security researchers say at least five were active in 2017.

“While only one has demonstrated an apparent capability to impact ICS networks through ICS-specific malware directly, all have engaged in at least reconnaissance and intelligence gathering surrounding the ICS environment,” the company noted in a recently published report.

ICS-focused hacking groups

Electrum – responsible for the 2016 Ukrainian power outage event, created through the CrashOverride malware. They believe Electrum previously served as the ‘development group’ facilitating the activity of the Sandworm APT, but that they moved into a development and operational role in the CrashOverride event.

“Based on available information, Electrum remains active, but evidence indicates the group may have ‘moved on’ from its previous focus exclusively on Ukraine,” the researchers shared.

Covellite – The group behind a phishing campaign against a US electric grid company and similar attacks in Europe, North America, and East Asia. There are similarities in both infrastructure and malware used by Covellite and the Lazarus Group APT but, for now, the former has not used or shown evidence of an ICS-specific capability.

Dymalloy – “Starting in late 2015 and proceeding through early 2017, Dymalloy was able to successfully compromise multiple ICS targets in Turkey, Europe, and North America. Dragos has also learned that, while the group does not appear to have a capability equivalent to Dragonfly’s Havex malware, the group was able to penetrate the ICS network of several organizations, gain access to HMI devices, and exfiltrate screenshots,” the researchers noted.

Chrysene – Mostly focused on targets in the oil and gas and electric generation industries in Western Europe, North America, Iraq, and Israel. So far, their activity focused on IT penetration and espionage.

Magnallium – The group’s activity is focused on Saudi Arabia, specifically government-run or -owned enterprises in petrochemicals and the aerospace industry. They haven’t yet shown ICS-specific capability, so the researchers are not very worried about this particular group.

“2017 witnessed a dramatic expansion in ICS security activity and awareness,” the researchers pointed out. “Considering that defenders knew of only three ICS-focused malware samples before 2017 – Stuxnet (pre-2010), Blackenergy2 (2012), and Havex (2013), the emergence and discovery of two more this year indicates that adversaries are focusing more effort and resources on ICS targeting, and those capabilities are expanding.”

Advice for vendors and operators

With that in mind, they emphasize the importance of timely threat intelligence and useful vulnerability reports in helping these organizations keep their systems and networks secure.

But they are not wild about the current vulnerability advisories published by ICS-CERT and vendors.

“‘Deploy firewalls and use only trusted networks’ is not a meaningful suggestion, yet is the only alternative guidance provided by most advisories aside from ‘patch,'” they pointed out in a concurrently published report.

“Vulnerability advisories must provide reasonable effective alternative options. Offer several alternatives which may not be applicable to all users but help some. This advice should include specific ports and services to restrict or monitor to reduce risk and impact from an attack, or specific system hardening recommendations to better defend systems from local exploitation.”

While it’s possible that vendors might choose to err on the side of safety and keep more specific information only for customers’ eyes, Reid Wightman, a senior vulnerability researcher at Dragos, tells me that they have not seen evidence of vendors delivering such information privately.

He also pointed out that OT security folks should not concentrate only on vulnerability advisories related to hardware and field devices, but also peruse those related to hardware and software used to protect the network perimeter and entry points to ICS networks.

“In some locations, OT security teams focus on feeds from ICS-CERT and do not pay much attention to other public advisories. Highlighting these advisories as part of an OT security program would be helpful to the industry,” he noted.

Another thing that they would like to see included in these advisories is a more specific assessment of vulnerabilities’ impact on industrial control processes.

“An example of this is indicating the operational impact of compromise of a system,” he says.

“For example, if the vulnerable system results in the loss of view or loss of control to operators, and whether a loss of control is ‘soft’ (the autonomous process device continues operating, just communication and the ability to perform remote manual operations is lost) or ‘hard’ (the autonomous process device is no longer performing its function. E.g., a protective relay for the electric grid is no longer making decisions to open a circuit breaker when an overload is detected).”

Finally, the researchers advise operators to set up a test control systems network that contains samples of the actual plant’s critical systems, so that they can test patches before they actually apply them and thus minimize the risk of an outage of any critical plant systems.