Slashdot Mirror

← Back to Stories (view on slashdot.org)

Industrial Control System Firms In Dragonfly Attack Identified

Posted by Unknown on from the they're-in-the-grid dept.

chicksdaddy (814965) writes Two of the three industrial control system (ICS) software companies that were victims of the so-called "Dragonfly" malware have been identified. ... Dale Peterson of the firm Digitalbond identified the vendors as MB Connect Line, a German maker of industrial routers and remote access appliances and eWon, a Belgian firm that makes virtual private network (VPN) software that is used to access industrial control devices like programmable logic controllers. Peterson has also identified the third vendor, identified by F-Secure as a Swiss company, but told The Security Ledger that he cannot share the name of that firm.

The three firms, which serve customers in industry, including owners of critical infrastructure, were the subject of a warning from the Department of Homeland Security. DHS's ICS CERT said it was alerted to compromises of the vendors' by researchers at the security firms Symantec and F-Secure. DHS said it is analyzing malware associated with the attacks. The malicious software, dubbed "Havex" was being spread by way of so-called "watering hole" attacks that involved compromises of vendors web sites. According to Symantec, the malware targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. Most of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

11 of 24 comments (clear)

  1. Watering Hole Attacks by Guano_Jim · · Score: 1

    I hadda look this one up.

    --
    3D Printing Tips and Tricks at Zheng3.com
  2. Re:Decentralize the power grid by Nkwe · · Score: 2

    Doing so is really hard if you need to move power between grids - which you probably do.

  3. OLE for Process Control (OPC) by Anonymous Coward · · Score: 1

    Good luck with securing that as a protocol. Might as well tape a 'kick me' sign on your back. When you are controling things that can kill people why is ease of use/development even a consideration?

  4. Why can't the Swiss company be named? by rduke15 · · Score: 2

    So the Belgian and German companies can be named, but not the Swiss one? That seems strange.

    1. Re:Why can't the Swiss company be named? by peterson2484 · · Score: 5, Informative

      We found the Belgian and German companies independently. The name of the Swiss company was shared in confidence, primarily to confirm our contention it was another small company with actually less of an impact than eWON or MB Connect. We are in the process of getting the name from additional sources without restrictions and will publish it when we can. It should be out as should the ICS and energy sites that were redirecting. Of course, it still is a mystery why US-CERT/ICS-CERT and the European CERTs don't mention any of the company names. The names would certainly be helpful if they wanted to alert asset owners that they may be compromised. eWON, to their credit, posted an updated notice on their home page of the website breach. MB Connect and the Swiss vendor sites are still silent on the issue. Dale Peterson @digitalbond

    2. Re:Why can't the Swiss company be named? by plover · · Score: 1

      I was watching a TV show about Alaska, where some small town had their generator go out and they needed to fly in an engineer. In those tiny villages, the kind where an engineering degree means you can get a job somewhere else that can afford to pay you, remote monitoring and diagnosis is the only option they have. They had one guy in the town who had the keys to the building, knew to keep the fuel tanks filled, and could do some minor mechanical repairs to the system, but that was pretty much the limit of his capabilities.

      Nobody in that town would be qualified enough to even understand those notices. Nobody there would likely know what software was being used, let alone visit the home pages of the company providing it. A town like that won't have the money to pay for monitoring services - they're going to be on a repair-only basis. And they're going to be the ideal consumers of a remote solution like the kind these firms are selling.

      While this town may be a worst case scenario, it exemplifies the kinds of bad luck circumstances that would lead someone right into this risk, and CERT notices probably won't ever help them much.

      --
      John
    3. Re:Why can't the Swiss company be named? by ThatsNotPudding · · Score: 1

      Of course, it still is a mystery why US-CERT/ICS-CERT and the European CERTs don't mention any of the company names. The names would certainly be helpful if they wanted to alert asset owners that they may be compromised.

      It's no mystery at all.

  5. Boy by Billly+Gates · · Score: 1

    It's a good thing none of these industrial controls require IE 6 with an unsupported OS with updates turned off requiring a live internet connection or anything stupid. For a minute that would imply mass incompetence

    --
    http://saveie6.com/
  6. Water Treatment Plant by tquasar · · Score: 2

    My employer had SCADA sent via a telephone line to some engineer at another location Walt had no idea how the plant operated or what the info he could see meant and could have started or stopped some equipment remotely. One of the telemetry techs allowed a contractor to shut down a 9 million gallon/day lake pump, not a good thing. There wasn't even a password.

  7. Against man's stupidity... by folderol · · Score: 1

    ... the gods themselves, contend in vain. The first time I heard of this, my instant thought was that it was utter stupidity to connect any industrial process to the Internet. Since then, every comment I've heard or seen from every source follows the same idea, so why is anyone still doing it?

    The cost argument really doesn't fly. Can you imagine the firestorm of compensation claims when (not if) the first major disaster takes place?

    1. Re:Against man's stupidity... by EETech1 · · Score: 2

      I use the eWon, and MBConnect devices all the time, one or the other goes in to every machine we build. They are VPN gateways with secure login so we can remotely work on a machine instead of having to immediately travel to it to check the slightest thing.

      None of our customers leave the internet side of the device plugged in. Unless we are on the phone with them, and they are by the machine, it is unplugged. As an additional level of security, the device has a keyswitch connected to it that must be turned on to allow it to connect to the internet, just in case it gets plugged in.

      Most devices are managed through the respective manufacturers applications via the cloud, so we just have to download their application, and log in, and it handles getting the keys, and establishing the secure VPN tunnel. It is possible to manage your own infrastructure, but I don't know of anyone who is large enough, or chooses to do it.

      I put the eWon app on my brand new work PC, now I have to check if I got pwned the first day got my new Lappy:( The remote access apps are one of the few things that does not get installed on the VM. Connecting to the VPN, through the VM can really be a pain!

      The MBConnect devices are really cool, they can even verify the entire system, and reload anything that does not match what is stored inside itself. Besides providing a huge obstacle for anyone wanting to Stuxnet the system, they allow a customer to replace a PLC with a spare, reboot, and have everything come back to normal, and they allow for easier updating of a whole system by passing the program to the MBConnect device, and having it apply the update locally.

      Nothing more scary than flashing a PLC remotely, and rebooting it. If it doesn't come back online, you might have to take your Lappy, and leave on an immediate road trip!