Slashdot Mirror


Industrial Control System Firms In Dragonfly Attack Identified

chicksdaddy (814965) writes: Two of the three industrial control system (ICS) software companies that were victims of the so-called "Dragonfly" malware have been identified. ... Dale Peterson of the firm Digitalbond identified the vendors as MB Connect Line, a German maker of industrial routers and remote access appliances, and eWon, a Belgian firm that makes virtual private network (VPN) software that is used to access industrial control devices like programmable logic controllers. Peterson has also identified the third vendor, identified by F-Secure as a Swiss company, but told The Security Ledger that he cannot share the name of that firm.

The three firms, which serve customers in industry, including owners of critical infrastructure, were the subject of a warning from the Department of Homeland Security. DHS's ICS-CERT said it was alerted to compromises of the vendors' web sites by researchers at the security firms Symantec and F-Secure. DHS said it is analyzing malware associated with the attacks. The malicious software, dubbed "Havex", was being spread by way of so-called "watering hole" attacks that involved compromises of vendors' web sites. According to Symantec, the malware targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. Most of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

5 of 24 comments

  1. Re:Decentralize the power grid by Nkwe · Score: 2

    Doing so is really hard if you need to move power between grids - which you probably do.

  2. Why can't the Swiss company be named? by rduke15 · Score: 2

    So the Belgian and German companies can be named, but not the Swiss one? That seems strange.

    1. Re:Why can't the Swiss company be named? by peterson2484 · Score: 5, Informative

      We found the Belgian and German companies independently. The name of the Swiss company was shared in confidence, primarily to confirm our contention it was another small company with actually less of an impact than eWON or MB Connect. We are in the process of getting the name from additional sources without restrictions and will publish it when we can. It should be out as should the ICS and energy sites that were redirecting. Of course, it still is a mystery why US-CERT/ICS-CERT and the European CERTs don't mention any of the company names. The names would certainly be helpful if they wanted to alert asset owners that they may be compromised. eWON, to their credit, posted an updated notice on their home page of the website breach. MB Connect and the Swiss vendor sites are still silent on the issue. Dale Peterson @digitalbond

  3. Water Treatment Plant by tquasar · Score: 2

    My employer had SCADA sent via a telephone line to some engineer at another location. Walt had no idea how the plant operated or what the info he could see meant, and could have started or stopped some equipment remotely. One of the telemetry techs allowed a contractor to shut down a 9 million gallon/day lake pump, not a good thing. There wasn't even a password.

  4. Re:Against man's stupidity... by EETech1 · Score: 2

    I use the eWon and MBConnect devices all the time; one or the other goes into every machine we build. They are VPN gateways with secure login so we can remotely work on a machine instead of having to immediately travel to it to check the slightest thing.

    None of our customers leave the internet side of the device plugged in. Unless we are on the phone with them, and they are by the machine, it is unplugged. As an additional level of security, the device has a keyswitch connected to it that must be turned on to allow it to connect to the internet, just in case it gets plugged in.

    Most devices are managed through the respective manufacturers' applications via the cloud, so we just have to download their application and log in, and it handles getting the keys and establishing the secure VPN tunnel. It is possible to manage your own infrastructure, but I don't know of anyone who is large enough, or chooses to do it.

    I put the eWon app on my brand new work PC, now I have to check if I got pwned the first day I got my new Lappy :( The remote access apps are one of the few things that do not get installed on the VM. Connecting to the VPN through the VM can really be a pain!

    The MBConnect devices are really cool, they can even verify the entire system, and reload anything that does not match what is stored inside itself. Besides providing a huge obstacle for anyone wanting to Stuxnet the system, they allow a customer to replace a PLC with a spare, reboot, and have everything come back to normal, and they allow for easier updating of a whole system by passing the program to the MBConnect device, and having it apply the update locally.

    Nothing more scary than flashing a PLC remotely, and rebooting it. If it doesn't come back online, you might have to take your Lappy, and leave on an immediate road trip!
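The verify-and-reload behaviour the commenter attributes to the MBConnect devices, as an added illustration (not MB Connect's code): a golden-copy manifest check that reports drifted, missing and unexpected files in a live program store and restores the golden copies, run here over a constructed sample of PLC program and HMI configuration files.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(golden: Path) -> dict:
    """Record the expected SHA-256 of every file in the golden (trusted) store."""
    return {str(p.relative_to(golden)): sha256_file(p)
            for p in sorted(golden.rglob("*")) if p.is_file()}


def verify_and_reload(golden: Path, live: Path, manifest: dict, reload: bool = True) -> dict:
    """Compare the live store to the manifest and restore any file that drifted or vanished.
    Files present on the live side but absent from the manifest are reported, never deleted."""
    report = {"ok": [], "drifted": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        target = live / rel
        if not target.exists():
            report["missing"].append(rel)
        elif sha256_file(target) != expected:
            report["drifted"].append(rel)
        else:
            report["ok"].append(rel)
            continue
        if reload:  # restore the trusted copy over the drifted/missing file
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(golden / rel, target)
    for p in live.rglob("*"):
        if p.is_file() and str(p.relative_to(live)) not in manifest:
            report["unexpected"].append(str(p.relative_to(live)))
    return report


def demo() -> dict:
    """Constructed sample: golden store with two files; live copy has one tampered, one missing."""
    root = Path(tempfile.mkdtemp())
    golden, live = root / "golden", root / "live"
    golden.mkdir(); live.mkdir()
    (golden / "main.awl").write_text("L 1\nT MW0\n")      # hypothetical PLC logic block
    (golden / "hmi.cfg").write_text("screen=1\n")         # hypothetical HMI config
    (live / "main.awl").write_text("L 1\nT MW2\n")        # tampered logic on the live side
    manifest = build_manifest(golden)
    first = verify_and_reload(golden, live, manifest)   # detects and restores
    second = verify_and_reload(golden, live, manifest)  # clean after reload
    return {"first": first, "second": second}
```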