Slashdot Mirror


Mysterious Safety-Tampering Malware Infects Second Critical Infrastructure Site (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Sixteen months ago, researchers reported an unsettling escalation in hacks targeting power plants, gas refineries, and other types of critical infrastructure. Attackers who may have been working on behalf of a nation caused an operational outage at a critical-infrastructure site after deliberately targeting a system that prevented health- and life-threatening accidents. What was unprecedented in this attack -- and of considerable concern to some researchers and critical infrastructure operators -- was the use of an advanced piece of malware that targeted the unidentified site's safety processes. The malware was named Triton and Trisis, because it targeted the Triconex product line made by Schneider Electric. Its development was ultimately linked to a Russian government-backed research institute.

Now, researchers at FireEye -- the same security firm that discovered Triton and its ties to Russia -- say they have uncovered an additional intrusion that used the same malicious software framework against a different critical infrastructure site. As was the case in the first intrusion, the attackers focused most of their resources on the facility's OT, or operational technology, which are systems for monitoring and managing physical processes and devices. The discovery has unearthed a new set of never-before-seen custom tools that shows the attackers have been operational since as early as 2014. The existence of these tools, and the attackers' demonstrated interest in operational security, lead FireEye researchers to believe there may be other sites beyond the two already known where the Triton attackers were or still are present.
"After establishing an initial foothold on the corporate network, the Triton actor focused most of their effort on gaining access to the OT network," FireEye researchers wrote in a report published Wednesday. "They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment."
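The FireEye quote above says the intrusion was dominated by reconnaissance and lateral movement from the corporate network into OT, not by data theft. The following is an added example, not code from the Ars Technica report or from FireEye: a small flow-record checker that a defender could run over network flow exports to surface exactly that pattern, corporate-to-OT crossings that are not on an allowlist and one source fanning out to many OT hosts and ports. The zone ranges, the allowlisted jump host, the threshold and the sample flow lines are all constructed assumptions.

```python
"""Added example: flag corporate-to-OT crossings and scan-like fan-out in flow records."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zone layout (not from the report): a corporate LAN and an OT network.
CORP = ip_network("10.1.0.0/16")
OT = ip_network("10.20.0.0/16")
# Assumed allowlist: only the engineering jump host may cross into OT, and only to TCP/22.
ALLOWED_CROSSINGS = {("10.1.5.10", 22)}
# Assumed threshold: this many distinct OT (host, port) pairs from one source looks like reconnaissance.
FANOUT_THRESHOLD = 8


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flow(line):
    """Parse one constructed 'src dst dport' record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ip_address(parts[0])
        ip_address(parts[1])
        return Flow(parts[0], parts[1], int(parts[2]))
    except ValueError:
        return None


def analyse(lines):
    """Return unexpected corporate->OT flows and sources whose OT fan-out exceeds the threshold."""
    crossings = []
    targets = defaultdict(set)  # source -> set of (OT host, port) it touched
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # malformed export line: skip rather than crash the sweep
        if ip_address(flow.src) in CORP and ip_address(flow.dst) in OT:
            targets[flow.src].add((flow.dst, flow.dport))
            if (flow.src, flow.dport) not in ALLOWED_CROSSINGS:
                crossings.append(flow)
    scanners = sorted(src for src, seen in targets.items() if len(seen) >= FANOUT_THRESHOLD)
    return {"unexpected_crossings": crossings, "scanners": scanners}


# Constructed sample: one allowed jump-host session, one workstation sweeping ten OT hosts
# on common ICS ports, one corporate-internal flow, and one malformed line.
SAMPLE_FLOWS = [
    "10.1.5.10 10.20.0.3 22",
    "10.1.7.44 10.20.0.1 502",
    "10.1.7.44 10.20.0.2 502",
    "10.1.7.44 10.20.0.3 102",
    "10.1.7.44 10.20.0.4 44818",
    "10.1.7.44 10.20.0.5 502",
    "10.1.7.44 10.20.0.6 1502",
    "10.1.7.44 10.20.0.7 502",
    "10.1.7.44 10.20.0.8 102",
    "10.1.7.44 10.20.0.9 502",
    "10.1.7.44 10.20.0.10 502",
    "10.1.7.44 10.1.9.2 445",
    "garbage line",
]

if __name__ == "__main__":
    result = analyse(SAMPLE_FLOWS)
    for flow in result["unexpected_crossings"]:
        print(f"unexpected crossing: {flow.src} -> {flow.dst}:{flow.dport}")
    print("fan-out sources:", result["scanners"])
```

The allowlist is keyed on source and destination port only, which is deliberately coarse; a production rule set would also pin the permitted OT destinations and the expected times of use, and would feed the findings into the same alerting the security team already watches.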

50 comments

  1. Why are these sites connected to the Internet? by Attila+Dimedici · · Score: 4, Insightful

    I know it is inconvenient, but these sites should not be connected to the Internet.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
    1. Re:Why are these sites connected to the Internet? by Anonymous Coward · · Score: 0

      Nor should they run "operating software" well-known for being hopelessly insecure and insecurable.

      And yet they continue to do both.

    2. Re:Why are these sites connected to the Internet? by grep+-v+'.*'+* · · Score: 3, Insightful

      I know it is inconvenient, but these sites should not be connected to the Internet

      CEO: What are you talking about?? They're not -- we moved them all to the cloud!

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    3. Re:Why are these sites connected to the Internet? by Anonymous Coward · · Score: 0

      You may not be able to fully resolve the security issues, but certainly you can isolate the systems via dedicated networks and reduce the risk greatly. As long as you have dedicated devices that restrict input and authenticate/encrypt traffic, attached for the explicit purpose of managing other devices on that network, you will have reduced the risks greatly. Think of it like this. An insecure device (say a printer) is connected to a router with an embedded operating system that can encrypt the traffic and be easily updated for security reasons; that router is connected over a physical network (via phone lines) to a central location that then decrypts the traffic. The user who needs to communicate with that device can then do so using another dedicated computer which is not tied to the internet and has no other input than a keyboard and mouse. In order to compromise the system you need physical access to the area with the printer and/or the central location. As neither has internet access nor other input, the system should be relatively safe from attack. You can remotely monitor the site if there is not 24/7 on-site security available. If the site is or may become physically compromised (say monitoring equipment fails) you can then send someone out to replace the equipment, and the keys of the connected devices can be revoked upon loss of said monitoring capability, minimizing any possible damage or compromise to other sites.

    4. Re:Why are these sites connected to the Internet? by Anonymous Coward · · Score: 0

      Been writing documents all day it sounds like...

    5. Re:Why are these sites connected to the Internet? by tlhIngan · · Score: 4, Insightful

      I know it is inconvenient, but these sites should not be connected to the Internet.

      Except airgaps have vulnerabilities, or has Stuxnet not taught you anything?

      Even isolated networks need updating - and that's where a breach of containment can take place. If your goal is to destroy protections or equipment versus exfiltrate information, that's all you need - just hop from the laptop that was internet connected to the USB drive being used to update the production network and there you go.

      And because airgapped networks are a PITA to update, the software running on them is almost hilariously out of date, so finding a vulnerability so you can hop onto the network on USB insertion is laughably easy.

      Unless you're a super large organization with dedicated staff who do nothing but maintain the airgapped network (like say, the military) airgapping is not a panacea.

      And finally, like all factories, executives will also want some sort of feedback - production numbers and stuff. So there will need to be some sort of facility where production updates can happen in near real-time. Or perhaps some technician overseeing several facilities would like to know if some piece of equipment is failing more often than normal, or if something is approaching its end of life and needs replacement, or even better, if some common failure mode is starting to present itself. All of which are complicated if said tech has to visit every facility in question.

    6. Re: Why are these sites connected to the Internet? by Anonymous Coward · · Score: 0

      Who said they were?

    7. Re:Why are these sites connected to the Internet? by Anonymous Coward · · Score: 0

      > I know it is inconvenient, but these sites should not be connected to the Internet.

      Duh .. are you some kind of security expert .. duh :]

    8. Re:Why are these sites connected to the Internet? by Anonymous Coward · · Score: 0

      Russia hacks is the new Red Scare being used to justify tax payer dollars given to large corporations.

    9. Re: Why are these sites connected to the Internet? by Anonymous Coward · · Score: 0

      Maybe we should go back to Pilz relays instead of programmable safety. Seriously, you can't hack dual channel hardware nearly as easily.

    10. Re:Why are these sites connected to the Internet? by Anonymous Coward · · Score: 0

      Assassinate Vladimir Putin!

    11. Re:Why are these sites connected to the Internet? by thegarbz · · Score: 4, Interesting

      I know it is inconvenient, but these sites should not be connected to the Internet.

      No it's not inconvenient. It's not actually possible to operate them efficiently anymore. Heck, it may not be possible to legally operate them without an external connection to push off data in real time.

      Another poster has already told you an airgap is not a panacea. I would argue worse than that, an airgap is effectively bad for security as it leads to incredible overconfidence. Give me a well designed network monitored by a security team over "airgap is our security why try harder" any day, which is ultimately what any airgapped network will reduce to.

    12. Re:Why are these sites connected to the Internet? by Anonymous Coward · · Score: 0

      There are so many things wrong with this...

      What about personnel interested in the contents of a "lost" USB key from the parking lot?

      How are you going to do remote monitoring of your infrastructure, if you don't want to connect your infrastructure to a network?
      Yes, you can look at it through a webcam, but it doesn't give you any insight in what is going on with the infrastructure itself.

      Encryption does not give you any additional "security", it gives privacy (protects confidentiality).
      Most encryption algorithms (but not all) also protect the integrity of the data. Yes, some ciphers allow an attacker to change the contents of an encrypted message without them being able to decrypt it.

      BTW: Data leaks and hacks have been done through side channels, such as: sound, light, temperature changes, etc...

    13. Re:Why are these sites connected to the Internet? by Anonymous Coward · · Score: 0

      Agreed. And damnit man, if there are sweeping vulnerabilities in critical infrastructure, MAYBE consider not letting word get out so that it's broadcast to the world for immediate research on how to hack it.

    14. Re:Why are these sites connected to the Internet? by Anonymous Coward · · Score: 0

      "and that allowed us to cut our IT staff such that we only need phone support. Saved a fortune!" - CEO continued.

    15. Re:Why are these sites connected to the Internet? by omfglearntoplay · · Score: 1

      I'm not convinced with the whole anti-airgap argument. In the past news they were compromised because someone brought a USB from the parking lot to that network.

      What airgapped networks need is a strict as hell policy that only allows fresh from a package USB drives to move data between networks. Or write only DVDs. Or something equally simple, but strict as hell, like that. If you can't enforce those rules easily, then you have 2 people who are the only ones with access/passwords, and they follow those rules, with one or two managers as backup.

      Somebody said something about legally supplying data to the public in real time. If this is true, the laws need to change if network security is critical in that business.

    16. Re:Why are these sites connected to the Internet? by pegdhcp · · Score: 1

      Any airgap that does not include airtight doors, x-ray machines and armed guards is a potential IQ test of staff that determines who has the lowest score amongst them. Even with additional security factors you just hope that the MTBF becomes longer than the expected facility life.
      I had a governmental customer who after refusing to buy our lower cost dedicated and isolated VSAT network for their SCADA, paid for our more expensive Internet over VSAT package for "staff happiness". I am sure their staff was extremely happy with all the porn they can hope to download over a satellite link, in the middle of mountains. Idiocy always wins.

    17. Re:Why are these sites connected to the Internet? by Attila+Dimedici · · Score: 1

      Sure, airgaps have vulnerabilities...but systems connected to the Internet have all the vulnerabilities of a system with an airgap, plus those which come from being on the Internet. Your answer to why they are connected to the Internet is that it makes things more convenient.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    18. Re:Why are these sites connected to the Internet? by Attila+Dimedici · · Score: 1

      Of course an airgap is not a panacea. There is more to security than an airgap, but what makes you think that a company that won't maintain security on a system with an airgap will maintain security on one without it?

      Do you really think that a company that cannot maintain the simpler level of security necessary for a system with an airgap is going to be up to the immensely more complicated security needed for a system connected to the Internet?

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    19. Re: Why are these sites connected to the Internet? by Anonymous Coward · · Score: 0

      Also assuming the dedicated phone line will never be compromised.

    20. Re:Why are these sites connected to the Internet? by shess · · Score: 1

      I know it is inconvenient, but these sites should not be connected to the Internet.

      Hell, they shouldn't even be running off-the-shelf software in the first place.

      I remember the first time I saw an airplane's video system rebooting. Seeing all of the text messages and various clunky graphical transitions was ... painful. I mean, yes, it is a challenge to get that kind of thing right, but when you're flying on a $50M airplane which is part of a fleet of hundreds of the same, I honestly don't think it's a big deal to pay someone an extra $25k to put in a few nights or weekends to sanitize the boot process. To me, this indicates that they were either too cheap or too incompetent to manage it - and they probably have the same people working on various other aspects of their systems. Even if you assume they have "real" software engineers working on the flight controls (IMHO a dubious assumption), you still have to assume the group which accepted the various crappy experiences on the entertainment systems was also the group programming the credit-card handling and onboard wifi.

      So, when I see a medical system or subway system or other critical infrastructure showing an ancient Windows boot error, I have to aggressively ignore it to maintain my sanity.

  2. Crazy Conspiracy Theories by Anonymous Coward · · Score: 0

    There's no proof Russia had anything to do with it. Just wild speculation from leftist conspiracy theorists.

    Slashdot needs some scientific facts like from AE911Truth Org

    1. Re:Crazy Conspiracy Theories by Anonymous Coward · · Score: 0

      Go troll somewhere else. You have no power here.

  3. Bland language by Anonymous Coward · · Score: 0

    Is it me, or is this language extremely bland, featuring huge bubbles full of... nothing? As from a sci-fi text written by someone who has no clue of sci or tech?

    1. Re: Bland language by Anonymous Coward · · Score: 0

      It's you. Wait no, it's not you. Well, maybe it's you. No, it's not.

    2. Re:Bland language by Mister+Transistor · · Score: 2

      Not everything has to be reported with breathless end-of-the-world doom and gloom just to be the best click-bait.

      Once in a while it's nice to give the hyperbole and bullshit a rest. However, this is a serious issue that needs to be addressed quickly. Isolation from the internet is probably the best solution, but even that is not idiot-proof (think USB drives in parking lot) and it's massively inconvenient, but until we can develop remote access systems that are truly bulletproof, then we shouldn't be risking our critical infrastructure.

      --
      -- You are in a maze of little, twisty passages, all different... --
  4. Site-to-Site Wide Area Network by Anonymous Coward · · Score: 0

    The solution to the problem is likely physical network connections between remote sites that include authentication, monitoring, and encryption (in case the physical line is compromised) and dedicated devices that do not have support for outside input other than keyboard and mouse. There is likely no real need to open up critical infrastructure to the internet or other networks that may be connected to the internet. By utilizing dedicated devices you close down access via remote vulnerabilities. Now your opponent needs some sort of physical access at specific points to tap into your network, and that can be more easily monitored. If an employee needs access at home, for instance to 'critical' and remote infrastructure, he'll have it. I can imagine the need for this at destinations where there may not be 24/7 on-site staff and dedicated security (like infrastructure in a more rural area).

  5. Why are these sites connected to centrifuges? by Anonymous Coward · · Score: 0

    Like those Iranians and their centrifuges. Really it looks like between election tampering and cyberattacks Russia is aiming to start world war three.

  6. You didn't expect that nobody would turn the table by Anonymous Coward · · Score: 0

    First Strike: Stuxnet

    (captcha: shutdown)

  7. Time to have two operational technology systems by davidwr · · Score: 4, Interesting

    One, that is modern and feature-rich, and a second one that is very simple, maybe even analog, well-understood, reliable systems which will provide protection when the main system isn't working.

    I'll use brakes in trains as a comparison:

    You can have a modern system where automated train controls can cause the train to speed up or slow down, but you still have 19th century air brakes connected to some very simple but very reliable sensors. These sensors would detect "critical" things like the train moving too fast around a curve or moving too fast downhill, among other things. If the air-brake line is damaged and loses pressure, the train stops. If any of the simple sensors detect a problem, the trains stops. To get the train going again, a human being has to go to the train and fix the problem with the air brake system or manually reset the sensors.

    Apply this design philosophy to any system where you absolutely positively do not want certain bad things to happen without corrective action being taken and/or an alarm sounding, and you'll have at least some minimum level of safety even when your modern technology fails or is compromised.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Time to have two operational technology systems by dargaud · · Score: 4, Informative

      Well, I work with critical systems and we kind of do it like this: all the real-time and critical (security-wise) stuff is done in VHDL, then it communicates with embedded systems whose software is updatable. Then those in turn communicate with data-centralization and control/command PCs. If the top or top-2 layers go down, the hardware keeps running and goes into security modes, meaning nothing blows up and things just keep going or stop (depending on the VHDL, which is NOT updatable by software).

      --
      Non-Linux Penguins ?
    2. Re:Time to have two operational technology systems by thegarbz · · Score: 1

      This layered approach exists. The bottom level is inherently safer design. The next level up is pressure relief. Only after those two do you get to instrumented safety systems.

      The problem you have focusing on offline mechanical safety features is that, unlike your train example, in the process industry they are incredibly unreliable and have no diagnostics, meaning you can't identify problems with them until they actually fail.

      As a basic example take a check valve (mechanical valve with a spring loaded return that only allows flow in one direction). A typical analysis will assume a 50% failure rate in dirty service and 10% in clean service.
      Now take an instrumented backflow protection system that has an air actuated spring return valve along with differential pressure monitoring across it. Depending on your engineering design you could take 1 or 2 orders of magnitude higher credit for this over a simple mechanical system.

      Complexity does not mean something is less reliable.
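The post above argues from probability of failure on demand (PFD): a check valve credited at 50% failure in dirty service and 10% in clean service, versus an instrumented backflow system credited one to two orders of magnitude higher. The block below is an added example, not code from the thread, that carries that layer-of-protection arithmetic through: the residual frequency of the hazardous outcome is the initiating frequency multiplied by the PFD of each independent layer. The check-valve figures are the ones quoted in the post; the instrumented-system PFD, the relief-device PFD and the one-demand-per-year initiating rate are assumptions labelled in the code.

```python
"""Added example (not from the thread): layer-of-protection arithmetic behind the post's reliability claim."""
from math import prod


def risk_reduction_factor(pfd):
    """RRF = 1/PFD; a layer with PFD 0.01 stops 99 demands out of 100."""
    if not 0.0 < pfd <= 1.0:
        raise ValueError("PFD must be in (0, 1]")
    return 1.0 / pfd


def mitigated_frequency(initiating_per_year, layer_pfds):
    """Frequency of the hazardous outcome once the listed layers are applied.

    The product is only valid when the layers are independent; a shared sensor,
    power feed or compromised controller is a common cause that this ignores,
    which is the same reason a safety layer must not trust the control layer.
    """
    if initiating_per_year < 0:
        raise ValueError("initiating frequency must be non-negative")
    for pfd in layer_pfds:
        risk_reduction_factor(pfd)  # reuse the range check
    return initiating_per_year * prod(layer_pfds)


# PFD figures quoted in the post: check valve 0.5 in dirty service, 0.1 in clean service.
CHECK_VALVE_PFD = {"dirty": 0.5, "clean": 0.1}
# Assumed figure (ours, not the post's): instrumented backflow protection with
# differential-pressure diagnostics, two orders of magnitude better than the dirty-service valve.
INSTRUMENTED_PFD = 0.005
# Assumed figure for the pressure-relief layer the post lists ahead of instrumented systems.
RELIEF_PFD = 0.1


def compare_backflow_designs(initiating_per_year=1.0):
    """Residual backflow frequency per design, assuming one demand per year by default."""
    out = {}
    for service, pfd in CHECK_VALVE_PFD.items():
        out[f"check_valve_{service}"] = mitigated_frequency(initiating_per_year, [pfd])
    out["instrumented"] = mitigated_frequency(initiating_per_year, [INSTRUMENTED_PFD])
    # Stacking the layers in the order the post gives them: relief first, then the instrumented system.
    out["relief_plus_instrumented"] = mitigated_frequency(
        initiating_per_year, [RELIEF_PFD, INSTRUMENTED_PFD]
    )
    return out


if __name__ == "__main__":
    for design, freq in compare_backflow_designs().items():
        print(f"{design:26s} {freq:.4g} events/year")
```

The useful part of the exercise is the independence caveat in `mitigated_frequency`: stacking a relief device and an instrumented system only earns the multiplied credit if nothing the attacker can reach (a shared controller, a shared network, a shared power supply) sits under both layers.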

    3. Re:Time to have two operational technology systems by Anonymous Coward · · Score: 0

      The issue is that when designing security systems, you have to make a decision on how to handle failures: Fail safe, or fail secure?

      It would be secure to keep all doors locked when a fire alarm goes off, but humans will die if there is a real fire.
      It would be safe to unlock essential emergency doors when a fire alarm goes off, but intruders might get in if they tripped the alarm themselves.

      In digital security, human life is to be protected first, then business interests.
      So yes, you can make it secure, but only after making it safe.

  8. Welp by Anonymous Coward · · Score: 0

    We are already 16 comments in and it is clear slashdot readers are uninformed and don't even keep up with the issues.

  9. Reichstag fire by PPH · · Score: 1

    False flag or not, your gas prices are going up.

    --
    Have gnu, will travel.
  10. Mysterious safety-tampering malware by Anonymous Coward · · Score: 0

    Is it MS Windows? The JS code of Google and Facebook?

  11. Hacks targeting critical infrastructure by Anonymous Coward · · Score: 0

    "Sixteen months ago, researchers reported an unsettling escalation in hacks targeting power plants, gas refineries, and other types of critical infrastructure."

    Then what the heck is this critical infrastructure even doing connected to the public Internet?

  12. I know this is a stupid question but by nehumanuscrede · · Score: 2

    It's 2019, why the F*CK are ANY systems designated as critical infrastructure still connected to the GD internet.
    Lease a private line FFS and air-gap the head end systems.

    Yes, it's expensive.
    Yes, it's not very convenient.
    Yes, it's NECESSARY.

    GDMIT.

    Until we start throwing CEOs in prison for significant amounts of time when their incompetence results in epic level WTF, this sh*t will never get fixed.

    1. Re:I know this is a stupid question but by Anonymous Coward · · Score: 0

      Because it really isn't about securing the system at all. It's about maintaining the ability to snoop without unauthorized use by someone other than the government. And that task, I might add, is impossible to achieve, but the ends justify the means as we say...

    2. Re:I know this is a stupid question but by Anonymous Coward · · Score: 0

      Is it critical infrastructure?

      Imagine an electricity power plant is considered critical infrastructure.

      If you, or your business, think electricity is vital, you have probably taken precautions, such as a UPS, or generator, etc...
      This implies the power plant itself would not be "critical" anymore for you. (At least for a certain duration.)

      If you have not taken any precautions, you can not state it is critical for you.
      If you insist the power plant should make itself intrusion proof, you will increase the electricity price for everybody. This would mean the power plant will start losing customers as above a certain price threshold their customers will start generating their own electricity.

      It is a business decision to make the power plant run, while still being economically viable.
      That's why they are run the way they are.

  13. Another Windows Omission by Anonymous Coward · · Score: 1

    It seems that every malware article goes out of the way to avoid using the word WINDOWS. In practically every reported instance of remote infection, the initial vector is WINDOWS.

    Regarding Triton:

    Security firm Symantec said that Triton has been active since August and works by infecting a Windows computer attached to the safety system. It said: "While there have been a small number of previous cases of malware designed to attack industrial control systems (ICS), Triton is the first to attack safety instrumented system devices."

    https://www.theguardian.com/technology/2017/dec/15/triton-hackers-malware-attack-safety-systems-energy-plant

    1. Re:Another Windows Omission by Anonymous Coward · · Score: 0

      That is pretty interesting, considering every article talking about a Linux or MacOS vulnerability is so quick to point fingers at the operating system in the headline. Good observation.

  14. Here we go by Dunbal · · Score: 4, Insightful

    It's Russia again. Just when Russia was finally out of the headlines. Color me shocked. Call me when you have more proof than all the last times it was supposed to be Russia.

    --
    Seven puppies were harmed during the making of this post.
    1. Re: Here we go by DNS-and-BIND · · Score: 1

      Don't forget, we know for a fact that CIA/NSA can forge signatures to make it look like the Russians or Chinese did it. Wikileaks confirms.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:Here we go by edis · · Score: 1

      Sure, it is much more likely that Tsar-KGB is finally taking a nap.

      --
      Servant of karma
    3. Re:Here we go by Anonymous Coward · · Score: 0

      Found the Alt-Reich apologist!

  15. Just buy our snake oil ... by Anonymous Coward · · Score: 0

    software to monitor for east-west traffic pivot movements and you will be saved.

    Nothing more than a product advertisement wrapped in scary BS ...

  16. Re: Time to have two operational technology system by Anonymous Coward · · Score: 0

    Hardware safety relays are a thing. Less flexible and maybe less reliable, but they're there.

  17. Re: by korio499 · · Score: 1

    It's very strange for me to hear such things in the news. Didn't the loud hacker attacks of recent years teach you anything? Even the simplest avira review can help protect the system for the average user. Why do they forget about elementary network security on such a scale?