By Dragos, Inc

Dragos hosted a webinar for the general industrial control system (ICS) community revealing new ICS-targeting activity focused on US entities and highlighting steps asset owners and operators can take right now to defend against the increasing threat landscape.

Cyberattacks against industrial processes follow conflict escalation almost everywhere. Dragos identified an increase in malicious activity against ICS across the Middle East over the last year likely due to growing conflict in the region. In light of recent escalatory messages and actions between the US, Iran, and Russia, the threat to ICS entities in the US is increasing. This includes reports of offensive cyber operations targeting Russian critical infrastructure and military targets in Iran. Indeed, Dragos is investigating newly observed ongoing activity targeting the oil and gas vertical. Dragos is sharing indicators of compromise currently only with industries and specific entities affected to preserve the investigation. ICS asset owners and operators should be aware of heightened tensions and the potential increase in malicious activity including phishing attempts, strategic website compromise, and brute force password spraying attempts to gain initial access to ICS targets.

Dragos encourages asset owners and operators to review and practice response and recovery in the event of a cyberattack and practice active threat hunting to identify potential malicious activity already within a compromised network. Today, Dragos provided guidelines for hunting and responding to ICS threats with details provided by Dragos threat operations team and a recording of the webinar is available here:

 

The slides can be viewed here:

 

Webinar attendees asked the following questions. For additional questions or feedback, please email intel@dragos.com.

Q: Does the ICS community cross post TLP appropriate IOCs to other verticals, or sharing groups for comparison?

A: Dragos works with corporate partners to distribute IOCs to affected entities. We also work with information sharing organizations such as the Cyber Threat Alliance and E-ISAC to distribute timely, TLP-appropriate information for asset owners and operators.

Q: The slide summarizing the three threat groups depicted XENOTIME as the oldest of the three, going back to 2014. Is the tie to 2014 based on the testing of Cryptcat binaries or other XENOTIME activity independent to TRISIS?

A: It is tied to testing of Cryptcat binaries, along with XENOTIME testing other tools used in intrusions and submitting them to online scanning services that can identify malicious documents, malware, etc. Other public reporting also ties XENOTIME activity to that time period.

Q: What is the strategy with stand-alone cyber attacks when you are not engaged in a physical conflict? At this point, they seem to be only irritations. Disrupting a missile launch system when no launch is underway seems to be “wasting ammunition.”  It would seem that you would want to save the launch of a cyber attack as an aid to the effectiveness of a physical attack. To launch it now, and to announce it, would seem like telling a joke — you can’t tell that joke again because your audience now knows the punchline. Now you have to think of new jokes, and they are primed to expect them.  It would seem to be better to gain access, remain hidden, extract information while waiting, and then launch the cyber attack when it is least expected and in support of meaningful, strategic targets.

A: It’s worth noting we do not have insight into the decisions made by the US government. However, signaling to other countries via a cyber event using a weaker capability is a method of deterrence in a geopolitical/sociopolitical situation. More destructive cyber capabilities that are valuable in strategic war-fighting — such as those that could cause physical damage or potentially harm civilians or civilian infrastructure — would likely not be deployed as merely a demonstration of force.

Q: Does the Dragos team recommend any books or blogs that may be related to active threat hunting methods? Are there any military books that relate to the above?

A: Dragos has three whitepapers that may be of interest:

Hunting with Rigor: Quantifying the Breadth, Depth and Threat Intelligence Coverage of a Threat Hunt in Industrial Control System Environmentsby Principal Threat Analyst Dan Gunter

The Four Types of Threat Detection With Case-Studies in Industrial Control Systems (ICS)by CEO Robert M. Lee and VP of Threat Intelligence Sergio Caltagirone

Collection Management Frameworks – Beyond Asset Inventories for Preparing for and Responding to Cyber Threatsby CEO Robert M. Lee, VP of Threat Operations Ben Miller, and Principal Threat Analyst Mark Stacey

Adversary Hunter Casey Brooks recommends the paper “Russia’s Approach to Cyber Warfare“ by CNA, a nonprofit research and analysis organization, and the paper “Putin’s Hydra” by the European Council on Foreign Relations.

For people interested in a training class, Dragos offers an in-person training program Assessing, Hunting and Monitoring Industrial Control System Networks, which is an intensive 5-day, hands-on course that covers ICS basics and security best practices, assessing industrial environments, ICS threat hunting, and industrial network monitoring.

 

Contact Us for a Demo