The 2024 Malware Protection Guide
*(based on the NCSC report: Cyber Essentials: Requirements for IT infrastructure v3.1)
7 min read
Editor 09-May-2024 22:42:52
*(Information courtesy of the NCSC: https://www.ncsc.gov.uk/news/heightened-threat-of-state-aligned-groups
Fact sheet available here: https://www.cisa.gov/resources-tools/resources/defending-ot-operations-against-ongoing-pro-russia-hacktivist-activity)
The Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, NSA, EPA, DOE, USDA, FDA, MS-ISAC, CCCS, and the UK's National Cyber Security Centre (NCSC-UK)—collectively known as “the authoring organisations”—have issued a fact sheet to raise awareness and protect against ongoing malicious cyber activities. These are primarily conducted by pro-Russia hacktivists targeting operational technology (OT) devices across North America and Europe.
The hacktivists aim at small-scale OT systems in sectors such as Water and Wastewater Systems (WWS), Dams, Energy, and Food and Agriculture. They typically compromise internet-facing industrial control systems (ICS) and their software components, such as human machine interfaces (HMIs), by exploiting internet-exposed virtual network computing (VNC) remote access software and factory-default passwords.
Since first noticed in 2022 and as recently as April 2024, these malicious activities have persisted. To combat these threats, the authoring organisations are sharing this information and recommend immediate actions. If you’re operating within critical infrastructure sectors—including WWS, Dams, Energy, and Food and Agriculture—it's crucial to implement the mitigations listed in this fact sheet to defend against these cyber threats.
Actions To Take Immediately
Overview of Threat Actor Activity
Pro-Russia hacktivists targeting these sectors tend to use relatively unsophisticated methods that tamper with ICS equipment, mostly causing nuisance-level disruption. However, investigations have shown that these actors are also capable of actions that could pose a physical threat to insecure and poorly configured OT environments. They typically gain remote access through internet-exposed, outdated VNC software, and they log in using factory-default or weak passwords on HMIs that are not protected by multifactor authentication.
Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity
It's important to note that historically, these hacktivists have tended to overstate their capabilities and the impact of their attacks on targets. Since 2022, they've claimed on social media to have carried out cyber operations—including distributed denial of service attacks, data leaks, and data wiping—against a range of North American and international organizations. However, according to reports from those affected, the actual disruption caused by these activities has been relatively minor.
2024 Year-to-Date Activity
Since the start of 2024, the authoring organizations have observed pro-Russia hacktivists focusing on vulnerable industrial control systems across North America and Europe. In response, CISA and the FBI have been assisting several U.S.-based Water and Wastewater Systems (WWS) that were disrupted by unauthorized users remotely manipulating Human Machine Interfaces (HMIs). Specifically, the hacktivists used the HMIs to drive water pumps and blower equipment beyond their normal operating parameters. They raised set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock the operators out of their own systems.
Although some affected facilities reported minor tank overflow incidents, the majority managed to switch to manual controls quickly after these breaches and restored normal operations without significant delays.
Remote Access to HMIs
The authoring organizations have observed pro-Russia hacktivists using a range of techniques to gain remote access to Human Machine Interfaces (HMIs) and alter the operation of the underlying Operational Technology (OT). The techniques noted above recur here: exploiting VNC services exposed to the internet, logging in with factory-default or weak passwords, and taking advantage of HMIs that lack multifactor authentication.
It's important to highlight that several HMIs compromised in these attacks were outdated, unsupported legacy devices or foreign-manufactured devices that had been rebranded as U.S. products.
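The VNC weakness described above is the first thing to check on any HMI that is reachable from outside the plant network. The following script is an added example, not code from the fact sheet or the authoring organizations. It performs only the RFB version exchange and reads the list of security types the server offers (RFC 6143), then disconnects; a server that offers type 1, "None", hands the desktop to anyone who can reach the port, with no password at all. The sample handshake bytes, host and port are constructed for illustration, and treating a 3.8+ server as 3.8 is an assumption that holds for the versions in RFC 6143.

```python
"""Check which security types a VNC (RFB) server offers, without logging in."""
import socket
import struct
import sys

# Security types from RFC 6143 and the IANA RFB registry (subset).
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple Remote Desktop",
}


def parse_version(banner: bytes) -> tuple[int, int]:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB banner: {banner!r}")
    return int(banner[4:7]), int(banner[8:11])


def parse_security_types(payload: bytes, version: tuple[int, int]) -> list[int]:
    """Decode the server's security-type message that follows the version exchange."""
    if version < (3, 7):
        # RFB 3.3: the server dictates a single type as a big-endian U32.
        (sec_type,) = struct.unpack("!I", payload[:4])
        return [sec_type]
    count = payload[0]
    if count == 0:
        # Zero types means the server refused; a U32 length and a reason string follow.
        (reason_len,) = struct.unpack("!I", payload[1:5])
        reason = payload[5:5 + reason_len].decode("latin-1", errors="replace")
        raise ConnectionError(f"server refused connection: {reason}")
    return list(payload[1:1 + count])


def assess(sec_types: list[int]) -> list[str]:
    """Turn the offered security types into findings a defender cares about."""
    findings = []
    if 1 in sec_types:
        findings.append("NO AUTHENTICATION: type None offered; anyone reaching the port gets the desktop")
    if 2 in sec_types:
        findings.append("VNC Authentication offered: DES challenge on a password truncated to 8 chars")
    if not any(t in (18, 19) for t in sec_types):
        findings.append("no TLS/VeNCrypt type offered; session contents travel in clear text")
    return findings


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> list[int]:
    """Complete the version exchange, read the security types, and disconnect."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        version = parse_version(_recv_exact(sock, 12))
        # Echo the server's version; valid for the 3.3/3.7/3.8 versions in RFC 6143.
        sock.sendall(b"RFB %03d.%03d\n" % version)
        if version < (3, 7):
            return parse_security_types(_recv_exact(sock, 4), version)
        count = _recv_exact(sock, 1)
        if count[0] == 0:
            raw_len = _recv_exact(sock, 4)
            (reason_len,) = struct.unpack("!I", raw_len)
            return parse_security_types(count + raw_len + _recv_exact(sock, reason_len), version)
        return parse_security_types(count + _recv_exact(sock, count[0]), version)


def describe(sec_types: list[int]) -> list[str]:
    return [SECURITY_TYPES.get(t, f"unknown({t})") for t in sec_types]


if __name__ == "__main__":
    # Constructed sample: a 3.8 server offering None (1) and VNC Authentication (2).
    sample = parse_security_types(b"\x02\x01\x02", parse_version(b"RFB 003.008\n"))
    print("sample:", describe(sample), assess(sample))
    if len(sys.argv) > 1:  # usage: python vnc_check.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
        live = probe(sys.argv[1], port)
        print(sys.argv[1], describe(live), assess(live))
```

Run it against each HMI from outside the plant network; a result that lists "None", or that lists only "VNC Authentication" on a port reachable from the internet, is exactly the condition the fact sheet describes, and the remedy is the one it gives: remove the exposure rather than rely on the password.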
MITIGATIONS
To guard against the described cyber threats, the authoring organizations urge critical infrastructure organizations to adopt specific mitigations. These recommended actions are in line with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs offer a foundational set of practices and protections that CISA and NIST advise all organizations to implement. These guidelines are derived from established cybersecurity frameworks and guidance, aimed at shielding against the most prevalent and harmful cyber threats, tactics, techniques, and procedures. For further details on the CPGs, including additional recommended baseline protections, visit CISA’s Cross-Sector Cybersecurity Performance Goals website.
Network Defenders
Pro-Russia hacktivists have been exploiting basic weaknesses, chiefly weak passwords and unnecessary exposure of devices to the internet. To protect against these threats, the authoring organizations recommend that organizations take the following actions:
Harden HMI Remote Access
To strengthen the security of Human Machine Interfaces (HMIs), such as the touchscreens used to monitor or change the state of systems or programmable logic controllers (PLCs), the authoring organizations advise taking the following steps:
Note: An allowlist is not a complete security solution on its own but can make it more difficult for a threat actor to compromise a device.
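The note above makes the allowlist a partial control; one way to make it a verifiable one is to compare what the firewall actually logs against the allowlist, so that any remote-access attempt from a source outside it shows up. The following script is an added example, not part of the fact sheet or the authoring organizations' material. The log lines are constructed in the iptables LOG format, and the allowlisted networks, the set of remote-access ports and the log prefix are assumptions chosen for illustration.

```python
"""Audit firewall connection logs against an HMI remote-access allowlist."""
import ipaddress
import re
from collections import Counter

# Assumed allowlist: the operations VLAN and one jump host. Replace with your own.
ALLOWLIST = [ipaddress.ip_network(c) for c in ("10.10.0.0/24", "192.0.2.10/32")]

# Assumed remote-access ports on the HMIs: VNC displays :0-:9, web console, RDP.
REMOTE_ACCESS_PORTS = set(range(5900, 5910)) | {80, 443, 3389}

# Fields of interest in an iptables/nftables LOG line; other fields may sit between them.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample lines (not real traffic): prefix "HMI-IN" is assumed to tag
# packets destined for the HMI segment.
SAMPLE_LOG = [
    "May  9 22:41:03 fw kernel: HMI-IN IN=eth0 OUT= SRC=10.10.0.15 DST=10.10.0.20 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=5900 SYN",
    "May  9 22:41:09 fw kernel: HMI-IN IN=eth0 OUT= SRC=203.0.113.5 DST=10.10.0.20 LEN=60 TTL=52 PROTO=TCP SPT=40210 DPT=5900 SYN",
    "May  9 22:41:10 fw kernel: HMI-IN IN=eth0 OUT= SRC=203.0.113.5 DST=10.10.0.20 LEN=60 TTL=52 PROTO=TCP SPT=40211 DPT=5901 SYN",
    "May  9 22:42:17 fw kernel: HMI-IN IN=eth0 OUT= SRC=198.51.100.77 DST=10.10.0.21 LEN=60 TTL=48 PROTO=TCP SPT=33120 DPT=443 SYN",
    "May  9 22:42:30 fw kernel: HMI-IN IN=eth0 OUT= SRC=203.0.113.5 DST=10.10.0.20 LEN=76 TTL=52 PROTO=UDP SPT=123 DPT=123",
    "May  9 22:43:01 fw kernel: HMI-IN IN=eth0 OUT= SRC=192.0.2.10 DST=10.10.0.21 LEN=60 TTL=60 PROTO=TCP SPT=55001 DPT=5901 SYN",
]


def is_allowlisted(src: str, allowlist=ALLOWLIST) -> bool:
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowlist)


def audit(lines, allowlist=ALLOWLIST, ports=REMOTE_ACCESS_PORTS) -> list[tuple[str, str, int]]:
    """Return (src, dst, dport) for every remote-access attempt from outside the allowlist."""
    violations = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection log line; ignore
        dport = int(m["dpt"])
        if dport in ports and not is_allowlisted(m["src"], allowlist):
            violations.append((m["src"], m["dst"], dport))
    return violations


def by_source(violations) -> dict[str, int]:
    """Count attempts per offending source, to see who is probing rather than just what."""
    return dict(Counter(src for src, _, _ in violations))


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for src, dst, dport in found:
        print(f"NOT ALLOWLISTED: {src} -> {dst}:{dport}")
    print("attempts per source:", by_source(found))
```

If the firewall is doing its job, every line this script flags should also be a dropped packet; a flagged source that shows up in the HMI's own login history means the allowlist rule is missing or bypassed, which is the gap the note above warns about.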
Strengthen Security Posture
To enhance the security measures for your Operational Technology (OT) systems, consider these strategic steps:
These steps strengthen your organization's defenses against the opportunistic intrusions described above and help keep operations running if one succeeds.
Limit Adversarial Use of Common Vulnerabilities
To minimize the risks posed by common vulnerabilities, organizations can take several proactive steps:
These measures limit an adversary's ability to exploit common, well-known weaknesses, which is precisely the kind of weakness the activity described in this fact sheet relies on.
OT Device Manufacturers
While critical infrastructure organizations play a key role in mitigating risks, the primary responsibility for ensuring the security of OT devices rests with the manufacturers. These devices should be secure by design and default. The authoring organizations strongly encourage device manufacturers to take responsibility for the security outcomes of their customers, in accordance with the principles outlined in the joint guide "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software" and on CISA’s Secure by Design webpage.
Recommended Actions for Manufacturers:
For further guidance, manufacturers can refer to CISA’s Secure by Design Alert, which includes advice on how software manufacturers can protect web management interfaces from cyber threats. By employing secure by design principles, manufacturers can ensure their products are secure right out of the box, reducing the need for customers to make extensive configuration changes, purchase additional security software, or engage in constant monitoring and updates.
REPORTING
Organizations are urged to report any suspicious or criminal activity related to the information in this fact sheet through the following channels:
US Organizations:
UK Organizations:
This collective effort in reporting helps enhance security responses and mitigates further risks across various sectors.