Stuxnet malware was reportedly a US-Israel joint enterprise against a critical infrastructure target. The main payload was allegedly introduced on a USB device by an insider threat working for the AIVD, via supply-chain compromise. Stuxnet was an original malware tailored to cause ICS (Industrial Control System) connected systems to malfunction, contributing to physical destruction. The malware was code-signed and had worm capabilities. The implications that similar threats have today for public safety and geopolitics warrant further examination and review.
EclecticIQ analysts examined Stuxnet ten years after its discovery to address:
- Similar threats to ICS demonstrated in attacks since Stuxnet.
- Changes in threat actor capability and motivation.
- Vulnerability assessment of ICS environments.
ICS Attacks Are Still Resource Intensive to Develop and Are Likely to Remain Within the Realm of Nation-State Actors
EclecticIQ analysts conclude that targeted destructive ICS attacks remain tailored, often requiring physical facility access, with a low probability of widespread adoption by unsophisticated threat actors. At the same time, ICS attacks are of greater concern because of expanded adoption of ICS infrastructure globally and more nations demonstrating cyber-military capability.
Risk is highlighted by further attacks since Stuxnet, using similar malware deployments that include:
- Flame (2012, 2014-2016)
- GreyEnergy and BlackEnergy (2015, 2018)
- Industroyer (2017)
- Triton (2017)
In 2015 and 2020 there were separate attacks on water supply facilities in Israel that were not reported to be successful.
Each attack was highly specific and targeted, using custom malware to achieve its objective. The malware contained significant hardcoding of target-exclusive assets, showing that the code was developed only after considerable reconnaissance of the target environment. Threat actors spend substantial time tailoring exploits, malware, and delivery vectors for each attack. EclecticIQ analysts have previously referenced this type of operational preparation of the environment.
Reports of Vulnerabilities Are Increasing, But ICS Are Not Necessarily More Vulnerable
Growing Internet-of-Things connectivity in ICS environments and the accumulation of legacy systems over time drive an increase in reported vulnerabilities. Infrastructure standards at ICS organizations are subject to stricter government oversight and focus, which helps mitigate security vulnerabilities.
Dragos notes that attacks specific to electric-utility ICS have been increasing since 2018, but this does not support a meaningful change in the risk of attack. Attack vectors are narrow even for sophisticated threat actors, and operational technology systems connected to ICS are gaining increased regulatory visibility and continue to be held to very high, state-directed security standards. However, the increased activity demonstrated in the report possibly indicates that nation-states are actively seeking to acquire additional capabilities to attack ICS systems.
Nations Are Increasing Development of Military Cyber Divisions And Will Seek Further ICS Attack Capabilities
Many nations are increasingly adopting a formal cyber military division. These divisions necessarily involve rich IT system knowledge to support offensive capabilities. As nations formalize these divisions with increasing capacity, they are very likely to attempt to develop or acquire ICS exploits or specialized knowledge of ICS systems as a deterrent against cyberattacks that other nations have already demonstrated.
ICS Attack Delivery Vectors to Introduce Malware Remain Narrow
Legacy system exploitation and supply-chain compromise are the two areas of greatest risk. Legacy systems used in ICS environments are of concern, and their usage is generally growing as organizations respond to new ways of working. Legacy systems supporting ICS continue to experience upgrade issues because of gaps in documentation, coupled with highly customized builds relying on older coding practices that are difficult to integrate with security controls. There remains a major disconnect between IT security and legacy operational technology systems, which greatly affects the potential for attack and presents growing opportunity for attackers targeting ICS.
Supply-chain compromise remains one of the highest risks for delivery of attacks on ICS and connected ICS-related systems. A report analyzing ICS vulnerabilities does not show a clear year-on-year pattern of new vulnerabilities affecting ICS systems that could be used to deliver malware. ICS vulnerability exploitation is restricted to specific software versions and vendors, which require more time and expertise to research and reverse engineer.
An EclecticIQ report on supply-chain attacks published in June 2018 concluded, “ICS-tailored attacks have yet to be a widely-exhibited attack pattern.” “Given the small number of victims in each campaign, it is very likely that the attackers targeted victims directly [...] we are unlikely to see a general increase in supply-chain attacks due to the effort and risk/reward required.” EclecticIQ analysts evaluate that the conclusion from 2018 is still valid today.
Examples of Malicious Traffic Directed at ICS-configured Honeypots Provide a Strong Indication That Probing ICS Systems Remains of High Interest
In May 2019, Trend Micro launched a handful of custom-configured honeypots designed to look like the ICS systems of a gas plant, a water plant, and a general engineering facility. During seven months of testing the honeypots detected increasing activity. Every honeypot experienced a wide variety of activity determined to be malicious, including scanners, cryptominers and ransomware that may expose systems to further malware, and probing beacons typically used in compromising additional systems.
A larger ICS honeypot study over 13 months between 2018 and 2019 produced attack activity that was small in volume compared to other malicious activities, but the validated malicious activities typically involved “skilled, targeted exploits previously unknown to the ICS community”.
Malware Observed Attacking ICS Systems Remains Highly Customized
Commodity-type malware is not gaining significant capability to target ICS devices. Targeting ICS requires malware highly customized to the target systems, which in many cases include hardware controllers that demand physical access to manipulate effectively. Successful ICS attacks are typically also dependent on multiple major lapses in security best practices.
EKANS ransomware was observed in the wild earlier this year, designed to kill ICS-related processes based on a hardcoded discovery list, suggesting that the malware authors were possibly interested in infecting OT (operational technology) systems attached to ICS environments. The EKANS malware did not employ further TTPs specific to ICS environments, indicating that the threat was limited in scope.
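As an added example (not EclecticIQ's or the EKANS authors' code), the following Python flags a process that terminates several watchlisted ICS-related processes in a short burst, the behaviour the paragraph above attributes to a hardcoded kill list; the log format, process names and thresholds are constructed assumptions.

```python
# Added example, not EclecticIQ's or the EKANS authors' code. Log format,
# process names and thresholds are constructed assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical watchlist of OT process names; a real deployment builds this
# from its own asset inventory.
ICS_WATCHLIST = {"historian.exe", "hmi_runtime.exe", "opc_server.exe", "plc_bridge.exe"}

# Constructed termination audit records: "<ISO time> TERMINATE actor=<p> target=<p>".
SAMPLE_LOG = """\
2020-06-01T10:00:00 TERMINATE actor=explorer.exe target=notepad.exe
2020-06-01T10:00:01 TERMINATE actor=update.exe target=historian.exe
2020-06-01T10:00:02 TERMINATE actor=update.exe target=HMI_Runtime.exe
2020-06-01T10:00:03 TERMINATE actor=update.exe target=opc_server.exe
2020-06-01T10:00:04 TERMINATE actor=update.exe target=plc_bridge.exe
2020-06-01T10:30:00 TERMINATE actor=admin_shell.exe target=historian.exe
2020-06-01T11:00:00 TERMINATE actor=admin_shell.exe target=opc_server.exe
""".splitlines()

def parse_line(line):
    """Return (timestamp, actor, target) for a TERMINATE record, else None."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != "TERMINATE":
        return None
    actor = parts[2].partition("=")[2]
    target = parts[3].partition("=")[2].lower()  # case-insensitive match
    return datetime.fromisoformat(parts[0]), actor, target

def detect_mass_kill(lines, threshold=3, window=timedelta(seconds=10)):
    """Map each actor that killed >= threshold watchlisted processes inside one
    sliding window to its largest burst; spaced-out kills stay unreported."""
    kills = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in ICS_WATCHLIST:
            kills[parsed[1]].append(parsed[0])
    flagged = {}
    for actor, times in kills.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[actor] = best
    return flagged
```

Running detect_mass_kill(SAMPLE_LOG) reports only update.exe (four watchlisted kills in three seconds); the two admin_shell.exe kills half an hour apart stay below the threshold.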
APT Group Rankings Have Not Changed Significantly in Terms of Capability to Attack ICS
ICS threats remain niche, and the same repeatedly observed threat actors are likely to be the ones threatening ICS systems. Less sophisticated threat actors are not likely to be involved in attacks. The Belfer Center's National Cyber Power Index for 2020 has consistently ranked and grouped the same threat actors in the top tier in terms of capabilities. The list has undergone minor changes over the past few years. Past intelligence reporting indicates that the same nation-state actors are repeatedly conducting ICS attacks:
- In 2012 and 2015, threat actors associated with Duqu established persistent remote access on systems that may have included the Iran nuclear program. The consensus of the security community is that the operation required nation-state support due to its highly complex TTPs.
- In 2016-2017 an APT group reportedly associated with Russia used Dragonfly malware and publicly available tools to allegedly conduct reconnaissance on ICS systems globally and in the United States, leading to the release of an unusual advisory by the US-CERT.
- In 2019 according to an article from the New York Times: "Since at least 2012, current and former officials say, the United States has put reconnaissance probes into the control systems of the Russian electric grid."
Due to the delicate nature of these covert operations, public acknowledgement by either the offender or the victim is very rare. Confirmed intelligence reporting likely underrepresents the true scope of similar attacks. However, the activities reported above all involve APT groups competing within a similar geopolitical sphere.
EclecticIQ Analysts Assess That Capabilities And Risk of Threat Actors And Their Malware Have Increased, But Risk of Similar Attacks Remains Low
ICS attack reporting is restricted and very likely under-represents true activity. Potential delivery paths for ICS malware remain constrained due to strict security controls relative to other industries, but overall vulnerability detection is rising and more systems are configured with remote connections to ICS environments. Malware activity against ICS remains customized and highly tailored. ICS attack capabilities remain primarily with nation-states, and more nations are developing similar cyber capabilities. Malware TTPs and the operational capabilities of threat actors to attack ICS remain restricted by the tailored exploitation necessary for each victim. Activity remains highly specific and targeted to each victim, but attack activity overall is likely growing.