New cyber threat capabilities are leaving critical infrastructure vulnerable to increasingly disruptive attacks. Diego Betancur from Nozomi Networks explores.
A recent joint Cybersecurity Advisory (CSA) warned that certain advanced persistent threat (APT) actors have exhibited the capability to manipulate and disrupt industrial processes, and Australia’s critical infrastructure is at risk.
The newest threat comes from a custom malware dubbed ‘INCONTROLLER’. Analysis by Mandiant indicates that INCONTROLLER was developed by a sophisticated nation state threat actor to maliciously manipulate industrial control systems (ICS) environments.
At present, INCONTROLLER is not tied to any incident, nor to a specific threat actor. However, the level of complexity observed in the malware should be a warning to Australian industry to prepare for more advanced threats.
The malware affects multiple supervisory control and data acquisition (SCADA) devices and other ICS. Attackers are then able to leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.
INCONTROLLER largely appears to implement the protocols understood by the targeted controllers, giving the threat group the ability to manipulate them. At this stage, it has not been disclosed where INCONTROLLER was retrieved, but it is extremely likely that the threat actor had a very thorough understanding of the targeted environments.
The discovery of INCONTROLLER sends a message to critical infrastructure that not only are threat actors adapting their means of gaining entry, but they are also adapting their motives. Extortion is commonplace in cyber attacks, and many businesses fear the potential losses from ransomware and phishing attacks.
But these new developments in APT actors are opening the door to even more disruptive attacks. INCONTROLLER has the capacity for physical destruction.
The rise of automation
The threat of INCONTROLLER comes as the ICS market is expected to reach circa AU$245 billion by 2026, signalling a growing trend of critical infrastructure adopting automated processes. ICS are critical to increased efficiency, but the controls increase the attack surface, and the industry is generally underprepared for the level of sophistication being exhibited.
The Department of Home Affairs reported that 35 per cent of cyber attacks are directed at critical infrastructure and this number is rising.
The recent conflict in Ukraine also highlights further weaknesses in CI security, as Russian and non-government groups seek to infiltrate Ukrainian systems in order to gain a military advantage. As Australia has provided materiel support to Ukraine, Australian CI operators have been warned to expect infiltration from these malicious actors, and to further secure their systems.
What should critical infrastructure do to increase protection?
Environments that operate the devices referred to above should immediately look for both intrusion indicators and anomalous behaviour in their operational technology (OT) networks, and consider network segmentation if it is not already implemented.
Real-time network visibility, monitoring, and anomaly detection tools will significantly reduce the likelihood of a threat actor successfully gaining remote access to these devices.
If end users do not have visibility into their OT networks, the other mitigations listed in the CSA should be the top priority: isolating affected devices, changing ICS/SCADA passwords, maintaining offline backups, and implementing an incident response plan to increase network security and resiliency in the event of a cyber attack.
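The anomaly-detection and segmentation checks recommended above can be illustrated with a small baseline comparison over OT flow records. This is an added example, not code from the article or from Nozomi Networks; the subnet, the protocol ports (Modbus/TCP 502 and EtherNet/IP 44818 are assumed as the controller protocols) and all flow records are constructed.

```python
import ipaddress
from collections import namedtuple

# Assumed addresses and ports; nothing here comes from the advisory or a real network.
OT_SEGMENT = ipaddress.ip_network("10.10.0.0/16")      # assumed controller network
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP"}  # assumed ICS protocol ports

# Baseline of expected (src, dst, port) talkers learned during normal operation (constructed).
BASELINE = {
    ("10.10.1.5", "10.10.2.10", 502),    # engineering workstation -> PLC
    ("10.10.1.5", "10.10.2.11", 44818),  # engineering workstation -> PLC
}

Flow = namedtuple("Flow", "src dst dport")


def classify(flow):
    """Return a finding for an anomalous ICS flow, or None if it is expected."""
    if flow.dport not in ICS_PORTS:
        return None  # only controller-protocol traffic is in scope for this check
    proto = ICS_PORTS[flow.dport]
    if (flow.src, flow.dst, flow.dport) in BASELINE:
        return None  # known talker, known controller, known protocol
    if ipaddress.ip_address(flow.src) not in OT_SEGMENT:
        # a host outside the OT segment reaching a controller: segmentation gap
        return f"SEGMENTATION: {flow.src} outside OT segment spoke {proto} to {flow.dst}"
    # inside the OT segment but never seen before: new talker to investigate
    return f"NEW TALKER: {flow.src} not in baseline spoke {proto} to {flow.dst}"


def detect(flows):
    """Run classify over flow records and return only the findings, in order."""
    return [f for f in (classify(fl) for fl in flows) if f]


# Constructed flow records, as a network sensor might export them.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.10", 502),    # expected
    Flow("10.10.1.5", "10.10.2.11", 44818),  # expected
    Flow("10.10.3.7", "10.10.2.10", 502),    # unexpected host inside OT
    Flow("10.20.5.9", "10.10.2.11", 44818),  # IT host crossing into OT
    Flow("10.10.1.5", "10.10.2.10", 443),    # non-ICS traffic, ignored
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_FLOWS):
        print(finding)
```

Any new talker or cross-segment finding is a trigger to pull the affected device's logs and apply the CSA mitigations listed above.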
Security of Critical Infrastructure Act 2018
Cyber security has been a growing concern among policy makers for years; as businesses, governments, and critical infrastructure digitise and transform work practices to remote and online work, the opportunities for cyber attacks increase.
The Australian government’s recent Security Legislation Amendment (Critical Infrastructure) Bill 2021 represents an important step in protecting critical infrastructure, by recognising that threats to CI are threats to national security.
The SOCI Act requires certain classes of CI to report cyber incidents, register critical assets, and develop and implement risk management plans. There is currently a specialist skills shortage in cyber security, particularly in CI.
By expanding the government’s role in defending CI, SOCI is intended to alleviate this skills gap. SOCI is an enhancement of existing cyber security obligations and demonstrates just how critical protecting CI is.
INCONTROLLER continues the concerning trend of malware designed with critical infrastructure specifically in mind. Clearly, cyber criminals are eyeing our most prized societal assets to maximise impact and their potential reward, and we need to be more vigilant than ever.
Diego Betancur is the director of technical sales APAC at Nozomi Networks.