Category Archives: ICS-SCADA

UK won the Military Cyberwarfare exercise Defence Cyber Marvel 2 (DCM2)

Defence Cyber Marvel 2 (DCM2) is the largest Western Europe-led cyber exercise that took place in Tallinn with 34 teams from 11 countries.

The Defence Cyber Marvel 2 (DCM2) is the largest training exercise organised by the Army Cyber Association to allow personnel from across the Armed Forces to build their skills within the cyber and electromagnetic domain.

This year, 750 cyber specialists have participated in the military cyberwarfare exercise. 34 teams from 11 countries, including India, Italy, Ghana, Japan, US, Ukraine, Kenya, and Oman, have taken part in a live-fire cyber battle that lasted seven days.

“Organised by a team of cyber specialists from the British Army, Defence Cyber Marvel 2 (DCM2) was the culmination of more than 12 months of training for more than 750 cyber specialists, including Defence personnel, government agencies, industry partners, and other nations.” reads the press release published by the UK Ministry of Defence.

The exercise was hosted in Tallinn, Estonia, participant teams were involved in common and complex simulations of attacks against IT and OT networks, and unmanned robotic systems. The exercise also simulated some of the tactics Russia used to disrupt Ukrainian cyberspace amid the beginning of the invasion one year ago.

Many teams took part in the exercise remotely, they connected to a cyber range controlled in Tallinn, Estonia.

“The Army Cyber Association was set up by Royal Signals officers, prior to the formation of 13 Signal Regiment, as a cyber operations professional development network. It is volunteer run and entirely inclusive for any Service person who wants to develop their cyberspace knowledge and skills.” said Colonel Ian Hargreaves Chair of the Army Cyber Association. “Our focus has always been talent identification, recognition and development with a big wraparound of innovation. We must innovate to stay ahead of those that would wish us harm and Defence Cyber Marvel 2 is the next evolution of our pioneering collective education.”

Britain’s 7 Military Intelligence team, who competed remotely from Italy, won the exercise, followed by the Tallinn-based 5 Military Intelligence team.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Defence Cyber Marvel 2 (DCM2))

Pro-Palestine hackers threaten Israeli chemical companies

Threat actors are targeting Israeli chemical companies operating in the occupied territories, security experts warn.

Threat actors have launched a massive hacking campaign aimed at Israeli chemical companies operating in the occupied territories. A group named Electronic Quds Force is threatening the companies’ engineers and workers and inviting them to resign from their positions.

The attacks are retaliation against the Israeli government and its policy towards Palestinians; the hackers accuse Tel Aviv of violence.

“Our advice to scientists working in the chemical plants is to quit their job, hunt for a new one, and find sanctuary in a location where we are not present,” reads the message sent by the Electronic Quds Force. “Leave their employment. Look for a new one. This is while we have a strong presence anyplace.”

“We confirm that your job in chemical factories presents a threat to your life; but, we will never hesitate to melt your bodies with chemicals the next time an act of violence is performed against Palestinians.”

The message is clear: the hackers claim to be able to interfere with operations at the plants run by the chemical companies, potentially causing loss of human life.

Tension is very high during this period; the Palestinian Ministry of Health said that January is “the bloodiest month in the West Bank since 2015, during which, to date, 35 martyrs were killed by the Israeli occupation army and settlers, including 8 children, in addition to an elderly woman.”

“Jenin Governorate recorded the highest number of the martyrs since the beginning of this year, 20 martyrs,” the Ministry added.

The messages were published on the Telegram channel of the group along with images of Industrial Control Systems (ICSs) allegedly belonging to one of the chemical companies that are targets of the cyber attacks.

The number of operations conducted by the Israeli military in Palestinian villages has reportedly increased in the last week. According to the United Nations, 2022 was the deadliest year for Palestinians living in the West Bank in the previous 16 years of data.

Cyber attacks on both sides are increasing. In September 2022, the pro-Palestinian hacking group GhostSec claimed to have compromised 55 Berghof programmable logic controllers (PLCs) used by Israeli organizations as part of a Free Palestine campaign.

GhostSec also published a video demonstrating a successful log-in to the PLC’s admin panel, along with screenshots of an HMI screen showing some phases of the attack, including the stopping of the PLC.

The group also shared other screenshots, claiming to have gained access to another control panel that can be used to modify chlorine and pH levels in the water.

In August 2022, the hacking group ALtahrea Team knocked down the websites of the ports of Jaffa, Haifa, Acre, and Eilat.

The group also targeted hundreds of Israeli websites, including the website of the municipality of the city of Sderot.


Pierluigi Paganini

(SecurityAffairs – hacking, Israeli chemical companies)

Pro-Palestinian group GhostSec hacked Berghof PLCs in Israel

The hacktivist collective GhostSec claimed to have compromised 55 Berghof PLCs used by Israeli organizations.

Pro-Palestinian Hacking Group GhostSec claimed to have compromised 55 Berghof programmable logic controllers (PLCs) used by Israeli organizations as part of a Free Palestine campaign.

On September 4, 2022, GhostSec announced on social media and its Telegram channel that it had compromised 55 Berghof PLCs used by organizations in Israel.

GhostSec also published a video demonstrating a successful log-in to the PLC’s admin panel, along with screenshots of an HMI screen showing some phases of the attack, including the stopping of the PLC.

“In the message it published, GhostSec attached a video demonstrating a successful log-in to the PLC’s admin panel, together with an image of an HMI screen showing its current state and control of the PLC process, and another image showing that the PLC had been stopped. In the following message (inset) the group published the dumped data from the breached PLCs.” reads the analysis published by industrial cybersecurity firm OTORIO.

The analysis of the system dumps published by the collective revealed the public IP addresses of the affected PLCs; OTORIO experts speculate that they were exposed online at the time of the attack.

The leaked archives contained system dumps and HMI screenshots, obtained from the Berghof admin panel of the compromised PLCs.

The experts believe that the threat actors gained access to the admin panel of the PLCs by using default and common credentials.

The experts pointed out that although access to the admin panel provides full control over some of the PLC’s functionality, it does not allow operators to directly control the industrial process.

“It is possible to affect the process to some extent, but the actual process configuration itself isn’t available solely from the admin panel,” the experts continue.

The researchers explained that even if the attack was not sophisticated, the compromise of an OT infrastructure can be extremely dangerous. They added that GhostSec likely lacks the capabilities to conduct cyber attacks in the OT domain.

“Unlike cyber attacks on IT infrastructure, OT security breaches can be extremely dangerous since they can affect physical processes and, in some cases, even lead to life-threatening situations.” concludes the report. “While GhostSec’s claims are of a sophisticated cyber attack, the incident reviewed here is simply an unfortunate case where easily overlooked misconfigurations of industrial systems led to an extremely unsophisticated attempt to breach the systems themselves. The fact that the HMI probably wasn’t accessed, nor manipulated by GhostSec, and the hackers were not exploiting the Modbus interface, shows an unfamiliarity with the OT domain. To the best of our knowledge, GhostSec hadn’t brought critical damage to the affected systems, but only sought to draw attention to the hacktivist group and its activities.”

GhostSec also published other screenshots, claiming to have gained access to another control panel that can be used to modify chlorine and pH levels in the water.


Pierluigi Paganini

(SecurityAffairs – hacking, PLCs)


Clop gang targeted UK drinking water supplier South Staffordshire Water

A cyber attack disrupted the IT operations of South Staffordshire Water, a company supplying drinking water to 1.6M consumers daily.

South Staffordshire Water has issued a statement confirming the security breach, the company pointed out that the attack did not impact the safety and water distribution systems.

South Staffordshire Water plc, known as South Staffs Water, is a UK water supply company owned by a privately owned utilities company; it serves parts of Staffordshire and the West Midlands, as well as small areas of surrounding counties in England. South Staffordshire Water plc is part of South Staffordshire plc.

Thanks to the security systems in place, the company was able to keep supplying safe water to its customers and those of its subsidiaries, Cambridge Water and South Staffs Water.

“This incident has not affected our ability to supply safe water and we can confirm we are still supplying safe water to all of our Cambridge Water and South Staffs Water customers.” reads a statement published by the company. “This is thanks to the robust systems and controls over water supply and quality we have in place at all times, as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis.”

South Staffordshire Water reassures customers that the cyber attack will not cause an extended outage.

The company is investigating the incident and is working closely with the relevant government and regulatory authorities.

The Clop ransomware gang claimed responsibility for the attack and added the name of the utility to its Tor leak site.

The ransomware gang claims to be able to impact the operations and the safety of the water supply.

The gang also claims to have stolen 5TB of data from the company.

The ransomware group has already published a sample of stolen data that includes passports, ID Cards, and images of SCADA systems.

Thames Water has denied that Clop breached its network and has ruled out any risk to its customers from the attack.

“We are aware of reports in the media that Thames Water is facing a cyber attack. We want to reassure you that this is not the case and we are sorry if the reports have caused distress.” reads the statement from Thames Water. “As providers of an essential service, we take the security of our networks and systems very seriously and are focused on protecting them, so that we can continue to provide you with the services and support you need from us.”

BleepingComputer noticed that the sample data published by Clop operators includes usernames and passwords that refer to South Staffs Water and South Staffordshire email addresses.

One of the leaked documents sent to the targeted firm is explicitly addressed to South Staffordshire PLC.

This circumstance suggests that Clop misidentified the victim.

Cybercriminals don’t pick their targets randomly, as hitting water suppliers during harsh drought periods could apply insurmountable pressure to pay the demanded ransom.

For this to happen, though, Clop has to redirect its threats to the correct entity, but considering the publicity the matter has taken, it’s probably too late for that.


Pierluigi Paganini

(SecurityAffairs – hacking, South Staffordshire Water)


VNC instances exposed to the Internet put critical infrastructure at risk

Researchers from threat intelligence firm Cyble reported a surge in attacks targeting virtual network computing (VNC).

Virtual Network Computing (VNC) is a graphical desktop-sharing system that leverages the Remote Frame Buffer (RFB) protocol to control another machine remotely. It transmits the keyboard and mouse input from one computer to another, relaying the graphical-screen updates, over a network.

Researchers from Cyble looked for VNC instances exposed over the internet and discovered over 8000 with authentication disabled, most of them in China, Sweden, and the United States.

Cyble observed a surge in attacks on the default port for VNC, port 5900, most of them originating from the Netherlands, Russia, and Ukraine. Exposing VNCs to the internet increases the likelihood of a cyberattack.

Threat actors could use access through VNC to carry out a broad range of malicious activities, such as deploying ransomware or malware, or spying on victims.

The researchers discovered multiple Human Machine Interface (HMI) systems, Supervisory Control And Data Acquisition (SCADA) systems, workstations, and other assets connected via VNC and exposed over the internet.

Cyble also reported that threat actors are selling access to systems exposed on the Internet via VNC on cybercrime forums.

“Our investigation found that selling, buying, and distributing exposed assets connected via VNCs are frequently on cybercrime forums and markets. A few examples of the same can be seen in the figures below.” Cyble states.

The experts pointed out that even if the count of exposed VNCs is low compared to previous years, some of the exposed VNCs belong to various organizations in the Critical Infrastructures sector such as water treatment plants, manufacturing plants, research facilities, etc.

“Remotely accessing the IT/OT infrastructure assets is pretty handy and has been widely adopted due to the COVID-19 Pandemic and work-from-home policies. However, if organizations do not have the appropriate safety measures and security checks in place, this situation can lead to severe monetary loss for an organization. Leaving VNCs exposed over the internet without any authentication makes it fairly easy for intruders to penetrate the victim’s network and create havoc.” Cyble concludes. “Attackers might also try to exploit the VNC service by using various vulnerabilities and techniques, allowing them to connect with the exposed asset(s).”
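The "authentication disabled" condition Cyble counted is visible in the first two messages a VNC server sends. The following is an added example, not Cyble's tooling or code from the original post: it parses those messages (the RFB ProtocolVersion and security-types exchange) from a captured server-side byte string and reports whether the server offers the "None" security type; the sample handshakes are constructed, so it can be used offline against packet captures of your own assets.

```python
"""Classify the authentication a VNC server offers, from its RFB handshake bytes.

Added example (not Cyble's tooling): parses the server's ProtocolVersion and
security-types messages (RFC 6143, sections 7.1.1 and 7.1.2) and reports whether
the "None" security type is offered, which is what "authentication disabled"
means on the wire. The sample handshakes at the bottom are constructed.
"""
from __future__ import annotations

import struct

# Security type numbers from the RFB registry; 1 ("None") means no authentication.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}


class RfbHandshakeError(ValueError):
    """The bytes do not form a valid RFB server handshake."""


def parse_version(data: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message b"RFB xxx.yyy\\n" -> (major, minor, rest)."""
    if len(data) < 12 or data[:4] != b"RFB " or data[7:8] != b"." or data[11:12] != b"\n":
        raise RfbHandshakeError("not an RFB ProtocolVersion message")
    try:
        major, minor = int(data[4:7]), int(data[8:11])
    except ValueError as exc:
        raise RfbHandshakeError("malformed RFB version number") from exc
    return major, minor, data[12:]


def _failure_reason(data: bytes) -> str:
    """Decode the U32-length-prefixed reason string a server sends when it refuses."""
    if len(data) < 4:
        raise RfbHandshakeError("truncated failure reason")
    (length,) = struct.unpack(">I", data[:4])
    return data[4:4 + length].decode("utf-8", "replace")


def parse_security_types(major: int, minor: int, data: bytes) -> tuple:
    """Return (offered_types, failure_reason) for the negotiated protocol version."""
    if (major, minor) == (3, 3):
        # RFB 3.3: the server dictates one type as a U32; 0 means the connection failed.
        if len(data) < 4:
            raise RfbHandshakeError("truncated RFB 3.3 security message")
        (chosen,) = struct.unpack(">I", data[:4])
        return ([], _failure_reason(data[4:])) if chosen == 0 else ([chosen], None)
    # RFB 3.7 and later: U8 count, then that many U8 types, and the CLIENT picks one.
    if not data:
        raise RfbHandshakeError("truncated security-types message")
    count = data[0]
    if count == 0:
        return [], _failure_reason(data[1:])
    offered = list(data[1:1 + count])
    if len(offered) < count:
        raise RfbHandshakeError("truncated security-types list")
    return offered, None


def audit_handshake(server_bytes: bytes) -> dict:
    """Summarise one server-side handshake as captured on the wire."""
    major, minor, rest = parse_version(server_bytes)
    offered, reason = parse_security_types(major, minor, rest)
    return {
        "version": f"{major}.{minor}",
        "security_types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in offered],
        # Because the client chooses in 3.7+, a server listing "None" next to
        # VNC Authentication is still open: any client can simply pick "None".
        "auth_disabled": 1 in offered,
        "failure_reason": reason,
    }


# Constructed server-side handshake captures; no real hosts involved.
SAMPLES = {
    "open-3.8": b"RFB 003.008\n" + b"\x01\x01",
    "mixed-3.8": b"RFB 003.008\n" + b"\x02\x01\x02",
    "vencrypt-3.8": b"RFB 003.008\n" + b"\x02\x02\x13",
    "open-3.3": b"RFB 003.003\n" + b"\x00\x00\x00\x01",
    "refused-3.8": b"RFB 003.008\n" + b"\x00" + b"\x00\x00\x00\x08Too busy",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13} {audit_handshake(raw)}")
```

The parser stops at the security-types message; VeNCrypt and Tight carry their own sub-type negotiation, which it does not inspect.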


Pierluigi Paganini

(SecurityAffairs – hacking, VNC)


Tainted password-cracking software for industrial systems used to spread P2P Sality bot

Dragos researchers uncovered a small-scale campaign targeting industrial engineers and operators with Sality malware.

During a routine vulnerability assessment, Dragos researchers discovered a campaign targeting industrial engineers and operators with Sality malware.

Threat actors behind the campaign used multiple accounts across several social media platforms to advertise password-cracking software for Programmable Logic Controller (PLC), Human-Machine Interface (HMI), and project files.

The password recovery software is advertised as working against industrial systems from ABB, Allen Bradley, Automation Direct, Fuji Electric, LG, Vigor, Mitsubishi, Omron, Panasonic, Pro-Face, Siemens, and Weintek.

The attackers are attempting to infect industrial control systems (ICS) and create a botnet.

Dragos experts investigated an infection involving DirectLogic PLCs from Automation Direct. They reverse engineered the password-cracking tool and discovered that it did not crack the password at all; rather, it exploited a vulnerability in the firmware to retrieve the password on command. The password-cracking software also acts as a dropper for the Sality P2P bot.

According to the experts, the tool successfully recovers Automation Direct’s DirectLogic 06 PLC password by connecting a Windows machine to the PLC over a serial connection.

Dragos researchers were also able to recover the password using the exploit over Ethernet, significantly increasing the severity of the flaw, tracked as CVE-2022-2003.

CVE-2022-2003 was responsibly disclosed to Automation Direct, and the vendor addressed it with the release of a firmware update.

The Sality P2P botnet is known to be involved in password cracking and cryptocurrency mining activities.

“Dragos assesses with moderate confidence the adversary, while having the capability to disrupt industrial processes, has financial motivation and may not directly impact Operational Technology (OT) processes.” reads the advisory published by Dragos. “Sality employs process injection and file infection to maintain persistence on the host. It abuses Windows’ autorun functionality to spread copies of itself over Universal Serial Bus (USB), network shares, and external storage drives.”

The sample of the Sality malware employed in the attack analyzed by Dragos also drops clipboard hijacking malware, which checks the clipboard to hijack cryptocurrency wallet addresses.

The Sality malware uses a kernel driver to evade detection; it also starts a service that identifies processes associated with security products and kills them.

“Dragos only tested the DirectLogic-targeting malware. However, initial dynamic analysis of a couple of other samples indicate they also contain malware. In general, it appears there is an ecosystem for this type of software. Several websites and multiple social media accounts exist all touting their password ‘crackers’.” concludes the report. “Trojanized software is a common delivery technique for malware and has been proven effective for gaining initial access to a network.”


Pierluigi Paganini

(SecurityAffairs – hacking, Sality malware)


Microsoft seized 41 domains used by Iran-linked Bohrium APT

Microsoft’s Digital Crimes Unit (DCU) announced the seizure of domains used by Iran-linked APT Bohrium in spear-phishing campaigns.

Microsoft’s Digital Crimes Unit (DCU) announced that it has taken legal action to disrupt a spear-phishing operation linked to the Iran-linked APT Bohrium. The IT giant has seized the domains the threat actor used in attacks aimed at organizations in the tech, transportation, government, and education sectors located in the U.S., the Middle East, and India.

Microsoft seized 41 websites, including “.com,” “.info,” “.live,” “.me,” “.net,” “.org,” and “.xyz” domains that were employed in the attacks.

The APT group created fake social media profiles, often posing as recruiters, and used them to trick targets into providing personal information. Once it had obtained this information, Bohrium sent the victims phishing emails containing links that, once clicked, started the infection of the target’s computer.

The threat actor’s spear-phishing attacks were aimed at gathering intelligence on the targets.

Early this month, Microsoft announced it had blocked a series of attacks targeting Israeli organizations conducted by a previously unknown Lebanon-based hacking group tracked as POLONIUM. POLONIUM has targeted or compromised more than 20 Israeli organizations and one intergovernmental organization with operations in Lebanon over the past three months. Since February, the attacks have targeted organizations in critical manufacturing, IT, and Israel’s defense industry.


Pierluigi Paganini

(SecurityAffairs – hacking, Bohrium)


US gov agencies and private firms warn nation-state actors are targeting ICS & SCADA devices

The US government agencies warned of threat actors that are targeting ICS and SCADA systems from various vendors.

The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (CSA) to warn of offensive capabilities developed by APT actors that could allow them to compromise multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:

  • Schneider Electric programmable logic controllers (PLCs),
  • OMRON Sysmac NEX PLCs, and
  • Open Platform Communications Unified Architecture (OPC UA) servers.

According to the advisory that was issued with the help of leading cybersecurity firms (Dragos, Mandiant, Microsoft, Palo Alto Networks, and Schneider Electric), nation-state hacking groups were able to hack multiple industrial systems using a new ICS-focused malware toolkit dubbed PIPEDREAM that was discovered in early 2022.

“APT actors have developed custom-made tools that, once they have established initial access in an OT network, enables them to scan for, compromise, and control certain ICS/SCADA devices” reads the advisory.

“The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.”

The toolkit could allow attackers to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters.

Threat actors can also leverage a tool to install and exploit a known-vulnerable ASRock-signed motherboard driver (“AsrDrv103.sys”) by triggering the CVE-2020-15368 flaw to execute malicious code in the Windows kernel. The tool could be used to perform lateral movement within an IT or OT environment and interfere with devices’ operation.

Researchers from Dragos shared a detailed analysis of the new PIPEDREAM toolkit confirming that it has yet to be employed in attacks in the wild.

“PIPEDREAM is the seventh known ICS-specific malware. The CHERNOVITE Activity Group (AG) developed PIPEDREAM. PIPEDREAM is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.” reads the report published by Dragos. “Dragos assesses with high confidence that PIPEDREAM has not yet been employed in the wild for destructive effects. This is a rare case of accessing and analyzing malicious capabilities developed by adversaries before their deployment and gives defenders a unique opportunity to prepare in advance.”

Mandiant, which tracks the toolkit as INCONTROLLER, also published a detailed analysis warning of its dangerous cyber attack capability.

“The tools can interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries. While the targeting of any operational environments using this toolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment. INCONTROLLER is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction.” reads the analysis published by Mandiant. “INCONTROLLER represents an exceptionally rare and dangerous cyber attack capability. It is comparable to TRITON, which attempted to disable an industrial safety system in 2017.”

The joint report also included the following recommendations for all organizations with ICS/SCADA devices:

  • Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters. 
  • Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
  • Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
  • Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
  • Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups. 
  • Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
  • Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
  • Implement robust log collection and retention from ICS/SCADA systems and management subnets.
  • Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
  • Ensure all applications are only installed when necessary for operation. 
  • Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates. 
  • Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator comments as signs of potential malicious activity.
  • Monitor systems for the loading of unusual drivers, especially the ASRock driver if no ASRock driver is normally used on the system.
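One way to act on the last recommendation, as an added example that is not part of the joint advisory or the original post: it triages Sysmon Event ID 6 ("Driver loaded") records against a per-host driver baseline and flags the ASRock driver named above. Only the file name AsrDrv103.sys and CVE-2020-15368 come from the advisory; the sample events, the baseline, the signer name and the hash values are constructed.

```python
"""Flag unusual kernel-driver loads in Sysmon Event ID 6 ("Driver loaded") records.

Added example for the advisory's "monitor for unusual drivers" recommendation.
Only the driver name AsrDrv103.sys and CVE-2020-15368 come from the advisory;
the sample events, the baseline, the signer name and the hash values are constructed.
"""
from __future__ import annotations

import ntpath

# Driver file names the joint advisory singles out (lower-case for matching).
WATCHLIST = {"asrdrv103.sys": "ASRock driver abused via CVE-2020-15368"}

# Drivers expected on this engineering workstation. Constructed for the example;
# derive yours from a known-good image of each host class.
BASELINE = {"tcpip.sys", "ndis.sys", "fltmgr.sys", "disk.sys"}

# Where legitimately installed drivers normally live (compared case-insensitively).
DRIVER_DIR = r"c:\windows\system32\drivers"

RANK = {"medium": 1, "high": 2}


def parse_sysmon_event(text: str) -> dict:
    """Parse Sysmon's 'Key: Value' EventData lines into a dict."""
    event = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            event[key.strip()] = value.strip()
    return event


def assess_driver_load(event: dict) -> dict | None:
    """Return a finding for a suspicious driver load, or None when it looks normal."""
    if event.get("EventID") != "6":
        return None  # not a driver-load event
    path = event.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    hits = []  # (severity, reason)
    if name in WATCHLIST:
        hits.append(("high", f"watchlisted driver: {WATCHLIST[name]}"))
    if name not in BASELINE:
        hits.append(("medium", "driver not in host baseline"))
    if ntpath.normpath(ntpath.dirname(path)).lower() != DRIVER_DIR:
        hits.append(("medium", f"loaded from outside {DRIVER_DIR}"))
    if event.get("SignatureStatus", "").lower() != "valid":
        hits.append(("medium", "signature missing or invalid"))
    # Deliberately absent: a valid signature does NOT clear a driver. Abuse of a
    # signed-but-vulnerable driver, the ASRock case included, relies on exactly that.
    if not hits:
        return None
    return {
        "time": event.get("UtcTime"),
        "driver": name,
        "path": path,
        "severity": max((level for level, _ in hits), key=RANK.__getitem__),
        "reasons": [reason for _, reason in hits],
    }


def triage(raw_events: list) -> list:
    """Assess raw Sysmon events and return findings, highest severity first."""
    findings = [f for f in map(assess_driver_load, map(parse_sysmon_event, raw_events)) if f]
    return sorted(findings, key=lambda f: RANK[f["severity"]], reverse=True)


# Constructed Sysmon Event ID 6 records in the console "Key: Value" layout.
SAMPLE_EVENTS = [
    r"""EventID: 6
UtcTime: 2022-04-13 10:15:02.101
ImageLoaded: C:\Windows\System32\drivers\tcpip.sys
Hashes: SHA256=PLACEHOLDER_NOT_A_REAL_HASH
Signature: Microsoft Windows
SignatureStatus: Valid""",
    r"""EventID: 6
UtcTime: 2022-04-13 10:17:44.620
ImageLoaded: C:\Users\oper\AppData\Local\Temp\AsrDrv103.sys
Hashes: SHA256=PLACEHOLDER_NOT_A_REAL_HASH
Signature: ConstructedSignerName
SignatureStatus: Valid""",
    r"""EventID: 6
UtcTime: 2022-04-13 10:20:09.004
ImageLoaded: C:\Windows\System32\drivers\otvendor.sys
Hashes: SHA256=PLACEHOLDER_NOT_A_REAL_HASH
Signature: -
SignatureStatus: Unavailable""",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["path"], "|", "; ".join(finding["reasons"]))
```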


Pierluigi Paganini

(SecurityAffairs – hacking, PIPEDREAM)


Russia-linked Sandworm APT targets energy facilities in Ukraine with wipers

Russia-linked Sandworm APT group targeted energy facilities in Ukraine with INDUSTROYER2 and CADDYWIPER wipers.

Russia-linked Sandworm threat actors targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper.

According to CERT-UA, nation-state actors targeted high-voltage electrical substations with INDUSTROYER2; the variants analyzed by the researchers were customized for the respective substations.

The attackers also employed the CADDYWIPER wiper against Windows-based systems, while hitting server equipment running Linux with the ORCSHRED, SOLOSHRED and AWFULSHRED destructive scripts.

“Centralized distribution and launch of CADDYWIPER is implemented through the Group Policy Mechanism (GPO). The POWERGAP PowerShell script was used to add a Group Policy that downloads file destructor components from a domain controller and creates a scheduled task on a computer.” reads the advisory published by the Ukrainian CERT. “The ability to move horizontally between segments of the local area network is provided by creating chains of SSH tunnels. IMPACKET is used for remote execution of commands.”

CERT-UA states that the APT group launched at least two waves of attacks against the energy facilities. The initial compromise took place no later than February 2022. It is interesting to note that the disconnection of electrical substations and the decommissioning of the company’s infrastructure were scheduled for Friday evening, April 8, 2022.

The good news is that the attacks were detected and neutralized by government experts with the help of cybersecurity firms ESET and Microsoft.

The CERT-UA collected indicators of compromise for these attacks and shared them, along with Yara rules, with a limited number of international partners and Ukrainian energy companies.

Security firm ESET, which helped the Ukrainian government, published a detailed report on the Industroyer2 malware used to target a Ukrainian energy company.

The researchers confirmed that the attacks were scheduled for 2022-04-08, but artifacts suggest that the attack had been planned for at least two weeks.

“We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine” reads the report published by ESET. “We assess with high confidence that the APT group Sandworm is responsible for this new attack.”


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)


US indicted 4 Russian government employees for attacks on critical infrastructure

The U.S. has indicted four Russian government employees for their involvement in attacks on entities in critical infrastructure.

The U.S. has indicted four Russian government employees for their role in cyberattacks targeting hundreds of companies and organizations in the energy sector worldwide between 2012 and 2018.

“The Department of Justice unsealed two indictments today charging four defendants, all Russian nationals who worked for the Russian government, with attempting, supporting and conducting computer intrusions that together, in two separate conspiracies, targeted the global energy sector between 2012 and 2018.” reads a press release published by DoJ. “In total, these hacking campaigns targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries.”

The two indictments, one from June 2021 and one from August 2021, are charging one employee of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) and three officers of Russia’s Federal Security Service (FSB).

According to the June 2021 indictment, an employee of the Russian Ministry of Defense research institute, Evgeny Viktorovich Gladkikh, and his co-conspirators attempted to damage critical infrastructure outside the US. The attacks caused two separate emergency shutdowns at a foreign targeted facility. The group also attempted to hack the systems of a US company operating critical infrastructure in the United States.

“According to the indictment, between May and September 2017, the defendant and co-conspirators hacked the systems of a foreign refinery and installed malware, which cyber security researchers have referred to as “Triton” or “Trisis,” on a safety system produced by Schneider Electric, a multinational corporation. The conspirators designed the Triton malware to prevent the refinery’s safety systems from functioning (i.e., by causing the ICS to operate in an unsafe manner while appearing to be operating normally), granting the defendant and his co-conspirators the ability to cause damage to the refinery, injury to anyone nearby, and economic harm.” continues the DoJ. “However, when the defendant deployed the Triton malware, it caused a fault that led the refinery’s Schneider Electric safety systems to initiate two automatic emergency shutdowns of the refinery’s operations.”

In August 2021, the US DoJ charged three FSB officers (Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov) working in Military Unit 71330, also known as ‘Center 16’ (aka Dragonfly, Berserk Bear, Energetic Bear, and Crouching Yeti).

Between 2012 and 2017, the Dragonfly APT conducted multiple attacks targeting ICS or Supervisory Control and Data Acquisition (SCADA) systems used in the energy industry, including oil and gas firms, nuclear power plants, as well as utility and power transmission companies.

According to the indictment, the campaign against the energy sector involved two phases. In the first phase, which took place between 2012 and 2014, the nation-state actor was tracked as “Dragonfly” or “Havex” and engaged in a supply chain attack, compromising the networks of OT system manufacturers and software providers and deploying the “Havex” implant.

The attackers also launched spear-phishing and “watering hole” attacks that allowed them to install malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.

In the second phase, which took place between 2014 and 2017, the APT group tracked as “Dragonfly 2.0” focused on more targeted attacks against specific energy sector entities and against individuals and engineers who worked with ICS/SCADA systems. The group targeted more than 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S. government agencies such as the Nuclear Regulatory Commission.

“In some cases, the spearphishing attacks were successful, including in the compromise of the business network (i.e., involving computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas, which operates a nuclear power plant. Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity.” states the DoJ.

The DoJ warns of attacks from Russia-linked APT groups against critical infrastructure on a global scale.

CISA, the FBI, and the U.S. Department of Energy also published a joint cybersecurity advisory detailing the tactics, techniques, and procedures (TTPs) of the indicted state-sponsored Russia-linked threat actors.

“This joint Cybersecurity Advisory (CSA)—coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE)—provides information on multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 and targeted U.S. and international Energy Sector organizations. CISA, the FBI, and DOE responded to these campaigns with appropriate action in and around the time that they occurred.” reads the joint advisory.


Pierluigi Paganini

(SecurityAffairs – hacking, Russian government employees)
