In the last two weeks, several U.S. government agencies issued multiple joint alerts warning businesses and critical infrastructure operators about the discovery of malicious cyber tools that could be used to gain access to industrial control systems.
While the important alert from the Energy Department, the Homeland Security Department, the FBI, and the National Security Agency (NSA) did not specifically identify the actor behind the malware, what has caught the attention of these agencies is the sheer sophistication of the malware involved. The APT group behind the malware created it specifically to target liquified petroleum gas and electric power targets in the USA.
Operating in the background
In the last decade, APT groups have managed to gain Gigabytes of data on critical infrastructure operators across the globe through reconnaissance attacks. Such attacks have either gone unnoticed or have not been taken up for action or analysis by the impacted cybersecurity teams. This has resulted in a situation where bad actors have gained tons of data that could be used in an actual cyberattack or for the development of crafted malware.
This includes data relating to:
- Security frameworks and incident response depths and capabilities related to critical facilities
- Supply chain entry points for loading malware to target entities downstream
- Ways to keep malware latent for prolonged periods of time. This includes periods of facility shut down, renovation, change of components, etc.
- Methods to infiltrate malware through non-conventional means including designating specific CI employees as targets for multi-stage phishing campaigns
- Identifying disgruntled employees who could be targeted more easily
Further, through contaminated firmware residing in less than complex IoT systems such as smart surveillance, data and credentials have either been exfiltrated or copied onto other systems for exfiltration.
The data gleaned is then used for creating modified malware variants that are often more effective in breaching the target networks than non-modified variants. Such malware are then deployed through the same route used during the reconnaissance attack (if the malware loader is still available or if the exploit is still unattended to).
What does this translate into for cybersecurity teams?
- More targeted attacks and breaches that could lead to more loss of information or a huge ransom demand
- Malware evolution cycles have shrunk to months and weeks from years
- Malware can be repeatedly tweaked for improving its effectiveness by evading defenses
- This would increase the success rate for malware developers and bad actors who can then build on this success
- IoT deployments and OT-based critical infrastructure face an immediate threat
Want to learn more on how to deflect targeted attacks? Learn more about our adaptive cybersecurity solutions today.
Try our threat intelligence feeds for free and block over 18 million cyberattacks each day.
Talk to our cybersecurity experts today to get to know more about our IT-IoT-OT cybersecurity solutions and threat intelligence. Book here.
We invite all cybersecurity leaders across verticals and countries to participate in this survey. Your participation will enable us to turn the survey into a more participative and comprehensive effort: CISO survey 2022
Try our threat intelligence feeds for free for the next two weeks.