A hacker homecoming at S4, conference highlights and a surge in 0-days
The theme for last week’s S4 industrial cybersecurity conference was “no limits.” Blake Sobczak/README
Welcome to Changelog for 4/24/22, published by Synack! It’s me, Blake, and if you missed the Atlantic Council panel I moderated Friday on the new industrial control system (ICS) focused Pipedream malware, you can check it out here. Panelists discussed everything from the geopolitical ramifications of the global energy transition to the alarming proliferation of cyber/physical malware like Pipedream and Industroyer2. It’s no coincidence that all five participants also attended last week’s S4x22 industrial cybersecurity conference, a goldmine of cutting-edge info for critical infrastructure defenders. For this week’s newsletter, I’ll recap the action for those who couldn’t make it to Miami Beach:
The payload
Call it an ICS hacker homecoming. After the S4 conference was canceled in 2021 due to the coronavirus pandemic and this year’s conference had to be delayed from January due to Omicron, the industrial cybersecurity gathering finally got off the ground last week in Miami Beach.
I was along for the ride there, from the breezy, seaside “cabana sessions” on Tuesday to Thursday afternoon’s groggy wait for a food truck lunch on the scorching sidewalk.
It was heartening to see such a tight-knit community together again, and the conference drew a record 797 participants from 30 countries, according to S4 founder Dale Peterson. (One prominent speaker likened it to a high school reunion.) An opening networking event reserved for women in ICS security — who comprised 20% of the S4 audience this year, Peterson said — was a hit with attendees including Sherry Hunyadi, chief security architect at Chevron, who pointed out that it was an excellent opportunity to engage in cyber intelligence and engineering conversations. “Believe it or not… for IT and OT combined, half of my leadership team is female, so the world is changing,” Hunyadi said on Thursday ahead of S4’s closing panel. Peterson said the Women in ICS Security event will return for next year’s conference, slated for mid-February 2023.
The conference also coincided with the high-stakes “Pwn2Own” hacking competition, in which 2 Dutch participants took home top honors (and a $40,000 bounty) for finding a critical vulnerability in the ubiquitous OPC UA industrial communications protocol, as Patrick Howell O’Neill reported for the MIT Technology Review. All the “really cool research” unearthed 26 unique zero-day flaws for a total of $400,000 in prizes, said Dustin Childs, communications manager for the Zero Day Initiative that runs the contest.
Finally, ICS security pros Chris Sistrunk and Maggie Morganti took the stage during the “unsolicited response” portion of the conference — giving any attendee a 5-minute window to rant or rave — to deliver a merciless deluge of groan-inducing cybersecurity “dad jokes.” My personal favorite?
“I love the F5 key. It’s just so refreshing.”
The week, compiled
Jokes aside, S4 speakers tackled a range of heady topics, from the new Russia-nexus Pipedream malware to cybersecurity challenges in the maritime industry and the importance of a “software bill of materials” for ICS vendors.
Robert Lipovsky, principal threat intelligence researcher at Slovakia-based cybersecurity firm ESET, cut his vacation to Panama short to deliver a talk on the Industroyer2 malware, which cropped up in Ukraine’s grid recently as suspected Russian hackers tried to trigger another blackout.
The April 8 attempted cyberattack on a Ukrainian Oblenergo energy provider failed, unlike two previous Russia-linked hacks in 2015 and 2016 that succeeded in briefly cutting off electricity to several hundred thousand Ukrainian citizens.
Industroyer2 borrows much of its functionality from 2016’s Industroyer malware (also tracked as CrashOverride), though the latest version doesn’t really add any sophisticated new twists.
“Honestly, what surprised me the most is that we didn’t see it earlier than this,” Lipovsky told me and cybersecurity journalist Kim Zetter on the sidelines of S4. “And that was one of the puzzling things since Industroyer1, with such a powerful piece of malware… that we haven’t seen it afterwards for five years.”
In fact, Industroyer2 represents “a step backwards” in many ways compared to its predecessor, Lipovsky said. Its core functionality remained the same: to open/close circuit breakers or produce a strobing effect with the devices to disrupting the grid. But while Industroyer2 incorporated a new wiper tool in keeping with Russia’s modus operandi in its hybrid war with Ukraine, it shed its ability to communicate using several protocols specific to grid ICS, emerging from years of disuse with some freezer burn.
“Why shrink the capability and make something slimmer compared to the capabilities of the original version?” Lipovsky said.
Still, he added, “At this time, we haven’t identified any coding errors per se; I would say it’s too early to actually judge the efficacy of the malware and the level to which it was rushed.”
And as Ukrainian cybersecurity authorities warn of wave after wave of cyberattacks on their electricity networks, I’d be wary of declaring victory over Industroyer2.
Here’s a dose of non-S4 news from last week:
README: T-Mobile saw some of its source code siphoned off by the Lapsus$ Group recently, according to new reporting last week. Experts worry the criminal crew’s tactics may be copied by others looking to wreak havoc on Big Tech and telecom victims.
Wired: Google’s “Project Zero” registered a record uptick in 0-day vulnerabilities found in the wild last year, and Mandiant also reported that the powerful, previously undisclosed software vulnerabilities are being increasingly used by attackers ranging from state-backed spies to run-of-the-mill ransomware criminals.
A message from Synack
Does your penetration testing meet compliance requirements? Synack recently announced it received Moderate “In Process” status from FedRAMP, meaning even more US departments, agencies and contractors can utilize its global network of elite ethical hackers for on-demand, around-the-clock pentesting. Find out more here.
Flash memory
I attended my first S4 conference in January 2016, when the previous month’s unprecedented cyberattack on Ukraine’s power grid was still under active investigation and the ICS security community was abuzz over how the the Department of Homeland Security’s National Protection and Programs Directorate — the Soviet-sounding predecessor to CISA — would respond.
One memorable session onstage was Peterson’s interview of Marty Edwards, who then headed the Industrial Control Systems Cyber Emergency Response Team at NPPD.
“Dale and I planned that so it looked like an interrogation… so for me it was the table, two chairs and the lone light bulb dangling above,” Edwards, now vice president of operational technology security at cybersecurity firm Tenable, told me. “I always respected Dale’s perspective and thought in sessions like that he always pushed industry and government to do more.”
In this year’s S4, Peterson sat down with CISA director Jen Easterly— though he spared her the interrogation room lighting.
Local files
The New Yorker: Israeli spyware vendor NSO Group’s powerful Pegasus malware was deployed against dozens of activists, lawyers and officials in Catalonia, as well as against a device linked to the office of U.K. Prime Minister Boris Johnson, according to new research from Citizen Lab.
The New York Times: Though all but impossible to verify, Ukrainian-aligned hackers are pushing out troves of allegedly stolen data revealing details about Russian spies, even as Moscow has stepped up attempted cyberattacks on Ukraine’s power grid and critical infrastructure during the ongoing ground war.
Off-script
You may have heard of the Financial Services Information Sharing and Analysis Center (FS-ISAC), a Reston, Va.-based hub for getting the word out about cyberthreats to major banking institutions or global financial networks. Or maybe you know about the E-ISAC, which takes on hacking risks facing North American electric utilities. Or perhaps you’ve met the newest ISAC on the block, the MFG-ISAC, which launched last month to help manufacturers parry IoT threats to their systems.
But what about the BEER-ISAC? Brewed in 2016 on the sidelines of S4, the ISAC has more than quadrupel-ed in size since then, offering a refreshing venue for infosec pros to share unfiltered thoughts on high-gravity threats from lager-4j to the bitter hacking group Cloud Hopper. Membership is a bit hazy, but many in the BEER-ISAC work for pub-licly traded cybersecurity companies or are exploring an IPA. Still, its founders bock at the notion of corporate sponsorship, instead preferring to preserve the laid-back, Bohemian atmosphere of the group.
That’s ale for this week — please send any story ideas, feedback or café cubano brewing tips to bsobczak@synack.com. Until next Sunday!