Industrial malware, an unusual botnet breakup and a culprit for a record crypto heist

A liquefied natural gas plant in Peru. Unido/Flickr

Welcome to Changelog for 4/17/22, published by Synack! I’m your Miami-bound host, Blake, and I’m excited to deliver you news from the S4x22 industrial cybersecurity conference this week. From the latest grid cyberthreats facing Ukraine to the discovery of an alarming new industrial control system-focused malware framework, there will be plenty to discuss. Drop me a line if you’ll be there, and if not, you can follow along on Twitter. Now, here’s your weekly recap:


The payload

I understand why the North Korean government would resort to hacking cryptocurrency networks to make a quick buck while circumventing sanctions. And I see the appeal for China of hacking managed service providers, which can open the door to a buffet of cyberespionage targets.

But what does a nation-state hope to achieve by hacking Schneider Electric and Omron programmable logic controllers — specialized industrial devices that can be found in oil and gas sites and power grids worldwide? One state-backed hacking group nicknamed Chernovite is developing malware to do just that, as I reported for README last week. The group’s Pipedream framework could put “lives, livelihoods, and communities at risk” by threatening the core infrastructure services we all rely on, according to a Dragos blog post.

Cybersecurity firm Mandiant, which tracks the new cyberattack tool as Incontroller, noted that it “poses a critical risk to organizations with compatible devices,” even though the threat was unmasked before the malware could be triggered in any victim’s networks. Mandiant also cited “largely circumstantial” evidence of Russia’s involvement, given the destructive potential of the hacking tool and the proliferation of cyberthreats tied to the war in Ukraine.

But we don’t know if the intended victim was in Ukraine or the U.S. for that matter. Dragos CEO Robert M. Lee claimed on Twitter that the “‘how/where’ is probably not as exciting as you’re imagining.” That may be true — and Lee would certainly be in a position to know — but for a cyberthreat this rare and dangerous, I’d appreciate more clarity.

The week, compiled

Microsoft took a page from the U.S. government’s “name and shame” playbook for combatting global cybercrime and identified Denis Malikov as the alleged perpetrator behind a criminal botnet called ZLoader. The resident of the Russia-occupied Crimean Peninsula saw his botnet pulled out from under him after the U.S. District Court for the Northern District of Georgia authorized Microsoft to seize 65 malicious domains used to control the network of hacked devices.

Microsoft said Malikov lives in Simferopol on the Crimean Peninsula, pictured here in 2007. Paul Pod/Flickr

“We chose to name an individual in connection with this case to make clear that cybercriminals will not be allowed to hide behind the anonymity of the internet to commit their crimes,” Microsoft said in a statement reminiscent of recent Justice Department announcements unsealing criminal charges against global ransomware operators.

Getting out ahead of DOJ by naming an alleged cybercriminal is a surprisingly aggressive tactic for a massive, risk-averse tech company like Microsoft. There’s some danger it could inspire cybersecurity companies with less technical acumen to make unfounded accusations against innocent individuals who may be unable to defend their reputations from half a world away. But if naming and shaming can scare would-be cybercriminals away from launching ransomware attacks on hospitals or selling stolen credit card data, I’m all for it.

Here’s a slice of my browsing history last week:

CyberScoop: The Justice Department unveiled yet another takedown of a cybercriminal emporium, revealing authorities had seized the RaidForum site one week after announcing the dissolution of the sprawling Hydra Market darknet hub.

Vice: A North Korean hacking group was behind a record-breaking hack of the Ronin Bridge cryptocurrency network, according to the FBI and U.S. Treasury Department, which sanctioned an Ethereum address housing hundreds of millions of dollars of stolen funds.

Axios: Craigslist founder Craig Newmark has announced a $50 million philanthropic initiative to boost U.S. cybersecurity awareness and defenses.

The Wall Street Journal: Neurodiverse cybersecurity professionals are thriving in an era of remote work, helping to fill a dire shortage of cybersecurity professionals.

A message from Synack

Does your penetration testing meet compliance requirements? Synack recently announced it received Moderate “In Process” status from FedRAMP, meaning even more US departments, agencies and contractors can utilize its global network of elite ethical hackers for on-demand, around-the-clock pentesting. Find out more here.

Flash memory

VirusTotal rang in its 10th anniversary under the Google umbrella on Thursday, the team announced on Twitter. The acquisition of the scrappy anti-malware service, first disclosed in September 2012, put a powerful but fledgling anti-virus resource in the hands of a much more powerful global company.

Infosec pros broadly welcomed the move at the time, citing the vast infrastructure Google could bring to bear to support VirusTotal, which broadly scans files for anything suspicious, running each user upload through dozens of popular antivirus products for a holistic take.

VirusTotal in its Terms of Service warns users in ALL CAPS not to upload anything sensitive. There have been more than a few “oopsies” over the years.

For researchers, VirusTotal also serves as a sprawling, living library of malware samples — and occasionally of sensitive files that really shouldn’t have been shared there in the first place.

Local files

The Honolulu Star-Advertiser: Homeland security officials said they foiled an attempted cyberattack on an undersea communications cable. “We live in paradise, but that does not mean there is a diminished threat, particularly in the cyber world,” Homeland Security Investigations Special Agent in Charge John F. Tobon said.

The Washington Post: A local push to allow mobile voting in Washington, D.C., has faltered amid concerns about cybersecurity and the heightened potential for disinformation campaigns centered on the technology.

Decipher: Two different threat groups compromised the networks of an unnamed regional U.S. government agency and lurked there for months. LockBit ransomware was eventually triggered earlier this year in what one Sophos researcher called a “very messy attack.”

Off-script

It’s often said that squirrels pose a greater risk to the power grid than hackers. But what about turkeys?

Ben Franklin’s favorite bird flew into a power line outside the Y-12 National Security Complex in Oak Ridge, Tenn., as Defense Daily reported, causing a brief power outage to parts of the sprawling nuclear site last month.

A uranium processing facility under construction at the Y-12 National Security Complex. @y12nsc/Twitter

Luckily, backup power kicked in at a uranium processing facility affected by the outage, and nobody was hurt. I’ll be grateful for that next Thanksgiving.

That’s all for this week — please send any tips, feedback and S4 karaoke requests to bsobczak@synack.com. See you next Sunday, and Happy Easter to those who celebrate!