Triton malware indictments, more Lapsus$ chaos and ShmooCon’s revival
The U.S. has accused hackers affiliated with Russian research institute CNIIHM of carrying out one of the riskiest cyberattacks in history. A building once affiliated with CNIIHM is shown via Google Maps.
Welcome to Changelog for 3/27/22, published by Synack! It’s me, Blake, your loyal ShmooCon correspondent. The celebrated D.C. cybersecurity conference played out over the last three days, with presenters taking on everything from reverse engineering Pokémon Snap stations to “chaos patching” to prevent the next SolarWinds-style breach. I wrote a rundown of what you may have missed. But there was plenty of other news:
The payload
The Justice Department unsealed indictments against four Russian nationals on Thursday for allegedly orchestrating some of the most dangerous cyberattacks of all time.
One name stood out in the DOJ documents: Evgeny Viktorovich Gladkikh. The Russian citizen is accused of working with co-conspirators at a research institute known by its Russian acronym CNIIHM to undermine safety-critical control networks at energy facilities in the U.S. and abroad.
His attempt to hack a U.S. refinery in 2018 failed, DOJ said. But the year before that, Gladkikh is accused of breaching an unnamed foreign refinery, causing a series of outages in summer 2017 via malware (later dubbed “Triton”) designed to override Schneider Electric safety backstops.
“The methods and tools Gladkikh and co-conspirators used demonstrate that, rather than seeking to simply cause a shutdown, they intended to gain the capability to prevent safety systems from functioning and to cause physical damage to the refinery, with potentially catastrophic effects,” DOJ said in an indictment handed down by a grand jury in June 2021 and made public Thursday.
In short, Gladkikh could have killed people with malware.
DOJ didn’t identify the foreign refinery, but I reported in 2019 that it was the Petro Rabigh facility along Saudi Arabia’s Red Sea coast. Looking back on that story, I’m glad I reported on the identity of the refinery due to the newsworthiness of the 2017 cyberattack, but I’m also glad I opted against naming any individuals with potential ties to CNIIHM and the first-of-its-kind Triton malware. One person I had zeroed in on through my reporting was not named in the latest indictments, and I’m sure DOJ would have unveiled charges yesterday against him, too, if it had enough evidence.
The week, compiled
Part chaos brokers, part data extortionists, and evidently a bunch of teenagers, the Lapsus$ group piled on the pandemonium last week by announcing breaches of Microsoft and Okta.
It started with screenshots: The Lapsus$ data extortion crew posted images from an internal dashboard at cybersecurity and identity management provider Okta, claiming on their Telegram channel that they had compromised the authentication company. They also shared an image indicating they had accessed a Microsoft server with source code for the Bing search engine and a few other products.
Okta brushed off the incident, characterizing it as an “attempt to compromise” a third-party customer support engineer whose company “contained” the issue. But Okta changed its tune in a matter of hours, releasing increasingly detailed (and alarming) statements on the extent of the January breach.
Lapsus$ had already made a name for itself leaking source companies from tech giants like NVIDIA and Samsung, as Kim Crawley reported for README earlier this month. But the Okta breach upped the ante: Here was a Silicon Valley darling with thousands of high-profile clients, plunged into crisis by a hacking group cheeky enough to run online polls about which victim to tear down next.
Adding insult to injury, Bloomberg reported that the mastermind behind Lapsus$ is allegedly a teenaged U.K.-based hacker who uses the moniker “breachbase” while operating from his mom and dad’s house.
Microsoft, which saw some of its source code leaked by Lapsus$, released a deep dive into the hacking crew’s tactics, noting that the group “doesn’t seem to cover its tracks.” That approach may be catching up with the criminal hackers: London police announced they had arrested several people between the ages of 16 and 21 in connection with the hacking spree, as Gizmodo reported Friday, though the seven individuals haven’t formally been charged with any crimes. We’ll have to wait and see if the arrests can slow Lapsus$ down.
Here’s what else came down the pike last week:
README: Infosec practitioner Jackie Singh urged other cybersecurity pros to put aside their Web3 grievances and seize the opportunity to secure the burgeoning blockchain-backed internet ecosystem.
CNN: The White House issued a warning on the potential for Russian hackers to target U.S. critical infrastructure, as five energy companies were reportedly scanned as part of malicious “preparatory activity.”
The Washington Post: U.S. officials pinned a recent hack affecting some European satellite networks to Russia, adding to a string of quick-turnaround cases of attributing cyber activity to Moscow.
CyberScoop: The FBI released its annual internet crime report, with reported incidents up 7% in 2021 compared to the previous year. Business email compromise again topped the list of costliest cybercrimes disclosed to U.S. authorities.
A message from Synack
Does your penetration testing meet compliance requirements? Synack recently announced it received Moderate “In Process” status from FedRAMP, meaning even more US departments, agencies and contractors can utilize its global network of elite ethical hackers for on-demand, around-the-clock pentesting. Find out more here.
Flash memory
The Havex malware, named after a snippet of code in a PHP server tied to a Remote Access Trojan, started appearing uninvited in the networks of industrial control system companies in spring 2014.
The group behind the RAT, tracked variously as “Dragonfly” or “Energetic Bear” at the time, compromised the networks of at least three European ICS equipment and software providers in an early example of a supply chain attack.
Seven years later, the U.S. government would formally accuse the Russian government of being responsible for the Havex, which presaged other, more advanced tools with ICS-specific capabilities.
In an indictment unsealed Thursday, DOJ linked Havex to three alleged FSB officers: Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov. They wielded Havex and other tools to successfully install malware on more than 17,000 unique devices, “including ICS/SCADA controllers used by power and energy companies,” DOJ said.
The Havex campaign stands out as one of the first examples of Russia’s focus on breaching the core ICS networks that underpin critical infrastructure. It would not be the last.
Local files
README: ShmooCon staged a comeback over the weekend in D.C. as the Washington Hilton hosted another sold-out crowd, several hacking contests and plenty of talks on pressing (plus a few not-so-pressing) cybersecurity topics.
FSB’s National Coordination Center for Computer Incidents (.ru link): Russia’s version of CISA issued an alert to companies there urging them to minimize their networks’ exposure to foreign software supply chains and roll back open-source updates to before Feb. 24, 2022 — the day Russia invaded Ukraine. The move comes after at least one prominent open-source developer issued malicious updates to sabotage Russian and Belarusian systems.
Off-script
Don’t miss this GQ profile of Nicolas Cage. As if starring in the undisputed greatest film of all time wasn’t enough, he also has a talking crow. And the photos are just <chef’s kiss>.
That’s it for this week — send any tips or feedback to bsobczak@synack.com. See you next Sunday!