Global Weekly Executive Summary, 3 August 2018

VPNFilter

In July 2018, the VPNFilter malware reportedly tied to a Russian military intelligence agency infected a chlorine station connected to Ukrainian water treatment and sewage plants. This intrusion is the latest in a string of disruptive Russian cyberattacks to target critical infrastructure in the past three years.

VPNFilter also made news in the US in May 2018 when 500,000 routers and other devices for small office/home office use were discovered to be infected by the malware.

The Aulska Chlorine Station

On July 11th 2018, the Security Service of Ukraine (SBU) released a statement that they detected the VPNFilter malware on the systems of the Aulska chlorine station in central Ukraine. The SBU says that “within a few minutes,” the technological processes and safety systems at the station were affected by the “computer virus VPNFilter from the territory of the Russian Federation.” The statement went on to say, “the continuation of the cyberattack could have led to a breakdown of technological processes and possible crash.”

According to the statement, the goal of the cyberattack was to block the functioning of the overflow station “which provides liquid chlorine to clean water from water supply and sewerage enterprises throughout the territory of Ukraine.”

VPNFilter in the US

In May 2018, alerts and news releases from US-CERT, the US Department of Justice, and the Federal Bureau of Investigations warned that the VPNFilter malware had infected 500,000 routers and other devices in 54 countries.

A US-CERT technical alert warned that infected devices like routers and network-attached storage (NAS) devices were vulnerable to network traffic collection, the monitoring of Modbus supervisory control and data acquisition (SCADA) protocols, and that the malware included “a destructive capability that can make the affected device unusable.”

This means that many of the most popular routers and data storage devices often used in homes or small office settings were vulnerable to infection by malware that allowed for snooping. VPNFilter also had a “kill function” that would render these infected devices inoperable. A kill command sent out to all infected devices could have led to half a million homes or small offices losing internet access or saved files. It is also notable that VPNFilter was so modular and adaptable that malware perhaps originally used to monitor network traffic and steal the website sign in information of home users also had the capability to monitor Modbus packets which are used in industrial settings and not in homes or small offices.

A May 2018 blog post by Talos suggested that because of a spike in VPNFilter victims located in Ukraine and code similarities between VPNFilter and the BlackEnergy malware responsible for power outages in Ukraine in 2015, they suspected that devices infected by VPNFilter might be used as a botnet for a future cyberattack against Ukraine.

In a May 2018 press release, the US Department of Justice (DOJ) announced that they had seized control of a command and control server used to support VPNFilter and attributed the malware to Sofacy Group, also known as APT28 or Fancy Bear. This group is believed to be tied to the Russian foreign military intelligence agency, called the Main Intelligence Directorate or GRU. In July 2018, the US Department of Justice announced indictments for twelve GRU officers “for hacking offenses related to the 2016 [US presidential] election.”

Connections to Previous Cyberattacks

Ukraine and its critical infrastructure has been targeted by cyberattacks in the past.

The NotPetya and Bad Rabbit ransomware attacks in June and October of 2017 affected critical infrastructure organizations in energy, communications, transportation, manufacturing, banks, and the Chernobyl radiation monitoring system. The BlackEnergy attack in December 2015 and the CrashOverride/ Industroyer attack December 2016 both targeted the power grid, leading to power outages. Russia is suspected of being the source of the cyberattacks targeting or affecting Ukraine’s critical infrastructure that have occured since the 2014 Russian annexation of Crimea.

The US government warned of ongoing critical infrastructure attacks in the US as recently as March 2018. The Department of Homeland Security (DHS) and the Federal Bureau of Investigations (FBI) issued a joint Technical Alert “on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” During a DHS Awareness Briefing in July 2018, Jonathan Homer of the DHS’s National Cybersecurity & Communications Integration Center (NCCIC) stated that although there was no evidence of efforts to shut down the electrical grid, “They got access into systems. They did not push the button.” The activity was described as an “ongoing campaign.”

ANALYSIS

We have reached a new stage in which nation-state cyber operations no longer only affect powerful, high level targets like government agencies, the military, political leaders, and huge corporations. Nation-state sponsored cyber operations are now affecting the safety of regular people.

With VPNFilter, home users and small business owners and the devices in our homes were the target. Critical Infrastructure providers that offer water treatment, electricity, and other critical services to the general public are now targets.

In the case of the Aulska Chlorine Station, the goal of this cyber intrusion appears to have been to affect the functioning of the station which would in turn affect the water and sewage treatment facilities across Ukraine. If this attack had not been averted, a cyberattack launched by one country would have, in effect, tampered with the water supply of a neighboring country.

As nation-state sponsored cyber activity moves beyond espionage and cyberattacks begin to have physical results that affect human safety, events like the targeting of the Aulska Chlorine Station should rouse governments around the world to come together and decide which types of cyberattacks might be considered an act of war comparable to a physical armed attack that would warrant exercising the rights of self-defense in response (as discussed in the United Nations Charter, Chapter VII, Article 51).

For a more in-depth technical discussion, please see the article by our Vulnerabilities Analyst.

For more information on how to prevent and mitigate VPNFilter infections, please see the article by our Best Practices Analyst.

Appendix:

US Critical Infrastructure Sectors

as defined by the Department of Homeland Security

“There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

Chemical Sector

Commercial Facilities Sector

Communications Sector

Critical Manufacturing Sector

Dams Sector

Defense Industrial Base Sector

Emergency Services Sector

Energy Sector

Financial Services Sector

Food and Agriculture Sector

Government Facilities Sector

Healthcare and Public Health Sector

Information Technology Sector

Nuclear Reactors, Materials, and Waste Sector

Sector-Specific Agencies

Transportation Systems Sector

Water and Wastewater Systems Sector

Sources:

Security Service of Ukraine, In the Dnipropetrovsk region, the SBU warned the cyberattack of Russian special services on the critical infrastructure object, 11 July 2018

Interfax Ukraine, SBU thwarts cyber attack from Russia against chlorine station in Dnipropetrovsk region, 11 July 2018

SecurityWeek, VPNFilter Malware Hits Critical Infrastructure in Ukraine,13 July 2018

Cyberscoop, Researchers uncover sophisticated botnet aimed at possible attack inside Ukraine, 23 May 2018

Wired, UNPRECEDENTED MALWARE TARGETS INDUSTRIAL SAFETY SYSTEMS IN THE MIDDLE EAST , 14 December 2017

Washington Post, Why the FBI says rebooting your router can weaken a global malware attack, 30 May 2018

Reuters, German intelligence sees Russia behind hack of energy firms: media report, 20 June 2018

Securityweek, Hackers Target Control Systems in U.S. Energy Firms: Symantec

Technical Reports

Cisco, Talos, New VPNFilter malware targets at least 500K networking devices worldwide, 23 May 2018

Cisco, Talos, VPNFilter Update – VPNFilter exploits endpoints, targets new devices, 6 June 2018

US/Federal Alerts

US-CERT, VPNFilter Destructive Malware, 23 May 2018

US Department of Justice, Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices, 23 May 2018

Internet Crime Complaint Center (IC3), Public Service Announcement, FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE, 25 May 2018

US-CERT, Alert (TA18-074A), Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,15 March 2018

Resources:

Cyber Threat Alliance, CTA ACTIONS AROUND VPNFILTER

Whitehouse.gov, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, 11 May 2017

Department of Homeland Security, Critical Infrastructure Resources

Lawfare, Cyber Strategy & Policy: International Law Dimensions, 1 March 2017

United Nations, CHAPTER VII: ACTION WITH RESPECT TO THREATS TO THE PEACE, BREACHES OF THE PEACE, AND ACTS OF AGGRESSION

Books:

Schmitt, M. N., & Vihul, L. (2017). Tallinn manual 2.0 on the international law applicable to cyber operations: Prepared by the International Group of Experts at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence. Cambridge: Cambridge Press.