An attack known as VPNFilter recently hit the news. One of the locations affected by VPNFilter was a chlorine plant known as the “Aul Chlorotransfer Station” in the Dnipropetrovsk region of Ukraine. Why there? It could have been a site the attackers chose to test their capability, but an industrial accident caused by an OT security failure at a chemical plant could also have dire health and environmental consequences.
Early investigations by the U.S. Department of Justice attributed VPNFilter to Sofacy, a Russian cyber-espionage group also known as APT28, Sandworm, X-Agent, Pawn Storm, Fancy Bear and Sednit. One of the interesting facets of this attack is that VPNFilter is a documented case of general-purpose malware that also carries a payload aimed at ICS-specific targets: a traffic-sniffing module that watches for Modbus. VPNFilter lives on routers. That is an unusual place for malware to live, but it is not completely surprising: (a) it is harder for many security products to spot malware residing on a router, and (b) an industrial controller does not have enough memory for malware to reside in it.
Further, an attacker's path from a router in an OT environment to its crown jewels, the industrial controllers themselves, is virtually unimpeded: these devices often require no authentication and have no security on them whatsoever.
Routers have recently become a launching point for an increasing number of attacks. As of 24 May 2018, VPNFilter was estimated to have infected at least 500,000 routers worldwide. So why have we seen only limited outbreaks of VPNFilter? In many cases the attacker is seeking “red button” functionality: first gaining the ability to strike, then launching the attack at a time of their choosing. As a result, attackers are biding their time, listening to Modbus traffic specifically and performing reconnaissance before the actual attack takes place. Indicators suggest that Modbus traffic was collected because the attack was likely tailored on a per-plant basis, taking each plant's specific operational parameters and configuration into account.
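To make concrete what a sniffer sitting on a router can learn from plant traffic, and what "no authentication" on the controller means in practice, here is an added example (written for this page; it is not code from the original article nor from any VPNFilter analysis): a minimal Modbus/TCP request decoder run over three constructed frames, followed by a check that flags write requests from any host that is not the known HMI. The IP addresses, register addresses, values and the "allowed masters" set are invented for illustration; the frame layout (7-byte MBAP header followed by the PDU) and the function codes are standard Modbus/TCP.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Modbus/TCP function codes that change controller state. Classic Modbus/TCP
# carries no credential of any kind: whoever can reach TCP/502 can issue these.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int
    quantity: int
    values: Tuple[int, ...]

    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS

    def name(self) -> str:
        return WRITE_FUNCTIONS.get(self.function) or READ_FUNCTIONS.get(
            self.function, f"Function 0x{self.function:02x}")


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tx_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame ({len(frame) - 6})")
    function = frame[7]
    pdu = frame[8:]
    if function in (1, 2, 3, 4):            # reads: start address, quantity
        address, quantity = struct.unpack(">HH", pdu[:4])
        return ModbusRequest(tx_id, unit_id, function, address, quantity, ())
    if function in (5, 6):                  # single writes: address, value
        address, value = struct.unpack(">HH", pdu[:4])
        return ModbusRequest(tx_id, unit_id, function, address, 1, (value,))
    if function in (15, 16):                # multiple writes: address, qty, byte count, data
        address, quantity, byte_count = struct.unpack(">HHB", pdu[:5])
        data = pdu[5:5 + byte_count]
        if len(data) != byte_count:
            raise ValueError("byte count exceeds frame")
        if function == 16:
            values = struct.unpack(f">{byte_count // 2}H", data)
        else:
            values = tuple(data)            # coil bitmap, one byte per 8 coils
        return ModbusRequest(tx_id, unit_id, function, address, quantity, values)
    raise ValueError(f"unsupported function code {function}")


def flag_unexpected_writes(captures: List[Tuple[str, bytes]],
                           allowed_masters: set) -> List[str]:
    """Return one alert per write request that did not come from a known HMI/SCADA master."""
    alerts = []
    for src, frame in captures:
        req = parse_modbus_tcp(frame)
        if req.is_write() and src not in allowed_masters:
            alerts.append(f"{src} -> unit {req.unit_id}: {req.name()} at 0x{req.address:04x} "
                          f"values={req.values} (txid {req.transaction_id})")
    return alerts


# Constructed sample traffic (not a real capture): one read poll from the HMI,
# one register write from the HMI, one register write from an unknown host.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 1234".replace(" ", ""))
WRITE_MULTI = bytes.fromhex("0003 0000 000b 01 10 0020 0002 04 0001 0002".replace(" ", ""))

SAMPLE_CAPTURE = [
    ("10.0.0.10", READ_HOLDING),    # HMI polling holding registers 0-9
    ("10.0.0.10", WRITE_SINGLE),    # HMI setting register 16 to 0x1234
    ("10.0.0.99", WRITE_MULTI),     # unknown host writing registers 32-33
]
ALLOWED_MASTERS = {"10.0.0.10"}     # assumed: the plant's only legitimate master

if __name__ == "__main__":
    for src, frame in SAMPLE_CAPTURE:
        req = parse_modbus_tcp(frame)
        print(f"{src}: unit {req.unit_id} {req.name()} addr=0x{req.address:04x} "
              f"qty={req.quantity} values={req.values}")
    for alert in flag_unexpected_writes(SAMPLE_CAPTURE, ALLOWED_MASTERS):
        print("ALERT:", alert)
```

The decoder shows the reconnaissance value of passive sniffing: every frame exposes which unit IDs exist, which registers the HMI polls and which it writes, and the values it writes, which is exactly the per-plant configuration an attacker would need to tailor a payload. The source-address check is the cheapest compensating control when the controllers themselves cannot authenticate: it does nothing to stop the write, but it makes a write from an unexpected host visible.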
Some manufacturers suggest the best mitigation for VPNFilter is to factory reset the network routers, but is that practical in an industrial production environment? The reason a reset rather than a reboot is advised is that VPNFilter's first stage persists across reboots and can re-download the later stages, so a reboot alone only buys time. VPNFilter is yet another wake-up call to the OT community that industrial operations are in the crosshairs of hacker activity. There has never been a greater need to secure the OT network and the devices on it before the red button is pressed.