From a Rural Texas ICS to MITRE, Hackers Unleash Aggressive Strikes Signaling No One Is Immune

An assorted wave of industrial compromises and successful attacks against even the most well-prepared organizations, underscores the need for a robust approach toward cybersecurity. Industrial organizations need to prepare for the inevitability of these attacks by adopting a holistic approach to cybersecurity that assumes cyberattacks are certain. In a recent attack against Industrial Control Systems (ICSs) in the United States, alleged Russian state-sponsored hackers caused water systems in the small Texas town of Muleshoe to overflow. The attackers were able to access Human-Machine Interfaces (HMIs) and turn on water pumps, causing the plant’s tank water levels to overflow. In the nearby town of Hale Center, hackers stormed the city’s firewalls 37,000 times, prompting city officials to operate water systems manually. A third attack targeted the small town of Lockney, Texas, but was blocked before hackers could gain access to physical water systems. Cybersecurity firm Mandiant attributed the attacks to Russian hackers linked to Moscow. Mandiant has stressed that Russian hacking groups “present one of the widest and highest severity cyber threats globally.”

In another incident, cybersecurity firm Claroty noted that Ukrainian hackers deployed remote ICS malware to target industrial sensors in Russia. The malware dubbed “Fuxnet” was deployed by Ukrainian hacker group Blackjack and targeted Russian infrastructure and utilities companies. Blackjack claimed last week that it attacked Russia’s Moscollector company that is active in the areas of underground infrastructure, including water, sewage, and communication systems. In a statement, the group claimed to have destroyed 87,000 sensors and controls using Fuxnet malware, which is claimed to be a form of the notorious Stuxnet malware, but on steroids.

To make matters worse in the world of cybersecurity, the renowned MITRE corporation, author of the ATT&CK open-source knowledge base of adversary cyber tactics, conceded that its Research and Development (R&D) network was compromised by a foreign nation-state threat actor back in January. Last week, MITRE announced that the hack happened in January, but it only became aware of the infiltration this month after threat actors leveraged a zero-day vulnerability via MITRE’s Ivanti Virtual Private Networks (VPNs). The hack affected other parties that were using MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for R&D. In a video posted online, MITRE Chief Technology Officer (CTO) Charles Clancy declared that it had taken all the recommended actions by the appliance vendor and the U.S. government, but “they were clearly not enough,” to avoid the breach.

The Texas and Ukraine-linked hacks signify the vulnerability of critical infrastructure to cyberattacks. Sophisticated threat actors will increasingly engage in ill-intentioned activity that will gain them access to physical controls so that they can effectively control hacked assets. The ability of a hacker to impose real-world consequences on organizations is the zenith of malicious activity and we can reasonably assume that these types of attacks will increase, unless widespread adoption of appropriate defense mechanisms occurs. With ongoing geopolitical tensions in Europe and the Middle East prompting nations to take sides in these conflicts, there is heightened potential for retaliation and the escalation of hacking activities between rival nation-states. Even sophisticated organizations such as MITRE that provide cybersecurity guidance for a variety of stakeholders show vulnerability to threats, revealing the sophistication and fluid nature of threats. The zero-day MITRE attack via exploiting VPNs and then bypassing MITRE’s Multi-Factor Authentication (MFA) indicates that the usual best practices will not mitigate advanced attacks. Furthermore, the hackers in the MITRE case were able to laterally move deep into the network using a compromised administrator account, while maintaining their presence by a combination of backdoors and harvesting credentials. The incident is a wakeup call for organizations. Not only are they susceptible to compromise, but threats can be persistent before they are revealed, potentially leading to severe reputational and financial damage.

Industrial organizations need to move beyond in-house cybersecurity solutions to deploying the expertise of highly skilled and experienced cybersecurity vendors. With the help of these vendors, they need to harden ICSs by implementing strong authentication mechanisms and disabling unused ports on ICS and Supervisory Control and Data Acquisition (SCADA) systems, therefore reducing the attack surface. Regularly patching and updating ICS software and industrial firmware helps mitigate exploitation, while implementing network segmentation limits damage in case of a breach. In the case of the MITRE attack, micro-segmentation strategies could have limited lateral movement. Although MITRE and others are still investigating the incident, there are lessons to learn. These include deploying strategies to minimize threats, including anomaly detection, network behavioral analysis using advanced Artificial Intelligence (AI) and Machine Learning (ML) tactics, and adversary engagement via honeypots that lure hackers and reveal their strategies. Deploying least privilege and Zero-Trust strategies also limit the impact of a compromised credential.