Root Causes 307: OT Red Teaming Leads to Malware Attack
In this episode we describe how tools from operational technology red team exercises are being repurposed for malware attacks.
- Original Broadcast Date: May 31, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
We have a news item. This is from May 25, 2023, I’m looking at a blog post from Mandiant. And here’s the headline. I’m just going to read it. “Cosmic Energy. New OT Malware Possibly Related to Russian Emergency Response Exercises.” So, Jason, maybe for starters, when we say OT malware, what does OT mean?
-
Jason Soroko
Operational technology. So a lot of people, probably everybody who is listening to this podcast, is obviously familiar with the term “IT,” information technology. That “O” in OT is operational technology, and typically these are cyber physical, and of course, I know a lot of people cringe when they hear that word “cyber,” and maybe I do too sometimes. But really, OT really does relate to things like manufacturing plants, water plants, nuclear plants, you name it. Whenever you have information systems that are operating in a mission critical operational sense, we typically talk about OT environments. And those environments definitely have their own series of threat factors, and we worry about those things, and we talk about that on this podcast.
And this article from Mandiant is very interesting about a new variant on OT malware.
-
Tim Callan
So, this is things like make the power grid stop working, shut off the gas pipeline, screw up the traffic lights, stuff along those lines.
-
Jason Soroko
Exactly right. It’s real-world stuff that – it’s not just about the typical kinds of malware that are involved in fraud or other things. These kinds of things can put human lives at risk. That’s the reality of this.
-
Tim Callan
It’s about disrupting things in meatspace. So, alright. So, in this one, Cosmic Energy in particular I think is unusual. In what way is it unusual?
-
Jason Soroko
I tell you, it is unusual. We’ve seen OT malware before. We’ve reported on that on this podcast. And I think what is interesting here, Tim – the reason why I wanted to bring it up today was because whenever you think about these operational environments, you’re thinking about environments, Tim, that are very, very different than, say, the Microsoft stack of technologies, which is very homogenous. Think about a network stack, an operating system stack within an enterprise. And that’s one of the reasons why they’re such easy pickings for some bad guys: once you’ve figured out that stack and how to exploit it, well, any enterprise that maybe leaks some credentials is all of a sudden at a lot of risk. That homogenous environment is a good thing for the bad guys, which makes it harder to defend. So a lot of people in operational technology environments have really tended to think, well, my stuff is very obscure. It’s very difficult to get your hands on some of the equipment and technologies that are involved in these plants. How in the world would just the average person who is not an absolute insider be able to get access to these things and build malware for them, and create what is usually some sort of very, very elaborate Rube Goldberg-type effect within a plant in order to pull off whatever cyber physical event you want to cause? And unfortunately what we’re seeing here, and Mandiant’s making this pretty clear, is that the barrier to entry for writing this type of malware is becoming less and less. And so, I’d like to explain myself to you, Tim, in terms of what is new about that.
And that is this. We know that in the enterprise world, we have script kiddies, and we use that term because of the fact that the technology pipeline of the bad guys, in the enterprise world especially, when enterprises are the target, that homogenous set of technologies – there’s all kinds of open source research malware that’s out there that people can look at and utilize and start doing things like keylogging. Keylogging is not that hard because the code for it is available. You and I have talked quite a bit before about various other kinds of fraudulent malware that can help you to do fraud events with money. When the source code for the Zeus virus – this is going way back now – was made available, a lot of people realized, oh geez, hooking the memory space within the Windows operating system is not that difficult, I can actually hook the memory space of a browser and start to do man-in-the-browser-type events whenever you’re doing your banking or other things like that. And so those kinds of techniques became pretty ubiquitous amongst people who might not have figured out those kinds of clever techniques on their own. Well, obviously, OT-type malware requires a whole lot of inside knowledge and a whole lot of innovative, clever-type events like that. So, the problem here is that what we’re seeing, and this is Mandiant saying this, they think the source of this malware – and I’m not really as much interested in the Russian attribution of this at the moment.
As I say, I’m not as interested in the Russian attribution of this malware as I am interested in the fact that this malware seems to have been sourced from a, probably legitimate, red teaming operation. So in other words, the penetration testers that were hired by the OT industry within a country - like Russia - to basically test out their security posture. And some of these tools are making their way out of those hands and into the hands of people who are going to do bad things.
-
Tim Callan
Which is incredibly ironic.
-
Jason Soroko
And so, this is something, this is a pattern. If we’re calling out this story, we’re calling out this story from Mandiant because I think it really highlights, oh my God, this is not good. But, we’ve seen this now enough times that I wanted to call it out in this podcast, which is, we have talked about on this podcast a number of different ways that the bad guys learn. And, we’ve talked about the underground economy, Tim. It’s an interesting topic you and I have covered - how do the bad guys get their technology pipeline. And it turns out now that red teaming tools have been either breached from companies that are specialists in this. They build those kinds of tools legitimately in order to test security postures, but it’s especially worrying when you’re dealing with OT environments because that whole problem of security through obscurity, security through obfuscation of complicated protocols and very, very not homogenous, heterogeneous environments of various types of stacks of technologies that are very difficult for the average hacker to get into, all of a sudden these red teaming tools have a lot of the answers all spelled out for you. And that’s especially scary, Tim.
-
Tim Callan
I mean, they make a whole project of it and they quite possibly have access to information that would be incredibly hard to get another way, and if it’s just handed to you by a red teaming exercise, then that’s pretty terrible. I mean, the exercise that’s supposed to make you safer is the thing that actually opens up the vulnerability.
-
Jason Soroko
Exactly right. And so, like I say, I’m not as interested in the Russian attribution because I happen to - anybody following any of these kinds of OT cyber exercises might have heard about the World Economic Forum’s Project Polygon and/or things like this, where a lot of people are being organized into red teaming things that are very critical, and I think it’s important that we are really, really trying to be careful about the types of tools that are being developed and making sure these things don’t get into the general public’s hands. The stories about a specific Russian contractor, when in reality we know that there have been public exercises of red teaming such as the one I just mentioned where those tools that are being developed, if they start to become ubiquitous within the bad guys’ hands, my goodness, Tim, food, food plants, the ways that we get water, things that are fundamental to what we consider to be a modern life, whether it’s in Europe, North America, anywhere in the world, it’s kind of scary that - we know that these systems are vulnerable because of how open they are, we know that air gaps are myths with regard to security. I think really just the scariness of these systems being down and the discipline of the attackers is the reason why you don’t hear a ton about these events. But in reality, just like this Mandiant report specifies, in a very well-tucked away sentence, there’s a lot of these attacks that happen, and we don’t hear about them. And it would be terrifying if these kinds of things happened more often, and we just weren’t aware that this was the source of what was going on.
And I’m really, really just calling this out: the technology pipeline of the bad guys was already robust, and now I think for systems where the stakes are even higher, these cyber physical systems, these OT systems, the barrier to entry, and these are now Mandiant’s words, the barrier to entry to doing those kinds of attacks just gets lower and lower.
-
Tim Callan
Okay. Well, and we’ve talked about that trend. Like this is a thing that you constantly see, where what starts as an APT-level attack becomes an old-fashioned private hacker attack, becomes a script kiddie attack, and this is just sort of the evolution of these things as they get more motivated and more packaged up and more commercialized. And as that occurs, you watch this trend, and it’s sad. It’s too bad that that is the trend, but that’s the consistent trend, and let’s recognize it, and let’s make our plans to deal with it.
-
Jason Soroko
That’s right, Tim. So, maybe one more thing. And some of the trends that they point out here I think are worth repeating. Abuse of insecure by design protocols, and that is very, very common in OT networks where these OT networks were meant for extreme uptime connectivity, and so therefore, the protocols in the OT world are kind of wide open. And the abuse of them – once you have the tool sets to be able to access these protocols and speak those protocols, the ability to abuse them just becomes worse and worse, and they’re right to call this out. And as well, what’s very interesting is that there are now increasingly, Tim, open source libraries for implementation of those protocols. So, in other words, legitimate usage of these OT protocols – I think the people who are running these open source libraries are basically saying, hey, who else but industry insiders would use this. Nobody else would use this. Well, the bad guys will. And these things are literally open source libraries so that you don’t have to write code to talk these complicated protocols. And as well, they also call out here the use of Python for malware development and packaging. And I think that what we’re seeing here is kind of the malware language of choice, just because of the ease of usage in Python, is really out there, so, powerful script-level toolsets and libraries to be able to allow the attackers to write these things quickly and package them. And, it’s interesting how the gray hat and white hat community is building a lot of tools in Python to help with either red teaming or other types of things that are automating an attack, and the bad guys are saying, hey, thanks, thanks for writing that, and Mandiant is finding those kinds of toolsets being used in conjunction with these open source libraries for OT environments and the relative ease of being able to speak these complicated protocols within OT environments, and so, there it is.
The technology stack for the bad guy, just gets easier and easier, Tim.
-
Tim Callan
Well, there you go. So, once again, “Cosmic Energy. New OT Malware Possibly Related to Russian Emergency Response Exercise.” You can find it on the Mandiant blog if you want to read more about this.