Wiper malware, IoT botnet activity, Russia/Ukraine war impacted threat landscape, Nozomi says

In its latest OT/IoT security report, industrial cybersecurity company Nozomi Networks disclosed that wiper malware, IoT botnet activity, and the Russia/Ukraine war impacted the threat landscape in the first six months of this year. From cyber threat activity incited by the Russia/Ukraine war to hackers obfuscating their malicious activity, attacks can be unpredictable. Cybercriminals have changed their tactics, focused on new targets, and increased their attack frequency. Meanwhile, companies are fighting the endless battle of making industrial processes more efficient without compromising security. 

“Since Russia began its invasion of Ukraine in February 2022, we have seen activity from several types of threat actors, including hacktivists, state-backed APTs, and cyber criminals,” Nozomi said in its report, titled ‘OT/IoT Security Report: Cyber War Insights, Threats and Trends, Recommendations’. “We also saw robust usage of wiper malware, and an Industroyer variant, dubbed Industroyer2, was developed to misuse the IEC-104 protocol, which is commonly used in industrial environments.” 

Nozomi said that the 2022 cyber threat landscape is complex, with multiple factors contributing to breaches or cyber-physical attacks. The factors include the increasing number of connected devices, the growing sophistication of malicious actors, increased reliance on cloud services and data sharing, and escalation in attacks against critical infrastructure and enterprises using industrial control systems (ICS). Organizations must keep pace with technology and new threats to protect their assets as the threat landscape continues to evolve. 

During the period, Nozomi honeypots found that March was the most active month with close to 5,000 unique attacker IP addresses collected. It also discovered that the top attacker IP addresses were associated with China and the U.S., and ‘root’ and ‘admin’ credentials were most often targeted and used in multiple variations as a way for threat actors to access all system commands and user accounts.
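The honeypot statistics above (unique attacker IPs per month, credentials tried in multiple variations) are the kind of summary a defender derives from raw authentication-attempt logs. The script below is an added example and is not Nozomi's code or tooling; the log line format and the sample lines are constructed for this illustration, and the attacker addresses come from documentation ranges.

```python
"""Aggregate constructed honeypot authentication-attempt logs into the summary
figures a report like Nozomi's gives: unique attacker IPs per month, the
most-targeted usernames (case-folded so 'root', 'Root' and 'ROOT' count as one
credential tried in variations), and any successful logins.

Added example, not from the Nozomi report. The line format is an assumption:
"<ISO-8601 UTC timestamp> <source ip> <username> <password> <fail|success>".
"""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed sample log (documentation IP ranges, made-up credential guesses).
SAMPLE_LOG = """\
2022-03-01T02:14:07Z 203.0.113.5 root 123456 fail
2022-03-01T02:14:09Z 203.0.113.5 root admin fail
2022-03-02T11:41:52Z 198.51.100.77 admin admin fail
2022-03-02T11:42:00Z 198.51.100.77 Admin password fail
2022-03-15T19:03:22Z 192.0.2.9 pi raspberry fail
2022-04-01T00:00:01Z 203.0.113.5 root toor fail
2022-04-10T08:30:30Z 192.0.2.44 ADMIN 1234 fail
not a log line at all
2022-05-05T05:05:05Z 198.51.100.77 root root success
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(fail|success)$")


def parse_line(line):
    """Return a record dict for a well-formed line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, pw, result = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        ipaddress.ip_address(ip)  # reject malformed source addresses
    except ValueError:
        return None
    return {"when": when, "ip": ip, "user": user, "password": pw, "result": result}


def summarize(log_text):
    """Unique attacker IPs per month, busiest month, top usernames, successes."""
    ips_by_month = defaultdict(set)
    users = Counter()
    successes = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that are not honeypot records
        month = rec["when"].strftime("%Y-%m")
        ips_by_month[month].add(rec["ip"])
        users[rec["user"].lower()] += 1  # fold case: variations of one credential
        if rec["result"] == "success":
            successes.append((rec["ip"], rec["user"]))
    unique_ips_per_month = {m: len(s) for m, s in sorted(ips_by_month.items())}
    busiest_month = max(unique_ips_per_month, key=unique_ips_per_month.get)
    return {
        "unique_ips_per_month": unique_ips_per_month,
        "busiest_month": busiest_month,
        "top_usernames": users.most_common(3),
        "successful_logins": successes,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run on real honeypot output, the successful-logins list is the item to alert on first; the per-month unique-IP count is a trend figure, not an incident.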

On the vulnerability front, manufacturing and energy remain the most vulnerable industries, followed by healthcare and commercial facilities, Nozomi disclosed. In the first six months of 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released 560 Common Vulnerabilities and Exposures (CVEs), down 14 percent from the second half of 2021. Of the reported CVEs, 131 affected multiple sectors.

Critical manufacturing had 109 reported CVEs; the energy sector followed with 40; healthcare and commercial facilities came in third with 26. Additionally, 60 vendors were mentioned in CVE advisories, with 172 associated products. Furthermore, the number of impacted vendors went up 27 percent, and affected products were also up 19 percent from the second half of last year.

Based on this latest analysis, Nozomi predicts that key cybersecurity trends for the rest of the year will include more ICS-related attacks, ransomware operators continuing to target critical infrastructure companies, and more attacks on larger companies. It also predicts theft of technology source code, and an increase in cyber policy and governance activity as the private-sector and government initiatives established earlier this year take form.

“This year’s cyber threat landscape is complex,” Roya Gordon, Nozomi’s OT/IoT security research evangelist, said in a media statement. “Many factors including increasing numbers of connected devices, the sophistication of malicious actors, and shifts in attack motivations are increasing the risk for a breach or cyber-physical attack. Fortunately, security defenses are evolving too. Solutions are available now to give critical infrastructure organizations the network visibility, dynamic threat detection, and actionable intelligence they need to minimize risk and maximize resilience,” she added.

The first six months this year were marred by Lapsus$ attacks against microchip manufacturer Nvidia, smartphone maker Samsung, and software giant Microsoft. Although Lapsus$ is not necessarily considered a ransomware group, they found a way to monetize their findings by demanding money from victims in exchange for not disclosing or selling their data. The group does not use traditional ransomware nor try to restrict the victim’s access to their files, so victims operate as normal. This is concerning because data breaches take less skill and effort since there is no associated ransomware to deploy on the network to encrypt files. 

The Nozomi report also said that international conflict often incites cyber threat activity, and the Russia/Ukraine war is no exception. “Nation-state actors have been involved in cyber campaigns against Ukraine since 2015, using malware such as BlackEnergy and NotPetya to cause significant disruption to critical infrastructure sectors, including power generation and distribution. In addition, after Russia invaded Ukraine in February 2022, we witnessed an emergence of malicious tools specifically targeting OT technology.”

The emergence of wiper malware was also highlighted in the Nozomi report. Wipers have become popular among nation-state APTs that are not necessarily financially motivated but want to cause as much destruction as possible. Cyber warfare also uses wipers to deny an adversary access to critical data. A wiper can be classed alongside self-replicating malware, but unlike most viruses it does not need to spread from one machine to another. Instead, wipers typically seek out specific files and delete them from the hard drive completely.

Some of the wiper malware used to target various organizations in Ukraine rendered computer systems inoperable. For instance, HermeticWiper overwrites the master boot record, rendering the operating system unable to boot. It was used in conjunction with HermeticWizard, which provided worm functionality to spread HermeticWiper across entire networks. In addition, IsaacWiper, combined with HermeticWizard, overwrites user files with random data, rendering any attached storage disk unusable.

Furthermore, the CaddyWiper malware works similarly to other wipers. It attempts to replace victim files with ‘null’ data and then attempts to wipe the master boot record (MBR), corrupting the victim’s stored data. In January, Microsoft Threat Intelligence Center (MSTIC) discovered the WhisperGate wiper, which aims to erase data, rendering devices inoperable. 
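The two preceding paragraphs describe the same end state for HermeticWiper and CaddyWiper: a master boot record overwritten with nulls or random data. A defender can detect that damage (or verify a restored disk) by reading the first sector and checking the structure an intact MBR must have. The check below is an added example, not code from the Nozomi report; the sample sectors are constructed in the script, the "random data" stand-in is a fixed byte pattern so the result is deterministic, and the code only reads bytes, it never writes to a disk.

```python
"""Integrity check for a 512-byte master boot record (MBR).

Added example, not from the Nozomi report. It flags the damage patterns the
wiper descriptions mention: a sector overwritten with null bytes or with
arbitrary data. An intact classic MBR has the 0x55AA boot signature at offset
510, a non-empty boot-code region, and a partition table (4 entries of 16 bytes
at offset 446) whose used entries carry a valid status byte and a non-zero size.
"""
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIG_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xAA"


def build_sample_mbr():
    """Constructed, minimal but well-formed MBR: a stub boot loader, one bootable
    Linux partition (type 0x83) starting at LBA 2048 with 2097152 sectors."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\xFE\x90"  # jmp $ ; nop -- stand-in boot code
    # status, CHS start (ignored), type, CHS end (ignored), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x83, b"\0\0\0", 2048, 2097152)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_SIZE] = entry
    sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = BOOT_SIGNATURE
    return bytes(sector)


def read_boot_sector(path):
    """Read the first sector of a block device or disk image (read-only)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def check_mbr(sector):
    """Return a list of findings; an empty list means the MBR looks intact."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    if sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if all(b == 0 for b in sector[:PART_TABLE_OFFSET]):
        findings.append("boot code region is all null bytes")
    used = 0
    for n in range(4):
        off = PART_TABLE_OFFSET + n * PART_ENTRY_SIZE
        entry = sector[off:off + PART_ENTRY_SIZE]
        status, ptype = entry[0], entry[4]
        count = struct.unpack_from("<I", entry, 12)[0]
        if ptype == 0:
            continue  # unused entry
        used += 1
        if status not in (0x00, 0x80):
            findings.append(f"partition {n}: invalid status byte 0x{status:02x}")
        if count == 0:
            findings.append(f"partition {n}: zero-length partition")
    if used == 0:
        findings.append("partition table is empty")
    return findings


# Constructed damage cases: a null-overwritten sector and an arbitrary-byte
# overwrite (a fixed 0x00..0xFF pattern stands in for random data).
WIPED_NULL = bytes(SECTOR_SIZE)
WIPED_PATTERN = bytes(range(256)) * 2

if __name__ == "__main__":
    for name, blob in (("sample", build_sample_mbr()), ("null-wiped", WIPED_NULL),
                       ("pattern-wiped", WIPED_PATTERN)):
        print(name, check_mbr(blob) or "OK")
```

On a live system the sector would come from `read_boot_sector("/dev/sda")` (or a forensic image), which needs read access to the device; comparing the result against a hash taken at build time is a stronger check than structure alone, since a wiper that leaves a valid-looking signature would pass this test.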

The Nozomi report also covered the Incontroller malware, which gave hackers the ability to gain full access to supervisory control and data acquisition (SCADA) and other ICS, including Schneider Electric and OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers. It also observed that the Industroyer variant, dubbed Industroyer2, was developed to misuse the IEC-104 protocol, which is commonly used in industrial environments.

The report points to a growing need for proactive security measures that different stakeholders can implement within an organization. These stakeholders include IT teams, compliance officers, and risk managers, who may have different perspectives on security issues. Priority security practices should include maintaining an accurate asset inventory, implementing the latest patches on VPN technology, delivering privileged access management, and using strong multi-factor authentication (MFA) that is not susceptible to vishing or SIM swapping.

Organizations can also frequently change passwords and increase employee training on vishing and overall social engineering. To ensure that a ransomware or wiper malware attack does not result in a complete data loss, data must be backed up regularly, the backup system must also be tested, and organizations must ensure that the backup is stored in an off-site location and not on the same network as operational servers. Additionally, threat intelligence, cloud security, threat detection and Software Bill of Materials (SBOM) must also be considered.
