…and so should we.
At least that’s my take after looking into various reports about a particularly aggressive malware that is targeting specifically energy utilities that operate Windows-based Industrial Control Systems (ICS).
So far, malware of the “Furtim” variety - as analyzed in-depth by IT security vendor Sentinel One - has breached the security perimeters of at least one European energy provider. Add this to the long list of (often web-borne) attacks against ICS that are covered in Booz Allen Hamilton’s recent Industrial Cybersecurity Threat Briefing.
In my recent post Industrial Control Systems Under Attack, I commented on the documented threats that critical infrastructure providers have been exposed to recently, in many cases due to their continued use of regular browsers.
So you could say I’ve thinking about how ill-prepared utilities are to deal with that kind of threat. But the new findings regarding Furtim (Latin, meaning “Stealth”) - and what they could mean for the U.S. utility sector - are prompting me to follow up with a postscript.
Most security researchers agree that this Furtim derivative was developed by state-sponsored actors, most likely from Eastern Europe, who refined a sophisticated “dropper” malware previously deployed in cyber attacks against the banking industry.
The newer version, designed to work its way into utility companies, has been programmed not only to sneak around sandboxing and virtualization hurdles, but also to detect and remove any anti-virus software on the target system, before finally calling in the actual payload - like ransomware, or sabotage code - from a remote command-and-control server.
Researchers at Sentinel One, who inspected the sample, write, it “appears to be targeting facilities that not only have software security in place, but physical security as well”. The exploit works in all Windows versions, and is powerful enough to out-maneuver 400 common AV products.
Not too long ago, scenarios involving cyber attacks against critical infrastructure were considered far-fetched. But now they’ve become a reality, as documented in the Booz Allen Hamilton Industrial Cyber Security Threat Briefing, and now Furtim’s rise to infamy.
The World Energy Council has already put the utility industry on notice to address the threats posed by advanced malware attacks. And it’s not only energy companies, but also local water utilities in the U.S. that face the same threats.
On that note, I’d like to direct your attention to the thoroughly researched post “Water Sector Prepares for Cyber Attacks” on the Circle of Blue site, by infrastructure expert Brett Walton (Twitter: @WaltonWater). The author describes how “security threats evolve as water systems connect to the internet”. Excerpt:
"The basic problem for water utilities today is the convergence of two systems that used to be relatively segregated: information technology (IT) and operational technology (OT)."
And not only for water utilities, as “Furtim” illustrates. Circling back to my last post: More often than not, regular browsers used by IT and OT personnel to access the web serve as the bridge that helps malware jump the gap.
Its fundamental architecture renders the local browser unfit for operational security: to display a page, read an email, or access an app, browsers fetch code from remote servers and execute it locally. Malware like Furtim can enter the system through the same mechanism and spread from the endpoint through the whole ICS infrastructure.
Furtim also serves as a reminder (if we still needed any) that the current mix of firewall configurations, network filtering, and anti-virus / anti-malware products can easily be avoided, overpowered, outmuscled or pushed aside by this new generation of web-borne threats.
AV products: no match for web-borne threats
The fact that 400 Windows-based AV tools aren’t able to keep up with Furtim shouldn’t come as a surprise. It reminds me of the research results published by computer scientists at the Concordia University in Montreal, Canada and presented at the Network and Distributed System Security Symposium 2016.
The group inspected the 14 best-known of those programs. The results, published here [PDF], reveal that the very same AV products that users install to protect local computers and networks against malicious software, can have the opposite effect: they open doors on the system for viruses, ransomware, and other malware to sneak in.
Furtim manages to avoid 400 AV tools? Then so should we.
Only a secure virtual browser that doesn’t allow any web code to reach the local environment can provide complete protection against web-borne threats which, like Furtim, compromise critical industrial control systems.