Cyble-Critical-Infrastructure-Russia-Ukraine-Crisis

Russia-Ukraine Crisis Places Critical Infrastructure At High Risk

Introduction

Critical infrastructure sectors are those assets, systems, and networks, whether physical or virtual, that are perceived so vital to the country that their compromise or destruction would have a crippling effect on national security, national economy, national public health or safety, or any combination of these.

Some of the sectors are mentioned below.

1. Transportation

2. Communication Sector

3. Financial Services 

4. Government facilities

5. Nuclear Reactors, Materials, and Waste center

6. Critical Manufacturing Sectors

Critical infrastructure maintains normalcy in the daily life of every individual. However, people don’t often realize how small, medium, and large-scale industrial equipment provides basic facilities such as clean drinking water, electricity for homes and businesses, railways for connectivity, packaged foods delivered on doorsteps, etc.

Recently attacks on Information technology (IT) networks connected to Operational Technology (OT) components and the devices responsible for controlling plant operations are being attacked by largescale cyber-attacks amid the Russian-Ukraine crisis.

State-sponsored attackers, Advanced Persistence Threat (APT) groups and numerous hackers’ communities have been actively targeting the critical infrastructure of their enemy country. This sudden surge in attacks is due to the geopolitical events of the current Russian – Ukraine conflict.

Computer Emergency Response Teams (CERT) all around the globe are also monitoring the events and releasing alerts, advisories, recommendations for the public and business. These public disclosures made by state authorities include the recent vulnerabilities and patches disclosed by vendors for their products.

The public disclosures also include updates on the malware and threat actors. For example, a few days back, the Cybersecurity and Infrastructure Security Agency (CISA) launched critical advisories that include Interactive Graphical SCADA System of Schneider electric, Engineering software for SICAM RTUs of siemens, Details regarding whisper gate and hermetic malware.

Vulnerabilities in the networks, devices, and software are continuously being exploited by numerous malicious hackers. Hence, critical infrastructures are at high risk of these cyber-attacks because of the vital role these sectors play in countries every aspect. A successful cyber-attack on any of these bodies will result in catastrophic events.

The foremost issue because of which Threat Actors can penetrate these critical sectors is the convergence of IT and OT technologies, The interconnectivity of sensors, networking devices, OT equipment, workstations, etc. has opened a gateway for the attackers.

TimeLine of Recent Cyber Incidents on Critical Infrastructure

Details of the Events

February 25th, 2022

Twitter handle @LiteMods claimed that a DDOS attack was launched on Gazprom, as shown in Figure 1. Gazprom is a Russian energy business that concentrates on upstream and downstream oil and gas operations, and heat and electricity generation. The organization is one of Russia’s top four oil producers. In addition, the corporation holds one of the world’s most significant natural gas reserves.

Figure 1 – Tweet by @LiteMods about DDOS attack on Gazprom

February 27th, 2022

Cyber Partisans, a hacktivist/activist group targeting the Belarusian government, government institutions, and government agencies since 2020, recently claimed that they had attacked the railway network in support of Ukraine. The attack aimed to slow down the Russian troop’s invasion and provide Ukrainians more time against Russian forces.

The claim was made through Twitter handle @cpartisans, as shown in Figure 2.

Figure 2 – Screenshot of the tweet made by @cpartisans

Soon after the first tweet, a second tweet from the same account provided a screenshot of a Belarusian Railways internal computer network monitoring system. The system had an outdated Windows XP application exploited to enter the Belarusian Railway network, as shown in Figure 3.

Figure – 3 Screenshot mentioning the vulnerability

On March 2nd, 2022, one more tweet from the same group showed that is still actively monitoring the situation and are exploiting the vulnerabilities in the Belarus Railway Infrastructure, as shown in Figure 4.

Figure 4 – Tweet claiming that the attack on Railway continues

February 28th, 2022

Cybercriminals attacked an Electric Vehicle (EV) charging station located in Russia near Moscow. The attackers displayed messages on the EV screen that showed support to Ukraine, as shown in Figure 5.

Figure 5 – Compromised EV charging station

March 1st, 2022

Twitter handle @GS_M4F14 claimed access to the Nuclotron-based Ion Collider facility (NICA).  The Twitter handle provided the details on the Vacuum system, temperature, and pressure, as shown in Figures 6-7.

Figure 6 – Tweet claiming access to NICA Booster Control System
Figure 7 – NICA Details

On 6th March 2022, the same Twitter handle claims that they have sensitive data like “SQLI dump, SMB leaks, FTP server dump, Private GitLab’s of JINR and Department of Russia,” as shown in Figure 8.

Figure 8 – Tweet claiming access to JINR Sensitive Files

March 2nd, 2022

Tweets show that the malicious hackers were able to hack the JINR, and the damage done would make it difficult for SCADA operators to work on the plant, as shown in Figure 9.

Figure 9 – Tweet claiming JINR attacked

The importance of SCADA systems increased tremendously. SCADA systems are the heart of every industry dealing with industrial equipment, especially when talking about plants dealing with “Nuclear operations”.

A single manipulation of the predefined operations of the SCADA parameters may start a chain of events that could impact the country. For example, suppose an attacker can bypass the security measures placed for critical nuclear infrastructure. In that case, this event could lead to more severe consequences for the country and the world in general.

March 4th, 2022

A telegram channel operated by an actor called “Against the West” claimed that they had breached Gazprom, as shown in Figure 10.

Figure 10 – Screenshot claiming the breach

On 5th March 2022, the same telegram channel released the data of Gazprom in the public domain. Anonymous groups further shared the links for the same and other Twitter handles, as shown in Figure 11.

Figure 11 – Gazprom data available on Telegram

Further investigation found that Gazprom and other major oil and gas companies are being targeted heavily by DDOS attacks. For example, as shown in Figure 12, researchers found a script launching a DDOS attack on Lukoil and another major state-owned Oil and Gas organization in Russia.

Figure12 – Target List from the Malicious script

Various phishing URLs were found pointing towards Rosneft organization, another giant in Russia’s gas and oil industry, as shown in Figure 13.

Figure – 13 Phishing pages related to Rosneft and Women’s Day

This trend shows that hackers will aggressively target the oil and gas industry to manipulate national exports and economies. Globally, Oil and Gas industries should be on high alert as state-sponsored hackers can make these similar attacks on the organizations directly or indirectly connected to the ongoing Russian-Ukraine conflict.

March 6th, 2022

Twitter handle @JoanneHuggins6 posted that the Russia SCADA systems have been hacked and stopped, as shown in Figure 14. The screenshots shared with the tweet show various pumps and pipes, which indicated that it related to Water supply systems.

Figure 14 – Tweet claiming compromised SCADA

On 7th March 2022, the same handle claimed that they had hacked the water supply systems of Russia, as shown in Figures 15-16.

Figure 15 – Tweet claiming compromised Water Supply Scada System
Figure 16 – Water Supply Scada System

Impact

Cyber-attacks on critical infrastructure can result in loss of life, monetary and economic issues, or reputational damage. Moreover, they can spark significant events within the country that can impact the economy overall.

Due to cyber-attack on assets of critical infrastructure environment, industrial operations can be temporarily or permanently stopped, which can cause trouble in the entire supply chain.

Threat groups can easily inflict chaos among the public if they launch a cyber-attack on critical sectors at times like warfare.

Therefore, a single failure within a critical sector can impact the military operations, and hence these sectors are being actively targeted by state-sponsored actors.

Conclusion

Researchers at Cyble believe that the frequency of incidents concerning critical sectors will rise in the coming months.

The amount of information available in the public domain concerning the techniques used in exploiting the critical infrastructure at this current time will allow numerous attacks by malicious hackers on countries due to geopolitical issues.

Researchers also believe the current security measures kept in place by critical sector organizations still lack some security implementations.

Indicators Of Compromise (IOCs)

IOCIOC TYPEDescription
f79e651507d5930569abf422203b8b72, 54fb1350954756f5c05ef1a5370fa5c16ffffc7b, 28749deace98ea5948fb64b181f558668415c02c3fe112d0b2d7d74b5695faddMD5,SHA- 256,SHA -512HackTool.Script.DDoS

Recommendation

  1. Assessment of firewall and router configurations are important.
  2. Make a list of all the components within ICS environment and check for vulnerabilities in them on granular level.
  3. Keep all the equipment’s like workstations, serial to ethernet devices, routers, sensors etc. of critical sector updated.
  4. Limit exposed device over the internet.
  5. A proper network segmentation can prevent cyber incidents from happening.
  6. Keep a strong password policy.
  7. Restrict assess of assets as per the clearance level of the employee.
  8. Cyber security awareness training is must for employees and management working in critical sector.
Scroll to Top