Reimagining Cyber - real world perspectives on cybersecurity

CyberAv3ngers & Other Threats: Critical Infrastructure Under Attack - Ep 128

Reimagining Cyber Season 1 Episode 128

In this episode of Reimagining Cyber, Rob Aragao revisits the critical topic of cyber threats to critical infrastructure. Rob shares recent alarming developments involving Iranian state-sponsored hacking group 'CyberAv3ngers' and their targeted attacks on U.S. and Israeli IoT and OT devices. The episode underscores the importance of security hygiene and the latest guidance from U.S. governmental agencies.

Rob also takes time to reflect on significant cybersecurity events and themes from 2024. Stay tuned for next week’s festive episode where past guests share their cybersecurity wish lists for Santa!




Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

[00:00:00] Producer Ben: Hello and welcome to Reimagining Cyber. I'm Ben, producer of the show, and with me is, of course, Rob Aragao, our resident expert. How are you doing, Rob?

[00:00:12] Rob Aragao: Good, Ben, how are you?

[00:00:13] Producer Ben: Not bad, not bad at all. I'd like you to cast your mind back a few weeks to late October 2024, when our guest was the truly fascinating Eric O'Neill.

[00:00:25] Eric's a former undercover FBI operative, national security attorney, and best-selling author, and the key operative in bringing down Robert Hanssen, the most damaging spy in US history. It was episode 121 of Reimagining Cyber. It was called Critical Infrastructure Under Siege, Cyber Threats and Counterintelligence.

[00:00:49] Here's a clip.

[00:00:49] Eric O'Neill: Often I get this question, uh, in different forms. And you know, one of them is: what scares you the most? And here it is: critical infrastructure attacks. Remember that, uh, I think it's important to note, first of all, that critical infrastructure is a lot more than lights and power. There are 11 sectors defined

[00:01:09] by the U.S. government that are critical infrastructure, and lights and power is one of them. But it goes to everything from what you do with your wastewater, to actually getting water from your taps, to chemicals we need, to manufacturing, finance, communications. What happens when your cell phone doesn't work?

[00:01:26] All of these things are vectors for attack. It makes us very vulnerable because it's very difficult to secure the full range of, uh, infrastructure that we as a society need to continue to be successful, efficient, and happy. There can be significant repercussions that we don't even think about when power, and then you take it to, like, what happens in hospitals and people who need care or people who have ventilator machines and people, right.

[00:01:51] A lot of people end up dying. So what's been happening in the U.S.? And this isn't a recent occurrence. This is years. Uh, there are significant threat groups, um, primarily coming out of Russia, China, North Korea and Iran. Those are the big four, right? Uh, you know, the big four bad guys, if you're sitting in the West or the United States, uh, and certainly for, uh, cyber threat action, right?

[00:02:18] And they've been launching what's called probe attacks, just seeing how deep they can get into the critical infrastructure, the SCADA networks, the networks that manage the flow of power or water or gasoline from the West Coast to the East Coast, all of those critical networks that allow things to work.

[00:02:38] And the problem here in the US is a lot of it is run by private companies. Some of it is run by the government. Some of it is run by private companies, public-private partnerships. It's a little scattershot, which is probably one of the reasons that there hasn't been a large-scale critical infrastructure attack yet.

[00:02:54] It's hard to compromise all these different systems and agencies and companies all at the same time, but they're getting close.

[00:03:03] Producer Ben: That was Eric O'Neill there in Critical Infrastructure Under Siege, Cyber Threats and Counterintelligence, episode 121 of Reimagining Cyber. So Rob, why are we bringing the subject of critical infrastructure attacks up once more?

[00:03:18] Rob Aragao: There's actually some news that was recently released around examples of what we're seeing out there. And let me kind of just, uh, share it with you and just shine a light further on this, on this topic. So there's an Iranian state-sponsored hacking group called CyberAv3ngers. And these guys have actually been targeting, uh, and implementing, in essence, their custom-built malware into IoT and OT, operational technology, devices in the U.S. as well as Israel.

[00:03:54] Now, now these guys are a state-sponsored Iranian hacking group, um, the malware itself is called IOCONTROL and the group is linked to Iran's Islamic Revolutionary Guard Corps. Now earlier this year, February specifically, 2024, the U.S. government already had these guys on their radar. And they were so concerned as to the type of activity they were seeing that they put a 10 million bounty out there for information on them.

[00:04:25] Now this again, as I said, goes back a bit. So around the October or so time frame of last year is when they kind of got on the radar, and were being monitored and seen through the late January or so time frame before the U.S. government put that bounty out there. And what looks like has happened is that in the July, maybe August timeframe of this year, 2024, these guys have picked their actions back up and have really been trying to go and be very targeted

[00:04:55] again, within the U.S. and Israeli IoT and OT environments. So give me an idea of what kind of thing was done. If you look back, uh, one of the examples that was picked up on is an attack that was targeted at an industrial control system supporting the water facilities in the state of Pennsylvania. And also in Israel, this is actually tied back to last year when they were initially picked up on the radar, of disrupting over 200 gas pumps

[00:05:24] in Israel itself. So again, these are folks that are being very targeted in the way they go about, um, their means of disruption, if you will. Now, just a couple of things we've also called out here is, you know, who are some of the vendors that they're going after and targeting the specific devices behind, and so what we're seeing is D-Link, uh, Hikvision,

[00:05:48] or Orpak Systems, to name a few of the vendors. Again, they're developing IoT devices that are being particularly targeted. Now, what's interesting is that, uh, you know, when you think about industrial control systems, a lot of it is tied back into Linux-based systems. Uh, and that is exactly what IOCONTROL is built around, you know, targeting and taking advantage of, and things around simple, simple, you know, default password configuration settings, um, misconfigured systems in general.

[00:06:19] And so it's nothing really truly that sophisticated, but it does provide their inroads for remote control into those environments and then begin lateral movement to start actually, um, you know, taking advantage of those particular devices and some of these different types of scenarios that we've already seen out there happen.

[00:06:37] So again, nothing really that sophisticated, as we were talking about, pretty straightforward, simple stuff that they're taking advantage of. But this goes back to a lot of the conversations we've had in the past on Reimagining Cyber: it's, it's, it's all about the hygiene, right? Setting up that solid security hygiene, ensuring that the security fundamentals are in place, will help prevent a lot of these different types of scenarios from actually.

[00:07:00] Producer Ben: So another talking point I know you wanted to mention is something that came out in just the last few days. The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, and the Environmental Protection Agency, EPA, have jointly released a fact sheet offering guidance to water and wastewater systems installations.

[00:07:23] Rob, over to you. 

[00:07:24] Rob Aragao: And a lot of this is really driven on this protection, uh, around human machine interfaces referred to as HMIs in conjunction with SCADA systems. It's all about, again, if it's something that is connected to the internet, it obviously does present itself to be potentially vulnerable to attack, of course.

[00:07:43] And so any of these internet-exposed systems, um, obviously they become that much more of an easier target to go after. So a lot of what we've seen, and they're, you know, specifically calling out within their guidance, is just the means of how some of these different systems are being exploited. And, you know, even talking about some of the different work that was done by pro-Russian activists themselves in manipulating HMIs and causing operational disruptions.

[00:08:13] Um, but, but as I mentioned, you know, a lot of these things, similar to the one I was talking about with the CyberAv3ngers and targeting systems within the U.S. and Israel, taking advantage of those simple hygiene elements of using default credentials, um, and having misconfigured systems or unpatched systems, that's what makes it easy for these guys to get in.

[00:08:36] Producer Ben: So Rob, if a listener is thinking, you know, I'm hearing all these things, I'm seeing all these different areas, what about some ways to go about helping mitigate that?

[00:08:48] Rob Aragao: We've talked about, obviously, you know, elements of changing the passwords, creating strong, unique passwords. Uh, implementing multi-factor authentication, something we continuously have talked about on the show in the past, um, but also using network segmentation, right?

[00:09:01] That's an opportunity for us to obviously pull things off where they don't need the internet connection, but when they do, just put some segmentation and some control mechanisms in place, such as creating, um, a set of IP addresses that are allowed to actually get in and blocking the others, and obviously provide visibility into those environments with logging.

[00:09:22] And then also, you know, again, one last thing on this topic is just keeping these systems up to date as best possible. And we've had these conversations in the past, at times it's not that easy, but it's something that obviously is critically important to take advantage of. So I just thought it'd be important to, you know, kind of raise it back up as something because it's, it's obviously out there pretty heavily in the news.

[00:09:44] We're hearing a lot of sidebar conversations. We discussed it not that long ago, but it's a way to shine a light on real-world examples that we're seeing out there. And, you know, a lot of these things in many situations are pretty simple to be able to deal with and prevent from happening in the first place, as I just outlined.

[00:10:01] So I just wanted to bring that up as today's kind of focus topic and ensure that people are aware of different paths and how to be able to mitigate these types of situations from actually taking place. That's something to just keep a close eye on.

[00:10:13] Producer Ben: So undoubtedly, critical infrastructure and threats to it.

[00:10:18] It's very much a key theme of 2024 and also years before that, but reflecting back on Reimagining Cyber over the last 12 months, what are the topics that really left a mark on you? 

[00:10:29] Rob Aragao: You know, we, we started off going into the new year with heavy discussions around regulations, and it just seems like there was just so much coming at us, right?

[00:10:38] We, we, we talked about, what, DORA, then the NIS2 Directive, uh, the SEC cyber rule, right? All these additional privacy regulations, uh, the EU AI Act, spanned so many different areas of looking at, uh, privacy regulations, privacy elements, of course, tied into those things. So that was, that was another kind of area that I just found so interesting to, to watch and see how they continue to expand.

[00:11:05] Um, you know, how heavy those levers were being pulled, how people were, you know, really paying attention to it and acting, or kind of doing a wait and see and, and deciding, you know, kind of, would they take the action once it was out there and they saw examples of what penalties really were, right? So that, that's always kind of an interesting, you know, way to balance things out.

[00:11:24] Uh, another area was, you know, just some of the security incidents. The one that really stuck with me was early this year around the, the Change Healthcare security incident and the impact, uh, downstream that, that, uh, that cost, right? Where people literally could not get, uh, their prescriptions filled, as an example, uh, and how long it took for different systems to be able to come back online.

[00:11:45] So there's the sheer impact. Um, I think that was a major, major eye opener, especially for the healthcare, uh, segment, but also critical infrastructure, you know, across the board, and just people being able to see just how these third-party relationships could be so kind of negatively impacted by, um, you know, one of the downstream providers.

[00:12:06] Obviously, this was the year of, uh, what we called securing the vote, right? So many elections happening globally and all of the different concerns relative to, um, cyber security and, you know, how people could go in there and kind of disrupt voting systems, uh, across the globe and especially here in the U.S.

[00:12:22] with the major elections. Um, and also we had the Olympics. Let's not forget the Summer Olympics, right? And just looking at how that could have potentially been a, uh, an opportunity of disruption from a digital perspective too. But again, we didn't really see anything happen, uh, majorly on either front, which is, which is good.

[00:12:40] That's great news for the cyber fighters out there. Um, I will also call out another episode that we had with John Bricky from MasterCard specifically that really stood out to me is, is, you know, I'm a keen proponent of collaboration, not only across, um, you know, within kind of commercial sector, but also into the public sector.

[00:12:59] And I think the great work that they've done there at MasterCard in their cyber defense collaboration efforts with, um, the, you know, the other sectors within critical infrastructure, as well as cutting across into the federal government, um, support in true, again, working relationships, running through exercises together, um, and just, again, going through kind of back and playing his episode, that, that was really an eye opener for me as a very positive outcome.

[00:13:26] Something that, um, again, I've been a major proponent of, especially like the information sharing and analysis centers across different verticals. This was a great example of, uh, the reality of, of what it can actually provide. You know, another one, Ben, that was really intriguing to me was our conversations, um, as related to cybercrime and Interpol. I think things, those are, those are pretty eye-opening and, um, a great, you know, set of conversations actually had, um, back then with Craig Jones.

[00:13:54] And, um, we also went out to space, right, Ben? We, we, we actually went and talked to folks from NASA, uh, Tiffany Schneider specifically, and some great discussions there about, you know, yeah, the elements of what you have to, um, secure, probably protect, that are part of the ground control systems. Um, but how about that?

[00:14:16] Um, level of communication into the outer space, um, components, the ways that we within the U.S. need to work with other nations and, um, you know, again, collaborate, but yeah, what information you're sharing. And, and so again, just shining the light on that side of that, that was really interesting. So Ben, you know, that's, that's what I would kind of look at as some key reflections of this past year.

[00:14:39] Some of the key themes I kind of pulled back from when I reviewed the different guests, topics, episodes, you know, as a whole for the year 2024. It was just a great year, a great set of guests, so many awesome discussions, and looking forward to so many more going into 2025.

[00:14:57] Producer Ben: Rob, that was fantastic. A tour de force, a fine review of 2024.

[00:15:02] Looking forward then, next week on Reimagining Cyber we have a special festive treat for you. We've given some previous guests a rather bizarre seasonal scenario. We've asked them to imagine that they've written to Santa Claus, or Father Christmas, whatever you call him, to ask for a cyber security wish list.

[00:15:22] And if they've been good boys and girls, well, maybe that wish will be wrapped up and left under their tree. So join us for the unwrapping ceremony next week. Not only will you be filled with festive cheer, you'll also be getting some top quality advice on steps that you should be taking in 2025. Thanks so much for listening to Reimagining Cyber.

[00:15:45] Here's an idea for you. Keep an eye on the OpenText Cybersecurity LinkedIn page and you will see posts about the podcast from time to time. When you do, take the opportunity to leave us some feedback in the comments, or even ideas for themes on future shows. It would be thoroughly appreciated. Goodbye.
