The North American electric grid remains under threat from “capable adversaries” around the world, staff from the Electricity Information Sharing and Analysis Center (E-ISAC) told a forum hosted by the Texas Reliability Entity on Thursday.
“I think it’s important to consider that in the season of Easter, Passover and Ramadan that there’ll be a number of guardians of the grid watching over us all, making sure the lights stay on and those holidays can proceed peacefully, because suffice to stay, the threat landscape is quite active,” E-ISAC Director Matthew Duncan said during the Talk with Texas RE webinar.
Duncan’s presentation focused on the rise of malware variants, often connected with state-sponsored hacking groups, that target an organization’s operational technology networks, potentially allowing them to affect the target’s physical infrastructure. While most of the malware strains seen in the past could only interfere with entities’ information technology systems, which don’t typically interface with operations, an attack on electric utilities with OT-targeting malware could pose a grave threat to grid reliability.
Among the latest of these new threats is the Bad VIB(E)s malware, detected and named last year by security firm Mandiant. The company describes it as a “malware ecosystem” primarily targeting virtual machines — that is, when a computer is used to provide the functionality of a different architecture — and the computers that control them, also called hypervisors.
Duncan warned that Bad VIB(E)s, which Mandiant has attributed “with low confidence … to a China-linked actor,” seems to target hypervisors “that are prevalent in IT and OT environments,” and that detecting it may be more challenging than other attacks.
“This type of malware was designed to avoid detection, to avoid your EDR [endpoint detection and response] solutions,” Duncan said. “So you can see the adversaries are evolving to counter the defenses that we put out there to stop them and detect them.”
The good news, Duncan said, is that Bad VIB(E)s does not seem to have been used in any attacks against the U.S. energy sector based on information gathered by the E-ISAC. In this regard it is like another OT-targeting malware strain identified last year by security firm Dragos and dubbed Pipedream, which appeared designed to attack industrial infrastructure. (See E-ISAC Warns of Escalating Russian Cyber Threats.) Mandiant has attributed Pipedream to Russia-sponsored actors; Dragos, as a matter of policy, does not link malware to specific nations.
Also like Pipedream, Duncan noted, the attacker needs access to the target machine to deploy Bad VIB(E)s. However, he said, this does not mean there is no danger; utilities must ensure their staff are vigilant against any potential infiltration attempts while also preparing backup solutions for those times when something gets through.
“I know we all think about cyber hygiene as a very basic and obvious thing to do, but those phishing drills, having your software and hardware enumerated, is really important because you’re essentially protecting the front and the back door,” Duncan said. “Still, mitigations need to be in place inside the house, as it were, on the off chance that they get through those initial screenings.”
Ransomware also continues to be a concern for utilities, Duncan added. While statistics from the FBI’s 2022 internet crime report showed that the energy sector accounted for relatively few victims of ransomware attacks last year, an incident in which the Royal ransomware affected a utility’s supervisory control and data acquisition (SCADA) network provided clear evidence of the seriousness of the threat.
“I think it is important to make the community aware that the adversaries are no longer coming after OT in the abstract,” Duncan said. “It is really important to get … the east-west mitigations inside company networks and utility networks to keep an eye on what might be traversing, so that we can stop adversaries from gaining access and stopping critical operational processes.”