Ukrainian law enforcement personnel thwarted a digital attack that targeted equipment owned and operated by a chlorine station.
According to Interfax, the Security Service of Ukraine (SUB) detected an attempt to attack the LLC Aulska chlorine station. Located in the village of Auly in the Dnipropetrovsk region, the station functions as critical infrastructure in providing chlorine for the treatment of water and sewage across the country.
Agents with the government security agency determined that the attack had originated from Russian special forces. Those attackers’ purpose, reported Interfax, was to undermine the stability of the station’s operations using VPNFilter.
Similar to Mirai, VPNFilter is a type of botnet that targets Internet of Things (IoT) devices like routers and network access storage (NAS) devices. Security researchers spent months investigating the threat in 2018 and determined that it likely operates under the control of a sophisticated threat actor that goes by the names APT28, Pawn Storm, Sandworm, Fancy Bear and Sofacy. They also discovered that VPNFilter had infected half a million IoT products in what Ukrainian officials believe were Russia’s preparations for a digital attack.
It didn’t take long for SUB to figure out what had happened at the LLC Aulska chlorine station. As quoted from a post on SUB’s Facebook page:
Specialists of the cyber security service established minutes after [the incident] that the enterprise’s process control system and system for detecting signs of emergencies had deliberately been infected by the VPNFilter computer virus originating from Russia. The continuation of the cyber attack could have led to a breakdown in technological processes and a possible accident.
As of this writing, the exact details of the attackers’ infiltration into the chlorine station are unclear.
Craig Young, a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), has some questions about the attack’s specifics in the meantime.
Consumer routers show up in very unexpected places at times but critical infrastructure is certainly the last place I’d expect to find them. Due to the lack of details provided by Ukranian Secret Service, it is not possible to know which devices may have been compromised with VPNFilter malware and what they were being used for in this plant. It is possible that the infected systems were routers in the homes of employees who remotely access the facility or that the plant may have had some affected network storage devices.
Another big question is when this attack took place and whether this means that VPNFilter has already evolved since the recent FBI shutdown of the botnet’s command and control system. It is possible that VPNFilter has been revived with a more robust operation targeting a wider range of devices including more enterprise-centric devices.
This attempted attack demonstrates how critical infrastructure organizations need to protect their industrial control systems and other computer equipment against digital attacks. For insight into how your organization can defend its industrial systems, click here.