Specialists of the cyber security service established minutes after [the incident] that the enterprise's process control system and system for detecting signs of emergencies had deliberately been infected by the VPNFilter computer virus originating from Russia. The continuation of the cyber attack could have led to a breakdown in technological processes and a possible accident.

As of this writing, the exact details of how the attackers got into the chlorine station are unclear. Craig Young, a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT), has raised some questions about the attack's specifics in the meantime:

Consumer routers show up in very unexpected places at times, but critical infrastructure is certainly the last place I'd expect to find them. Due to the lack of details provided by the Ukrainian Secret Service, it is not possible to know which devices may have been compromised with VPNFilter malware and what they were being used for in this plant. It is possible that the infected systems were routers in the homes of employees who remotely access the facility, or that the plant may have had some affected network storage devices. Another big question is when this attack took place and whether this means that VPNFilter has already evolved since the recent FBI shutdown of the botnet's command and control system. It is possible that VPNFilter has been revived with a more robust operation targeting a wider range of devices, including more enterprise-centric devices.

This attempted attack demonstrates that critical infrastructure organizations need to protect their industrial control systems and other computer equipment against digital attacks. For insight into how your organization can defend its industrial systems, click here.