Industrial Control System Firms In Dragonfly Attack Identified
chicksdaddy (814965) writes Two of the three industrial control system (ICS) software companies that were victims of the so-called "Dragonfly" malware have been identified. ... Dale Peterson of the firm Digitalbond identified the vendors as MB Connect Line, a German maker of industrial routers and remote access appliances, and eWon, a Belgian firm that makes virtual private network (VPN) software that is used to access industrial control devices like programmable logic controllers. Peterson has also identified the third vendor, identified by F-Secure as a Swiss company, but told The Security Ledger that he cannot share the name of that firm.
The three firms, which serve customers in industry, including owners of critical infrastructure, were the subject of a warning from the Department of Homeland Security. DHS's ICS CERT said it was alerted to compromises of the vendors by researchers at the security firms Symantec and F-Secure. DHS said it is analyzing malware associated with the attacks. The malicious software, dubbed "Havex," was being spread by way of so-called "watering hole" attacks that involved compromises of vendors' web sites. According to Symantec, the malware targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. Most of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.
Watering Hole Attacks (Score:2)
I hadda look this one up. [wikipedia.org]
Re: (Score:3)
OLE for Process Control (OPC) (Score:1)
Good luck with securing that as a protocol. Might as well tape a 'kick me' sign on your back. When you are controlling things that can kill people why is ease of use/development even a consideration?
Why can't the Swiss company be named? (Score:3)
So the Belgian and German companies can be named, but not the Swiss one? That seems strange.
Re:Why can't the Swiss company be named? (Score:5, Informative)
Re: (Score:2)
I was watching a TV show about Alaska, where some small town had their generator go out and they needed to fly in an engineer. In those tiny villages, the kind where an engineering degree means you can get a job somewhere else that can afford to pay you, remote monitoring and diagnosis is the only option they have. They had one guy in the town who had the keys to the building, knew to keep the fuel tanks filled, and could do some minor mechanical repairs to the system, but that was pretty much the limit o
Re: (Score:2)
It's no mystery at all.
diz gun be gud! (Score:1)
Peterson has also identified the third vendor, identified by F-Secure as a Swiss company, but told The Security Ledger that he cannot share the name of that firm.
Well, HELLO there, internets!
It'll be interesting to see why that company could not be named. Banking, perhaps?
Boy (Score:2)
It's a good thing none of these industrial controls require IE 6 with an unsupported OS with updates turned off requiring a live internet connection or anything stupid. For a minute that would imply mass incompetence
Water Treatment Plant (Score:2)
Against man's stupidity... (Score:2)
The cost argument really doesn't fly. Can you imagine the firestorm of compensation claims when (not if) the first major disaster takes place?
Re: (Score:3)
I use the eWon and MBConnect devices all the time; one or the other goes into every machine we build. They are VPN gateways with secure login so we can remotely work on a machine instead of having to immediately travel to it to check the slightest thing.
None of our customers leave the internet side of the device plugged in. Unless we are on the phone with them, and they are by the machine, it is unplugged. As an additional level of security, the device has a keyswitch connected to it that must be turned