July 30, 2018 | By Caleb Purcell
The Security Service of Ukraine (SBU) claims to have thwarted an attempted cyberattack on a chemical station that provides chlorine for water and sewage treatment plants throughout Ukraine. The station represents the only one of its kind in Ukraine, making this chlorine plant a prime target for critical infrastructure attacks. The SBU’s strongly worded press release blamed the infamous malware VPNFilter for the event and accused Russia of intentionally orchestrating the infection. The full technical details pertaining to the incident remain unknown.
IISP Analyst Caleb Purcell: "With the lack of technical detail represented, the interpretation of these events is left largely to the imagination of the reader. The press release makes the case that the 'process control system and system for detecting signs of emergencies' were directly and intentionally infected by VPNFilter, implying the existence of the malware on industrial control system (ICS) – not just networking – equipment. Taken at face value, this statement signifies a drastic change in what we currently know about VPNFilter and its capabilities.
The most recent Cisco Talos report maintains that VPNFilter has only been known to infect networking gear and utilizes a module with limited ICS-specific capability, specifically the ability to view – but not modify – Modbus network traffic. In addition to viewing Modbus traffic, the module records limited relevant data – ignoring payloads and instead logging the associated connection metadata (i.e., IPs and ports). Given what we know from this research, the most likely explanation is that VPNFilter was discovered on the chlorine plant’s network, but that the malware did not directly impact any ICS equipment. Regardless, the information gleaned from such an infection could be harnessed by attackers for future, more destructive attacks on this or other similar ICS environments. Perhaps this event is indicative of a new role VPNFilter is destined to play as part of an ever-growing threat to critical infrastructure. With that possibility in mind, we can only hope for the release of the crucial technical details necessary for taking preventative measures."
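To make concrete what "viewing Modbus traffic and logging connection metadata" covers, and how a defender can turn the same observation to their advantage, here is an added Python example; it is not code from this article, from the SBU, or from the Cisco Talos research. It parses the Modbus/TCP MBAP header from a few constructed packets, records only IPs and ports for frames that are actually Modbus (discarding payloads, as the passage describes), and then uses that metadata the way a plant network monitor would: flagging Modbus clients that are not on an engineering allowlist and any request whose function code writes to a device. The host addresses, the allowlist and the packet contents are assumed sample values invented for this example.

```python
"""Modbus/TCP metadata extraction and baselining (added example; constructed sample data)."""
import struct

MODBUS_PORT = 502
# Function codes that change device state; a defender cares most about who issues these.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}


def build_frame(transaction_id, unit_id, function_code, data):
    """Build a Modbus/TCP frame: 7-byte MBAP header followed by the PDU."""
    pdu = bytes([function_code]) + data
    # MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed packets in the form (src_ip, src_port, dst_ip, dst_port, tcp_payload).
# Hosts and addresses are invented for this example, not taken from the incident.
SAMPLE_PACKETS = [
    # HMI polling a PLC: Read Holding Registers (0x03), start address 0, 2 registers
    ("10.0.1.10", 49152, "10.0.2.5", MODBUS_PORT, build_frame(1, 1, 0x03, struct.pack(">HH", 0, 2))),
    # PLC reply: byte count 4, two register values
    ("10.0.2.5", MODBUS_PORT, "10.0.1.10", 49152, build_frame(1, 1, 0x03, bytes([4, 0, 10, 0, 20]))),
    # Same HMI polling a second PLC
    ("10.0.1.10", 49153, "10.0.2.6", MODBUS_PORT, build_frame(2, 1, 0x03, struct.pack(">HH", 0, 2))),
    # Unknown host issuing Write Single Register (0x06) to the first PLC
    ("10.0.9.99", 40000, "10.0.2.5", MODBUS_PORT, build_frame(7, 1, 0x06, struct.pack(">HH", 5, 1))),
    # Non-Modbus traffic on the same wire, which must be ignored
    ("10.0.1.10", 50000, "10.0.2.5", 80, b"GET / HTTP/1.1\r\n\r\n"),
]


def parse_mbap(payload):
    """Return MBAP fields plus the function code, or None if payload is not a well-formed Modbus/TCP frame."""
    if len(payload) < 8:
        return None
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; length counts the unit id plus the PDU bytes
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    return {"transaction_id": transaction_id, "unit_id": unit_id, "function_code": payload[7]}


def extract_modbus_metadata(packets):
    """Keep only connection metadata (IPs and ports) for frames that parse as Modbus; payloads are dropped."""
    records = []
    for src_ip, src_port, dst_ip, dst_port, payload in packets:
        if parse_mbap(payload) is None:
            continue
        records.append({"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port})
    return records


def modbus_client_of(record):
    """The Modbus client is the endpoint that is not on the server port."""
    return record["dst_ip"] if record["src_port"] == MODBUS_PORT else record["src_ip"]


def find_unexpected_modbus_clients(packets, allowed_clients):
    """Hosts speaking Modbus that are not in the engineering allowlist (assumed to be maintained by the plant)."""
    return {modbus_client_of(r) for r in extract_modbus_metadata(packets)} - set(allowed_clients)


def find_write_requests(packets):
    """(client, server, function_code) for every request that writes to a device."""
    writes = []
    for src_ip, src_port, dst_ip, dst_port, payload in packets:
        frame = parse_mbap(payload)
        if frame is None or dst_port != MODBUS_PORT:
            continue
        if frame["function_code"] in WRITE_FUNCTION_CODES:
            writes.append((src_ip, dst_ip, frame["function_code"]))
    return writes


if __name__ == "__main__":
    print("Modbus flows seen:", extract_modbus_metadata(SAMPLE_PACKETS))
    print("Unexpected clients:", find_unexpected_modbus_clients(SAMPLE_PACKETS, {"10.0.1.10"}))
    print("Write requests:", find_write_requests(SAMPLE_PACKETS))
```

The point of the two detection functions is that the IP-and-port metadata is enough to answer the questions a plant operator most needs answered: which hosts are talking Modbus at all, and which of them issue writes. Feeding real traffic into this would mean replacing SAMPLE_PACKETS with flows taken from a span port or a pcap, and keeping the allowlist in step with the engineering workstation inventory.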
For further reading
- Bleeping Computer: https://www.bleepingcomputer.com/news/security/ukraine-says-it-stopped-a-vpnfilter-attack-on-a-chlorine-distillation-station/
- Dragos: https://dragos.com/blog/20180716UkraineChemicalPlantEvent.html
- Cisco Talos report: https://blog.talosintelligence.com/2018/06/vpnfilter-update.html