SolarFlare Affects Robotron ICS Installations
This morning the Critical Infrastructure Security Operations Center announced that it had detected a new attack mode associated with the SUNBURST vulnerabilities. According to General Buck Turgidson, Director of CI-SOC, a new class of malware has been detected at SUNBURST-affected facilities that were using equipment from Robotron. The SolarFlare malware set up a separate backdoor in ICS servers that communicated with the attacker via a compromised server in the Robotron maintenance monitoring system.
The CI-SOC SolarFlare report notes that, in all known instances of the SolarWinds compromise, a search appears to have been made for Robotron control system equipment on all reachable networks. Where Robotron equipment was found, SolarFlare was installed on the associated server and large amounts of data were exfiltrated from the system through the compromised Robotron server.
Turgidson told reporters this morning that it does not appear at this time that any changes have been made to any of the Robotron equipment at any of the affected installations. “At this point it looks as if the purpose of the attack was to acquire information about the status and operation of Robotron control system equipment,” Turgidson said.
Robotron President Erich Mielke confirmed that the Robotron server had been compromised during the SUNBURST attack on the company. “When the SUNBURST vulnerabilities were reported earlier this month, we started our internal investigation of their potential impact on our organization since we use the affected Orion software,” Mielke said in a prepared statement. “We had just identified that this server had been impacted when the authorities from CI-SOC contacted us. We have taken the affected server off-line and are cooperating with authorities in both the EU and the United States in their investigations.”
Dade Murphy, the CTO of Dragonfire Cyber, said in a video feed from Germany, where he is working with the investigation at Robotron: “We have identified the specific information exfiltrated from one of the companies that was affected by SolarFlare. It contained detailed programming information for various PLCs at the affected facility as well as process safety files from the facility.”
When asked why there was only information on the one facility, Murphy explained: “Once the server sends the information on to its command-and-control device, all records about the information are erased from the infected Robotron server. The data we saw had not yet been forwarded to the attacker when Robotron took the server off-line.”
Turgidson closed today’s news conference by stating that:
“At this point we do not know the purpose of the SolarFlare attacks. It appears that this was just a data collection effort at this time. The scope of the information that appears to have been obtained, however, is more than a little disconcerting. The information could be used to develop sophisticated attacks on industrial control systems at a wide variety of critical infrastructure facilities. Effective attacks on facilities such as these require a great deal of information and understanding of the interactions between a variety of systems. That level of information now appears to be available to the attackers behind the SUNBURST attacks.”