The past few days have been filled with the heartbreaking news, images, and devastation of Russia’s escalation from cyber warfare against Ukrainian financial firms and critical infrastructure assets to an unprecedented ground invasion and attack on the nation’s capital. Our hearts are with the health and welfare of the people of Ukraine. Unfortunately, we believe that this is just the beginning of cyber aggression from Russian nation state actors. In particular, we have reason to believe that critical infrastructure and financial institutions within the US and other NATO countries may become collateral damage of these efforts, if not direct targets of such attacks.

On the actionable side, the initial intrusions show an emphasis on firmware-level compromises that survive reboots and firmware upgrades, so that the attacker keeps a foothold even after the first-stage infection has been cleaned up. Organizations must take steps to continually protect these lower layers of code, which are not ordinarily monitored or protected by endpoint detection and response (EDR) tools.

In less than two weeks, at CERAWeek 2022 in Houston, the world's premier energy conference, I will be sharing publicly for the first time some results of the last three years of work at Gradient: the deployment of a technology called Cybersecurity Mesh to continually protect the OT and IIoT critical infrastructure assets of Fortune 500 enterprises against advanced persistent threats like these, down to the silicon itself. The goal is to eliminate the threat vectors that Russia and other hostile actors use to mount advanced malware and credential exfiltration attacks, while enabling seamless, secure connectivity from edge to cloud.

U.S. Officials Believe We Must Prepare for Collateral Damage

Last week, officials from multiple US agencies met privately with banking sector executives to discuss responses to potential Russian hacking attempts against the US and our NATO allies. At the beginning of the week, the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) followed suit, issuing a "Shields Up" advisory warning that Russia's conflict with Ukraine might lead to cyber attacks on critical infrastructure in the United States. Then, just before Wednesday's invasion, the UK's National Cyber Security Centre (NCSC), CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) published a joint alert about new malware, designated Cyclops Blink and attributed to the sophisticated hacker group known as Sandworm.

Whether or not Cyclops Blink is itself an existential threat, we would be wise to be wary of subsequent iterations. Sandworm, attributed to Russia's military intelligence agency, the GRU (specifically its Unit 74455, also tracked as Voodoo Bear; the better-known "Fancy Bear" is a different GRU unit, APT28), is the same group responsible for several attacks on critical infrastructure, including the December 2015 attack on Ukraine's power grid, the Industroyer attack on the Kyiv grid in 2016, and NotPetya in 2017, widely regarded as the most costly cyber attack in history. NotPetya initially targeted Ukraine but ultimately caused more than $10B in damages globally. Its trail of destruction included crippling shipping operations around the globe, paralyzing US hospitals and government agencies, and wiping out entire corporate data centers. Moreover, Sandworm appears to have focused consistently on enabling attacks against Industrial Control System (ICS) networks.

Thus, even though more recent attacks like SolarWinds, Kaseya, and Colonial Pipeline are fresher in our memories, Sandworm is just as capable of global economic devastation, even outside the context of an invasion and the associated sanctions. And it is active now. Companies need to respond to this "Shields Up" alert and, in particular, need to focus on eliminating the root causes of malware injection and credential compromise that underlie the tactics, techniques, and procedures (TTPs) being used to inflict damage today.

Cyclops Blink

Cyclops Blink is a new malware initially discovered in firewall appliances sold by the networking company WatchGuard, with activity dating back to at least June 2019. The malware establishes an encrypted connection back to a command-and-control (C2) server over TLS. Once connected, it can exfiltrate data from the compromised network, download and execute files on the target device, and load new modules while running. It is deployed as part of a firmware "update", which gives it persistence across reboots and makes remediation more difficult. NCSC has published a detailed malware analysis report.

Given these capabilities, even though the initial infection may be modest (according to WatchGuard, only a small percentage of its appliances were affected), this malware could be used to mount secondary attacks, including on other networks, and to install secondary backdoors that let the attacker maintain access even after the initial malware is removed (as happened after the SolarWinds backdoor, SUNBURST, which was followed by at least one second-stage backdoor, SUNSHUTTLE). NCSC assesses Cyclops Blink to be the replacement for VPNFilter, which in 2018 infected roughly half a million routers, formed a global botnet, and monitored Modbus SCADA traffic in cyber-physical systems. Trend Micro noted that more than a third of the originally infected first-stage systems were still compromised two years later.

Further, NCSC and CISA warn that "Sandworm would be capable of compiling the malware for other architectures and firmware," and that its deployment is "indiscriminate and widespread." These are disconcerting statements. NotPetya, for example, also attributed to Sandworm, was initially delivered through a compromised update to M.E.Doc, accounting and tax software used almost exclusively within Ukraine, yet it left a trail of damage around the world. There is a clear history of both under-estimating the scope of damage and over-estimating the precision that these weapons can achieve.

While it does not appear to rise to the level of SolarWinds or Kaseya, Cyclops Blink highlights that advanced malware injection often targets firmware, which readily escapes detection by most of today's detection and response tools. It is therefore critical to monitor software integrity all the way from low-level firmware up through application code. And we hope it drives focus and priority toward implementing tools and capabilities that make these types of attacks irrelevant.

Again, we must move from detection and response to protection and prevention. We have a lot to say about how to do this. Here are some initial takes from this alert:

  • Software integrity matters. And that includes firmware.
    • All software needs to be signed and measured.
    • Trustworthy measurements depend on secure boot and hardware roots of trust — think technologies such as measured boot, TPM 2.0, and integrity measurement architecture (IMA).
    • Measurements should cover the complete security posture of every platform, from the legitimacy of the hardware through the firmware (UEFI BIOS), kernel, kernel modules and packages, and beyond, to establish a dynamic security-posture fingerprint. They should be continual, not a one-time check at boot.
    • Measurements need to be independently checked for correctness (via "remote attestation"), and a system's ability to operate should be tied to a correct attestation.
    • Communications with other systems should be predicated on these dynamic security-posture fingerprints.
  • Software supply chains matter. Software must be built in a trustworthy environment that signs its outputs. In a future post we will cover the many steps we take at Gradient to make our own software deterministically built, auditable, and trustworthy: image attestations, a software bill of materials (SBOM), infrastructure as code, measurements, and more.
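To make the measurement and attestation items above concrete, here is an added example (written for this page, not Gradient's code or product, and not part of the original post) of the verifier side of remote attestation in Python. A device's firmware, bootloader, and kernel are measured into TPM PCRs by the one-way extend operation; the verifier replays the device's event log, checks that it reproduces what the TPM actually signed, and only then compares each PCR against a golden reference before permitting the device to communicate. The PCR assignment, image digests, event logs, and attestation key are all constructed for illustration, and an HMAC stands in for the TPM attestation key's signature because the standard library has no asymmetric signing.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PCR_INIT = bytes(32)    # a SHA-256 PCR bank holds 32 zero bytes after reset
SELECTION = (0, 4, 8)   # illustrative split: PCR0 firmware, PCR4 bootloader, PCR8 kernel


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(current: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend: PCR_new = H(PCR_old || digest). One-way and order-sensitive,
    so nothing loaded later can 'un-measure' the firmware measured before it."""
    return sha256(current + digest)


@dataclass(frozen=True)
class Event:
    pcr: int          # PCR this boot stage was extended into
    component: str    # label, used only in the verifier's report
    digest: bytes     # SHA-256 of the image that was loaded


def replay_log(events):
    """Recompute every PCR from the event log the device hands over."""
    pcrs = {}
    for ev in events:
        pcrs[ev.pcr] = pcr_extend(pcrs.get(ev.pcr, PCR_INIT), ev.digest)
    return pcrs


def pcr_digest(pcrs, selection=SELECTION):
    """pcrDigest the way a TPM quote carries it: hash of the selected PCR values
    concatenated in ascending index order."""
    return sha256(b"".join(pcrs[i] for i in sorted(selection)))


# Stand-in for the TPM's attestation key (AK). A real AK is asymmetric and only its
# public half is enrolled with the verifier; HMAC is used here because the standard
# library has no asymmetric signing. Constructed value.
AK_KEY = b"constructed-attestation-key"


def tpm_quote(pcrs, nonce):
    """Device side: what TPM2_Quote over SELECTION returns for a verifier nonce."""
    digest = pcr_digest(pcrs)
    sig = hmac.new(AK_KEY, nonce + digest, hashlib.sha256).digest()
    return {"nonce": nonce, "pcr_digest": digest, "sig": sig}


def verify_attestation(quote, event_log, nonce, golden_log):
    """Verifier side. Returns (allowed, reasons). The checks are independent so the
    report names the failing layer instead of a bare 'denied'."""
    reasons = []
    # 1. Freshness: the quote must be over the nonce we just issued.
    if not hmac.compare_digest(quote["nonce"], nonce):
        reasons.append("quote does not cover our nonce (replayed or stale)")
    # 2. Authenticity: the quote must carry a valid AK signature.
    expected = hmac.new(AK_KEY, quote["nonce"] + quote["pcr_digest"], hashlib.sha256).digest()
    if not hmac.compare_digest(quote["sig"], expected):
        reasons.append("quote signature invalid")
    # 3. Log integrity: the software-reported log must replay to what the TPM signed.
    replayed = replay_log(event_log)
    if not hmac.compare_digest(pcr_digest(replayed), quote["pcr_digest"]):
        reasons.append("event log does not replay to the quoted PCRs (log tampered)")
    # 4. Policy: each selected PCR must equal the value the golden log produces.
    golden = replay_log(golden_log)
    for i in SELECTION:
        if replayed.get(i) != golden[i]:
            known = {g.digest for g in golden_log if g.pcr == i}
            bad = [ev.component for ev in event_log if ev.pcr == i and ev.digest not in known]
            reasons.append(f"PCR{i} off-policy: {', '.join(bad) or 'unknown component'}")
    return not reasons, reasons


# Constructed golden event log for one appliance model (the approved images).
GOLDEN_LOG = [
    Event(0, "firmware 12.7.2", sha256(b"constructed firmware image 12.7.2")),
    Event(4, "bootloader 2.04", sha256(b"constructed bootloader image 2.04")),
    Event(8, "kernel 5.10", sha256(b"constructed kernel image 5.10")),
]


def healthy_device(nonce):
    log = list(GOLDEN_LOG)
    return tpm_quote(replay_log(log), nonce), log


def tampered_firmware_device(nonce):
    """Firmware image replaced by a modified build (the Cyclops Blink pattern: the
    implant lives in the firmware). The boot ROM still measures what it loads."""
    implant = Event(0, "firmware 12.7.2", sha256(b"constructed firmware image 12.7.2 + implant"))
    log = [implant] + GOLDEN_LOG[1:]
    return tpm_quote(replay_log(log), nonce), log


def lying_log_device(nonce):
    """Same tampered firmware, but the implant rewrites the event log to look clean.
    It cannot rewind the PCR, so the quote and the log no longer agree."""
    quote, _ = tampered_firmware_device(nonce)
    return quote, list(GOLDEN_LOG)


if __name__ == "__main__":
    for name, device in [("healthy", healthy_device),
                         ("tampered firmware", tampered_firmware_device),
                         ("lying event log", lying_log_device)]:
        nonce = os.urandom(16)
        quote, log = device(nonce)
        allowed, why = verify_attestation(quote, log, nonce, GOLDEN_LOG)
        print(f"{name:18s} -> {'ALLOW' if allowed else 'DENY'} {why}")
```

The order of the checks is the point: a log that looks clean is worthless unless it replays to the PCR values the TPM signed, which is what defeats an implant that patches the firmware but can only forge what software reports, not what the hardware measured. On a real Linux appliance the same replay is done against `/sys/kernel/security/tpm0/binary_bios_measurements` for the boot stages and IMA's runtime log (extended into PCR 10) for files loaded after boot, with `tpm2_quote` and `tpm2_checkquote` from tpm2-tools producing and checking the signed quote.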