Until now, the use of malware specifically designed to attack industrial control systems has been confined to fairly rare high-level nation-state attacks such as those which targeted nuclear enrichment centrifuges in Iran and caused blackouts in Ukraine.
But a new form of OT ransomware specifically designed to attack industrial controls has been identified. Since the start of 2020, cybersecurity researchers across a number of firms have identified a brand new piece of code called “Snake” or EKANS. In addition to encrypting existing data and demanding a ransom in Bitcoin, EKANS also appears to have been created to terminate a total of 64 separate software processes on the victim organization’s computers. Crucially, many of these processes belong to software used to run industrial control systems. It is believed that the Megacortex malware which appeared in the spring of last year could have been an early variant of EKANS.
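The behaviour described above, a single process killing many others in quick succession before encryption starts, is something a defender can look for in endpoint telemetry. The following is an added example, not code from the original article or from any EKANS analysis: it parses constructed process-termination log lines and flags any actor that kills an unusually large number of distinct processes inside a short window, noting which of them match a site-specific list of ICS software. The log format, the process names and the ICS list are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real EKANS telemetry): one line per
# process-termination event, in the shape an EDR or Sysmon-style feed might emit.
SAMPLE_LINES = [
    "2020-02-01T10:00:00 actor=explorer.exe killed=notepad.exe",
    "2020-02-01T10:03:12 actor=updater.exe killed=historian.exe",
    "2020-02-01T10:03:13 actor=updater.exe killed=hmi_runtime.exe",
    "2020-02-01T10:03:13 actor=updater.exe killed=opc_server.exe",
    "2020-02-01T10:03:14 actor=updater.exe killed=sqlservr.exe",
    "2020-02-01T10:03:15 actor=updater.exe killed=backup_agent.exe",
    "2020-02-01T10:03:16 actor=updater.exe killed=av_service.exe",
    "2020-02-01T10:30:00 actor=explorer.exe killed=calc.exe",
]

# Hypothetical names standing in for the ICS software a site actually runs;
# a real deployment would list its own historian, HMI and OPC processes.
ICS_RELATED = {"historian.exe", "hmi_runtime.exe", "opc_server.exe"}

LINE_RE = re.compile(r"^(\S+) actor=(\S+) killed=(\S+)$")

def parse_event(line):
    """Return (timestamp, actor, victim) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_kill_bursts(lines, window_seconds=60, min_kills=5, ics_names=ICS_RELATED):
    """Flag each actor whose busiest window_seconds window contains at least
    min_kills distinct terminated processes. Returns findings sorted by actor."""
    by_actor = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            by_actor[ev[1]].append((ev[0], ev[2]))
    window = timedelta(seconds=window_seconds)
    findings = []
    for actor, events in by_actor.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            victims = {v for _, v in events[start:end + 1]}
            if len(victims) > len(best):
                best = victims
        if len(best) >= min_kills:
            findings.append({"actor": actor, "count": len(best),
                             "ics_hits": sorted(best & ics_names)})
    return sorted(findings, key=lambda f: f["actor"])
```

Tune `min_kills` and `window_seconds` against a baseline of normal shutdown and patching activity on the network before alerting on the result.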
Researchers are far from clear on whether EKANS has been developed by financially-motivated cyber criminals or by nation-states. An organization that has been breached by EKANS may see this distinction as academic and in no way immediately relevant to blocking and containing the breach. However, understanding the motive behind an attack can be vital in knowing how to proceed in the crucial hours or days following an initially successful ransomware breach.
There is a growing fear in the US and Europe that potentially hostile nation states, such as Iran, are planning to cause significant economic damage by attacking critical infrastructure and manufacturing plants with malware specifically designed to compromise industrial control systems. Some researchers believe that the emergence of the EKANS malware in recent weeks could be evidence of this strategy now being executed by a hostile nation state.
The fact that the perpetrators demand a ransom does not preclude their being state actors. A primary advantage of a cyber attack for a power such as China or Russia is its plausible deniability. If the downtime and data loss caused by an attack can be disguised as a ransomware attack that went wrong, the nation-state responsible can claim that the threat actors behind the attack were common criminals motivated purely by financial gain. Even if the attack can be traced to a server inside a potentially hostile nation state, the government concerned has a good case for denying responsibility and claiming it is doing everything it can to bring the perpetrators to justice. If the intention behind the attack is to cause maximum disruption and damage, then meeting the ransom demand may not prevent the attackers from wiping crucial data.
Bahrain’s national oil company, Bapco, is currently refusing to comment on industry rumors that it has been hit by an EKANS malware attack. It appears likely that Bapco may have been the victim of a nation-state backed attack posing as a criminal act. This would not be the first time neighboring Iran has tried to damage Bahrain’s infrastructure through cyber attacks; Iran is known to have recently hacked into the Bapco system using “Dustman” malware.
It is highly likely, however, that many other targets worldwide have also been hit. Manufacturing companies and utilities that have suffered a sophisticated ransomware attack such as EKANS should lose little time in calling in a specialist OT security company to contain the damage and identify the source of the attack. The earlier this is done, the shorter the downtime will be.
The OT security company must be one with a thorough understanding and experience of the complexity of modern OT networks, which can now include thousands of assets with a high traffic rate and diverse and complex communication patterns. Once the cybersecurity researchers have carried out a thorough and comprehensive inspection of the entire network and discovered the location of the attack and identified the type of malware used, steps can immediately be taken to minimize the damage. Infected assets can be backed up and quarantined while all access points that have been exploited can be quickly sealed. Any delay at this stage would, at the very least, cause significant downtime and possibly lasting damage.