The massive WannaCry ransomware attack wreaked havoc, encrypting files on Windows endpoints and servers and impacting individuals and organizations around the globe.
While WannaCry was not specifically targeting industrial systems, it has been widely reported, and we have confirmed, that manufacturing plants were affected. In some cases, Windows systems running industrial control software were encrypted, causing failures that disrupted production. In other cases, companies halted production lines to investigate or remediate systems, a decision often driven by an abundance of caution for personnel safety and concern about damage to expensive assets.
This blog summarizes what happened, with a focus on the impact WannaCry and potential future variants may have on ICS environments. We also provide specific recommendations for ICS asset owners and operators.
We hope you find this information helpful and welcome feedback.
In response to the WannaCry outbreak, cybersecurity researchers worldwide quickly analyzed and documented the attack and how it was carried out.
A summary of events to date:
The speed at which the WannaCry worm spread sets this attack apart from previous ransomware campaigns. The malware combined several techniques to infect systems, including:
This self-propagation relied on EternalBlue, an exploit for a vulnerability in Microsoft's SMBv1 implementation (CVE-2017-0144), which Microsoft had patched in March 2017 in security bulletin MS17-010. WannaCry scanned for and exploited this vulnerability over TCP port 445, the port used by Server Message Block (SMB). We have numerous reports of WannaCry infections originating directly from the internet, and a quick search of the Shodan search engine shows that many organizations had SMB ports exposed to the internet. Opening a phishing email was therefore not required for the infection to spread: any reachable, unpatched host still speaking SMBv1 was a candidate.
EternalBlue was leaked by the Shadow Brokers, who have been releasing tools attributed to the U.S. National Security Agency since 2016. This matters to ICS asset owners because the Shadow Brokers released multiple exploits and vulnerabilities affecting Microsoft products that are common in ICS environments, not just the one WannaCry used. Given how difficult many asset owners find it to patch Windows and the other systems underpinning their ICS environments quickly, ICS security teams need to follow these developments and stay current with threat intelligence so that patches or compensating controls (such as disabling SMBv1 or blocking TCP 445 at network boundaries, both of which Microsoft recommended) can be applied as necessary.
As Claroty and others have warned, nation-state level tools and capabilities are now widely available, enabling less skilled attackers to execute campaigns with significant impact.
Without being hyperbolic, WannaCry should serve as an important wake-up call to ICS asset owners. The release of these tools and capabilities into the wild lowers the bar for threat actors ranging from criminals to less sophisticated nation-states, hacktivists and terrorists. This reality will likely lead to further attacks that unintentionally affect industrial systems, and it also gives adversaries who do want to target ICS systems better tools and methods to do so.
There are many excellent blogs explaining how the attack worked, why it propagated so rapidly, and what organizations should do to protect themselves. We suggest the following:
Customer Guidance for WannaCrypt attacks (Microsoft)
Player 3 Has Entered the Game: Say Hello to 'WannaCry' (Talos/CISCO)
How to Accidentally Stop a Global Cyber Attacks (MalwareTech)
The confluence of inherent weaknesses in ICS networks and WannaCry's distinctive propagation features made industrial environments particularly susceptible, both to WannaCry and to future variants of the malware.
Key weaknesses include:
WannaCry clearly demonstrates an uptick in the level of cyber risk faced by industrial asset owners and operators. It demonstrates a perfectly reasonable scenario in which an ICS network is heavily damaged, not by a targeted attack, but as unintended collateral damage. Prominent ICS attacks such as Stuxnet and BlackEnergy directly targeted specific organizations, leading many ICS stakeholders to ask ‘who would want to attack our network?’ The answer often played a prominent role in the risk calculus–bringing into question the likelihood of an attack and prompting too many organizations to downplay the importance of ICS network security.
WannaCry turns the tables and compels us to embrace the notion that material harm can be inflicted on any ICS network, even without specific targeting or apparent motive, by “overspray” from an attack targeted elsewhere. Further, the availability of “weapons grade” malware on the open market is changing the pool of threat actors that can launch targeted attacks and impact industrial systems. Threat actors can easily manipulate readily available exploit code and add a payload designed to damage ICS systems. Both the “who” and “how” part of the risk equation have changed.