The service companies are known within the industry as original equipment manufacturers, or OEMs. They sometimes have remote access to critical parts of customer networks, as well as privileges that let them make changes to those networks, install new software, or even control critical operations.

This means that hackers who breached the OEMs could potentially use their credentials to control critical customer processes. “If an OEM has access to a network, and it’s bi-directional, it’s usually for more sensitive equipment like turbine control, and you could actually do disruptive actions,” Lee told The Intercept. “But just because you have access doesn’t mean you know what to do or how to do it. It doesn’t mean they can then flip off the lights; they have to do more after that.”

But compromising an OEM does magnify the potential risks to infrastructure.

“It’s particularly concerning because … compromising one OEM, depending on where you compromise them, could lead to access to thousands of organizations,” said Lee, a former critical infrastructure threat intelligence analyst for the NSA. “Two of the … OEMs that have been compromised … have access to hundreds of ICS networks around the world.”

Lee notes that in some cases the OEMs don’t just have access to customer networks - they actually directly infected their customers with the SolarWinds software. That’s because some of them use SolarWinds not just on their own networks, but also have installed it on customer networks to manage and monitor those, sometimes without the customers being aware this was done.

Lee wouldn’t identify the OEMs and doesn’t know if the SolarWinds hackers took an interest in them.

SolarWinds was compromised in March, modified with a so-called “backdoor” to provide an attacker access to the network of anyone who downloaded it. Government officials have linked the hack to Russia.

The backdoor, which security researchers at cybersecurity company FireEye have dubbed SUNBURST, gathers information about the infected network, then waits about two weeks before sending a beacon to a server owned by the hackers, along with information about the infected network, to signal that the infected system is open for them to surreptitiously enter. The hackers would have used that information to determine which targets they wanted to burrow into further. Once inside an infected system, the hackers could download more malicious tools and steal employee credentials to gain access to more critical parts of the network - collecting information or altering data or processes there.

Kevin Mandia, CEO of FireEye, has said the attackers only entered about 50 of the thousands of entities that were infected with the backdoor. Lee said the infections in the critical infrastructure sector occurred not just on companies’ IT networks but also sometimes on actual industrial control system networks that manage critical functions.

There is currently no evidence, however, that the hackers used the backdoor in the SolarWinds software to gain access into the 15 electric, oil, gas, and manufacturing entities that were infected with the software. But Lee notes that it may not be possible to uncover such activity if the attackers did access them and burrow further into the industrial control networks, because critical infrastructure entities generally don’t do extensive logging and monitoring of their control system networks.

“In these ICS networks, most organizations don’t have the data and visibility to actually look for the breach,” says Lee. “So they might determine if they are compromised, but … almost none of them have network logs to … determine if there is follow-on activity.”

But without logging to catch the infection and track the hackers’ movements through the network, the companies have to hunt for what looks like malicious behavior. He says all of the infected companies are “doing the necessary hunting and assuming they are compromised.” “And this is an adversary that burrows in deep and is very very hard to root out.”

Potential Operations Against a “Pretty Resilient” U.S.

It’s not the first time an OEM in the industrial control system has been hacked. In 2012, hackers believed to be from China breached an OEM called Telvent and stole engineering drawings and accessed files used to program industrial control systems. Telvent is a division of Schneider Electric that is headquartered in Spain, but its software is used in oil and gas pipelines across the U.S. and Canada, as well as some water control system networks. The breach raised concerns at the time that the hackers could have embedded malicious code in the software to infect customer control systems.