Attack Methods on Air-Gapped or Network-Isolated ICS Systems
Take action: Start educating your organization on the risks of using USB drives to transfer data to and from the air-gapped systems in the organization. Make sure that only a few well-controlled and well-protected computers (usually Linux, with full anti-malware active and strict access controls) are the source of the USB devices used to transfer data to and from the air-gapped systems. If possible, disable the use of USB storage on the other parts of the IT network.
For decades now, the gold standard of system isolation in industrial control system (ICS) environments has been the air-gapped system.
The ultimate trust in air-gap as a security control
An air-gapped system is a computer or network that is physically isolated from external networks and the internet, making it inaccessible to unauthorized or remote connections. This isolation is implemented to enhance security and prevent potential cyberattacks or data breaches that could be executed through online channels.
The apparent isolation of ICS systems behind an air-gap has lulled many organizations into a false sense of security about their air-gapped systems, even to the point where such systems don't require a password to log in.
Air-gap is no longer enough
Now there is a cyber threat specifically designed to bypass air-gapped defenses. This threat was brought to light by researchers from Kaspersky ICS-CERT while investigating cyberattacks targeting ICS and critical infrastructure in Eastern Europe.
The attackers were found to be using a second-stage malware that manages to circumvent the typical data security measures provided by an air-gapped system.
Second-stage malware, also known as secondary or payload malware, is malicious software that is deployed after an initial infection has already occurred on a target system. Its primary purpose is to establish a permanent presence on the target network, enabling the attackers to exfiltrate sensitive data.
How does malware circumvent the air-gap?
As usual, the malware makes deliberate efforts to obfuscate its actions, utilizing encrypted payloads, memory injection, and DLL hijacking. These tactics demonstrate the sophistication of the attackers' approach and make detection and prevention more challenging.
It's not enough to enter a system; the value is in data theft
In addition to the main malware, two further sets of second-stage tools are present that facilitate the transmission of stolen data from a local computer. In essence, they wait for the infected USB drive to be returned to the IT network after it has been inserted into an air-gapped computer and has copied data from it.
Once they detect a USB drive carrying copied data, they package that data and, following instructions from a command-and-control (C2) server, exfiltrate it to a cloud storage service such as Dropbox.
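The exfiltration chain above relies on a USB drive that has touched an air-gapped host being plugged back into an ordinary IT workstation, which is exactly what the "only a few controlled transfer stations" rule at the top of this article is meant to prevent. The following check is an added example, not code from the original article or from the Kaspersky research: it correlates constructed USB insertion records across zones and flags every device that returns from the air-gapped zone to an IT host other than an approved transfer station. The log format, host names, zone labels and the `TRANSFER_STATIONS` allowlist are all assumptions made for the example.

```python
"""Flag USB media that cross from the air-gapped zone back into the IT
network on hosts other than the approved transfer stations."""

# Constructed sample of USB mass-storage insertion events (hypothetical
# format, not from the article): timestamp|hostname|zone|device_serial
SAMPLE_LOG = """\
2024-03-01T08:00:00|xfer-station-01|it|USB-SN-1001
2024-03-01T09:30:00|plc-hmi-07|airgap|USB-SN-1001
2024-03-01T14:05:00|xfer-station-01|it|USB-SN-1001
2024-03-02T08:10:00|xfer-station-02|it|USB-SN-2002
2024-03-02T10:00:00|scada-eng-03|airgap|USB-SN-2002
2024-03-02T16:45:00|finance-laptop-11|it|USB-SN-2002
2024-03-03T11:00:00|hr-desktop-04|it|USB-SN-3003
"""

# Assumed allowlist: the only IT hosts permitted to stage USB media
# for the air-gapped zone (the "few, well controlled" computers).
TRANSFER_STATIONS = {"xfer-station-01", "xfer-station-02"}


def parse_log(text):
    """Parse pipe-separated insertion records into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, zone, serial = line.split("|")
        events.append({"ts": ts, "host": host, "zone": zone, "serial": serial})
    return events


def find_violations(events):
    """Return (kind, serial, host, ts) tuples in time order.

    'airgap_return'  : a device previously seen on an air-gapped host shows
                       up on an IT host that is not a transfer station; this
                       is the hand-off the second-stage tools wait for.
    'unapproved_usb' : any other USB use on a non-station IT host, which the
                       disable-USB-elsewhere policy should already block.
    """
    seen_in_airgap = set()
    violations = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if ev["zone"] == "airgap":
            seen_in_airgap.add(ev["serial"])
        elif ev["zone"] == "it" and ev["host"] not in TRANSFER_STATIONS:
            kind = "airgap_return" if ev["serial"] in seen_in_airgap else "unapproved_usb"
            violations.append((kind, ev["serial"], ev["host"], ev["ts"]))
    return violations


if __name__ == "__main__":
    for v in find_violations(parse_log(SAMPLE_LOG)):
        print(*v)
```

In the sample, the drive USB-SN-1001 travels only between an approved station and the air-gapped host and is not flagged, while USB-SN-2002 surfacing on a finance laptop after visiting an engineering workstation is the cross-zone event worth an immediate investigation.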
It's a very patient malware.
Since all of these actions depend on human behaviour, the malware must remain invisible, patient and dormant for a long time: days, weeks, even months. This indicates a high level of sophistication and deliberate targeting of ICS systems, whether in manufacturing, utilities, energy, or even the military.