Dragos reports surge in cyber threats across Nordic region, flags vulnerability in renewable energy sector – IndustrialCyber

Industrial cybersecurity company Dragos noted a significant increase in cyber threats across the Nordic countries, including Denmark, Finland, Iceland, Norway, and Sweden, as well as the autonomous territories of the Faroe Islands, Greenland, and the Åland region. The interconnectivity essential to their economies and societies also presents a substantial vulnerability for industrial infrastructure. Furthermore, the Nordic renewable energy sector has proven to be a lucrative target because of its critical importance to the region’s energy security. 

“The renewable energy sector across the Nordic region is a primary target for cyber operations, with adversaries focusing on wind, solar, nuclear, hydroelectric, and biofuels infrastructure,” Dragos highlighted in a recent blog post. “The critical importance of these assets for the region’s energy security makes them lucrative targets for cyber adversaries seeking to disrupt operations and cause economic harm.”

Data revealed that in 2023, Sweden witnessed a 30 percent increase in cyber incidents compared to the previous year, with similar trends observed across the region. Sweden also hosts about 57 percent of the region’s internet-connected ICS (industrial control systems) assets.

The report detailed that ICS/OT assets that are directly connected to the internet are trivial targets for adversaries intent on impacting OT systems. “These ICS/OT assets are at a high risk of disruptions to availability from DDoS and are often targeted by adversaries during the testing and development of offensive OT capabilities. Additionally, publicly connected ICS/OT assets are often targeted by hacktivists due to the high media coverage that ensues after an attack (whether successful or not),” it added. 

As of June 22, 2023, Dragos identified a total of 3,960 connected ICS/OT assets in the Nordic region, that is, internet-connected hosts running industrial protocols. A small portion of these may be honeypots rather than production systems. Approximately 87 percent of the publicly connected ICS/OT assets in the Nordic region expose an HTTP service and 62 percent expose a Modbus service. Modbus/TCP carries no authentication, so an exposed Modbus service lets anyone who can reach it read and write the device’s registers and coils.
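The way an internet-wide scan decides that a host is "running an industrial protocol" is usually a single Modbus/TCP request, most often function code 43 (Read Device Identification), which also returns vendor and product strings. The following is an added example, not Dragos's or IndustrialCyber's code; it builds that request, parses the reply, and treats a Modbus exception reply as a positive identification, because many devices that do not implement function 43 still answer it with an ILLEGAL FUNCTION exception. The target host, unit ID and the two sample replies at the bottom are constructed assumptions.

```python
"""Modbus/TCP Read Device Identification probe and response parser.

Added example, not Dragos's or IndustrialCyber's code. The host, unit ID
and the sample reply bytes at the bottom are constructed assumptions.
"""
import socket
import struct

MODBUS_TCP_PORT = 502
FC_ENCAPSULATED_INTERFACE = 0x2B   # function code 43
MEI_READ_DEVICE_ID = 0x0E          # MEI type 14
READ_DEVICE_ID_BASIC = 0x01        # basic objects 0x00-0x02

OBJECT_NAMES = {
    0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
    0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
    0x06: "UserApplicationName",
}
EXCEPTION_CODES = {
    0x01: "ILLEGAL FUNCTION", 0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE", 0x04: "SERVER DEVICE FAILURE",
}


def build_read_device_id(transaction_id=1, unit_id=1,
                         read_code=READ_DEVICE_ID_BASIC, object_id=0x00):
    """MBAP header followed by an FC 43 / MEI 14 PDU."""
    pdu = struct.pack(">BBBB", FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                      read_code, object_id)
    # MBAP: transaction id, protocol id (0 = Modbus), byte count of unit id + PDU, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame, expected_tid=1):
    """Parse one Modbus/TCP reply. An exception reply (function code with the
    high bit set) still proves the host speaks Modbus, so it is returned as a
    result with the exception named rather than raised as an error."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header plus a PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if tid != expected_tid:
        raise ValueError("transaction id mismatch: %d != %d" % (tid, expected_tid))
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("truncated PDU")
    fc = pdu[0]
    if fc & 0x80:
        code = pdu[1]
        return {"unit": unit, "exception": EXCEPTION_CODES.get(code, "0x%02x" % code),
                "objects": {}}
    if fc != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("unexpected function/MEI 0x%02x/0x%02x" % (fc, pdu[1]))
    _read_code, conformity, more_follows, _next_obj, count = pdu[2:7]
    objects = {}
    pos = 7
    for _ in range(count):                    # each object: id, length, value
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("object 0x%02x truncated" % oid)
        objects[OBJECT_NAMES.get(oid, "0x%02x" % oid)] = value.decode("ascii", "replace")
        pos += 2 + olen
    return {"unit": unit, "exception": None, "conformity": conformity,
            "more_follows": bool(more_follows), "objects": objects}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def probe(host, port=MODBUS_TCP_PORT, unit_id=1, timeout=3.0):
    """Send one Read Device Identification request and parse the reply.
    Only run this against systems you are authorised to test."""
    request = build_read_device_id(transaction_id=1, unit_id=unit_id)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        header = _recv_exact(sock, 7)
        length = struct.unpack(">H", header[4:6])[0]
        body = _recv_exact(sock, length - 1)
    return parse_response(header + body, expected_tid=1)


# Constructed sample replies (not captured from any real device).
SAMPLE_IDENT_RESPONSE = (
    bytes.fromhex("0001 0000 001f 01 2b 0e 01 01 00 00 03")
    + bytes([0x00, 0x09]) + b"ExampleCo"
    + bytes([0x01, 0x05]) + b"PLC-1"
    + bytes([0x02, 0x03]) + b"1.0"
)
SAMPLE_EXCEPTION_RESPONSE = bytes.fromhex("0001 0000 0003 01 ab 01")

if __name__ == "__main__":
    print(parse_response(SAMPLE_IDENT_RESPONSE))       # vendor/product strings
    print(parse_response(SAMPLE_EXCEPTION_RESPONSE))   # still identifies Modbus
```

The check a defender wants from this is the inverse of the scanner's: run `probe()` from outside the perimeter against your own address space, and any host that returns either a device identification or a Modbus exception is an ICS/OT asset that should not be reachable from the internet.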

Over the past year, DDoS (Distributed Denial of Service) attacks have surged by 40 percent, targeting critical infrastructure such as transportation and public services and significantly disrupting daily operations. Hacktivist DDoS is prolific in the Nordic region. While hacktivism is generally a superficial threat to OT systems, the hacktivists operating in the Nordic region have some concerning ties to larger threats: Anonymous Sudan is reported to be a subgroup of the pro-Russian threat actor Killnet. This relationship increases the likelihood that these hacktivist groups will receive strategic tasking to aid Russian state objectives, or serve as distraction operations that benefit other Russian operations. 

Dragos noted that two principal hacktivist groups have conducted prominent operations in the Nordic region. Anonymous Sudan disrupted the websites of Swedish Railways and Scandinavian Airlines with DDoS attacks in February 2023. NoName057(16), using its crowdsourced DDoS tool DDoSia, targeted Swedish postal and telecommunication services in 2023. Additionally, SocRadar reported that 18.4 percent of NoName057(16) attacks were directed at Sweden in January 2023.

Analysis shows that 54 percent of the VPN appliances sampled in the Nordic renewable energy sector are Cisco SSL VPNs, a product family for which exploited vulnerabilities regularly appear on the CISA KEV list. This concentration means a single new exploit would affect a large share of the region’s remote access. Additionally, the company’s engagements at hydroelectric dams, wind farms, and solar farms identified many critical findings that elevated risk for those customers, including vendor-managed control systems, lack of ICS/OT network segmentation, insecure file transfer protocols, internet-connected OT systems, limited security controls for remote access, and use of insecure protocols and credentials.

Dragos also pointed to the growing threat of wiper malware in the Nordic region, which parallels previous disruptions seen in Ukraine. This type of malware poses a serious risk to the digital infrastructure of the Nordics, particularly affecting critical systems indirectly through their interconnected networks.

The AcidRain wiper was deployed against satellite communications provider Viasat in Ukraine, and its impact spilled over into wind farms in Germany. The wiper did not infect the wind farms’ OT processes, but the turbines lost their satellite communications because the modems serving them were wiped in the attack on the provider. The AcidRain operators achieved initial access into the target environment by exploiting VPN devices. 

Lateral movement into the trust management segment of the Viasat KA-SAT network preceded deployment of the wiper. At least six wipers have been deployed in Ukraine since the beginning of the Russian invasion, including WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero.

Headquartered in Hanover, Maryland, Dragos finds that the changing cybersecurity landscape raises several pressing challenges within the Nordic region. One is the protection of renewable energy infrastructure, which will need strong cybersecurity as the transition to sustainable energy accelerates. Another is regional and international cooperation: deeper defense collaboration among the Nordic countries and with European allies, more intelligence sharing, and joint cybersecurity practices would substantially reduce the prevalent threats.

The report also addresses the security of emerging technologies, noting that the rollout of 5G and the Internet of Things (IoT) widens the attack surface. Prioritizing the security of these technologies is crucial given their growing role in Nordic critical infrastructure.

Dragos-tracked OT threat groups such as Kostovite, Kamacite, and Bentonite have a demonstrated history of rapidly tooling and exploiting ‘known exploited vulnerabilities’ (KEVs). KEVs on VPN and remote access devices are a target of choice for threat actors seeking initial access into industrial asset owner networks. Dragos sampled 30 publicly facing VPN devices from renewable energy asset owners in the Nordic region and found that 54 percent of the enterprise VPNs in use are Cisco SSL VPNs and 27 percent are Citrix remote access solutions. 

While Dragos does not assert that one VPN solution is more secure than another, exploits for Cisco and Citrix remote access products regularly appear on the CISA KEV list. Because these two vendors account for most of the sampled devices, a new Cisco SSL VPN or Citrix VPN exploit will have a proportionally larger impact in the Nordic renewable energy space.
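The practical check behind the two paragraphs above is to cross-reference an inventory of internet-facing remote access devices against the CISA KEV catalog, which is published as JSON, and to prioritise by the catalog's own due date and ransomware-use flag. The following is an added example, not Dragos's code. The inventory, the KEV slice and the CVE identifiers in it (CVE-0000-000x) are constructed placeholders, not real vulnerabilities; only the field names follow the real feed, and `fetch_kev()` pulls the live catalog when run with network access.

```python
"""Cross-check a VPN appliance inventory against the CISA KEV catalog.

Added example; not Dragos's code. INVENTORY, KEV_SAMPLE and the CVE IDs in
it are constructed placeholders (CVE-0000-000x), not real vulnerabilities.
Only the JSON field names match the real feed.
"""
import json
import urllib.request
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed inventory (assumption): internet-facing remote-access devices.
# KEV carries vendor/product only, never versions, so that is all we match on.
INVENTORY = [
    {"host": "vpn-1.example.invalid", "vendor": "Cisco", "product": "ASA"},
    {"host": "vpn-2.example.invalid", "vendor": "Citrix", "product": "NetScaler Gateway"},
    {"host": "vpn-3.example.invalid", "vendor": "OtherVendor", "product": "SSL VPN"},
]

# Constructed slice of the feed with placeholder CVE IDs; same keys as the real catalog.
KEV_SAMPLE = {
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Cisco",
         "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)",
         "vulnerabilityName": "placeholder", "dateAdded": "2023-10-01",
         "dueDate": "2023-11-01", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway",
         "vulnerabilityName": "placeholder", "dateAdded": "2023-12-15",
         "dueDate": "2024-02-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor",
         "product": "Firewall", "vulnerabilityName": "placeholder",
         "dateAdded": "2023-12-20", "dueDate": "2024-01-10",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
}


def fetch_kev(url=KEV_FEED_URL, timeout=20):
    """Download the live catalog (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def _matches(asset, entry):
    """Vendor must match exactly; product name must appear in KEV's product string."""
    vendor_ok = asset["vendor"].lower() == entry["vendorProject"].lower()
    product_ok = asset["product"].lower() in entry["product"].lower()
    return vendor_ok and product_ok


def match_inventory(inventory, kev, today):
    """One row per (asset, KEV entry) pair, highest priority first.
    `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for asset in inventory:
        for entry in kev["vulnerabilities"]:
            if not _matches(asset, entry):
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "overdue": due < today,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    # Past the CISA due date first, then known ransomware use, then soonest due date.
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["dueDate"]))
    return rows


if __name__ == "__main__":
    for row in match_inventory(INVENTORY, KEV_SAMPLE, "2024-01-01"):
        print(row)
```

A KEV match is a prioritisation signal, not proof that the device is vulnerable: the catalog has no version data, so each hit still has to be confirmed against the running firmware and the vendor advisory. Vendor and product strings in the live feed are not normalised, so real-world matching usually needs a small alias table on top of the substring test used here.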

Drawing on the 2023 ODNI Threat Assessment and the alleged contracts between the Russian company NTC Vulkan and the Russian Ministry of Defense, Dragos assesses with low confidence that Russia will continue to use energy as a foreign policy tool to pressure and destabilize Western Ukraine, and advises owners of ICS/OT assets in the Nordic region to prepare accordingly. Dragos further assesses with moderate confidence that Nordic renewable energy systems are likely to be targeted, with DDoS the method favored by the threat actors active in the region.

The 2023 ODNI Threat Assessment indicates that Russia may target ports to control or threaten exports in the region. Dragos assesses with low confidence that Nordic port operations could be targeted to influence regional exports. Because many Nordic ports maintain a public-facing internet presence, their networks are reachable for attempts at operational disruption.

Dragos assesses with low confidence that Nordic critical infrastructure entities may be targeted with malware that relies on ‘living off the land’ (LOTL) techniques, that is, abuse of tooling already present on the victim’s systems. According to the NTC Vulkan Files, development of LOTL-style malware is favored. Dumping the memory of the LSASS process to harvest credentials, which in turn enables lateral movement and further privilege escalation, is among the TTPs Microsoft reported for the threat actor it tracks as Cadet Blizzard. 
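Because LOTL tradecraft uses signed, built-in binaries, detection has to key on behaviour rather than on a malicious file hash. The following is an added example, not Dragos's or Microsoft's code: detection logic for LSASS credential dumping run over constructed Sysmon-style events, covering both a custom tool opening a read handle to lsass.exe (Event ID 10, ProcessAccess) and the living-off-the-land variant that invokes the MiniDump export of comsvcs.dll through rundll32 (Event ID 1, ProcessCreate). The hosts, paths, PIDs and the allowlist are assumptions; the field names follow Sysmon's.

```python
"""LSASS dump detection over constructed Sysmon-style events.

Added example, not Dragos's or Microsoft's code. SAMPLE_EVENTS, the hosts,
paths and the ALLOWED_SOURCES allowlist are constructed assumptions; the
field names follow Sysmon Event ID 1 (ProcessCreate) and 10 (ProcessAccess).
"""
import re

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Processes expected to open LSASS with read access (AV/EDR, core Windows
# components). Assumption: tune to the environment and keep it short.
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# CallTrace frames pointing at minidump libraries or at unbacked (injected) code.
DUMP_CALLTRACE_MARKERS = ("dbghelp.dll", "dbgcore.dll", "unknown")

# rundll32 comsvcs.dll MiniDump (or its ordinal, #24) is a documented LOTL dump method.
COMSVCS_MINIDUMP = re.compile(r"comsvcs(\.dll)?\s*,?\s*(#24|minidump)", re.IGNORECASE)


def _norm(path):
    return (path or "").lower()


def check_process_access(ev):
    """Event ID 10: a process opened a handle to lsass.exe."""
    if not _norm(ev.get("TargetImage")).endswith(r"\lsass.exe"):
        return None
    if _norm(ev.get("SourceImage")) in ALLOWED_SOURCES:
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None  # query-only handles such as 0x1000 / 0x1400 are routine
    calltrace = _norm(ev.get("CallTrace"))
    severity = "high" if any(m in calltrace for m in DUMP_CALLTRACE_MARKERS) else "medium"
    return {"rule": "lsass_read_access", "severity": severity,
            "host": ev.get("Computer"), "source": ev.get("SourceImage"),
            "granted": hex(granted)}


def check_process_create(ev):
    """Event ID 1: LOTL dump via rundll32 + comsvcs.dll MiniDump."""
    cmd = ev.get("CommandLine", "")
    if "rundll32" in _norm(ev.get("Image")) and COMSVCS_MINIDUMP.search(cmd):
        return {"rule": "comsvcs_minidump", "severity": "high",
                "host": ev.get("Computer"), "source": ev.get("Image"), "command": cmd}
    return None


def detect(events):
    """Run both rules over a sequence of event dicts; return the alerts raised."""
    alerts = []
    for ev in events:
        hit = None
        if ev.get("EventID") == 10:
            hit = check_process_access(ev)
        elif ev.get("EventID") == 1:
            hit = check_process_create(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed events: two benign LSASS handles, one suspicious handle, one LOTL dump, one noise.
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "hmi-01.example.invalid",
     "SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"EventID": 10, "Computer": "hmi-01.example.invalid",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1fffff", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234"},
    {"EventID": 10, "Computer": "eng-ws-07.example.invalid",
     "SourceImage": r"C:\Users\Public\svc_update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\dbgcore.dll+1f2a"},
    {"EventID": 1, "Computer": "eng-ws-07.example.invalid",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 724 C:\Users\Public\ls.dmp full"},
    {"EventID": 1, "Computer": "eng-ws-07.example.invalid",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\eng\notes.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two caveats matter in practice. Opening LSASS for reading requires administrative rights (SeDebugPrivilege), so either alert means the adversary already holds local admin on that host and the response is containment, not just triage. And because rundll32 and comsvcs.dll are signed Windows components, the comsvcs rule depends on command-line logging being enabled; without it the LOTL variant leaves only the Event ID 10 handle open to catch it.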

In conclusion, Dragos identified the SANS 5 Critical Controls for World-Class OT Cybersecurity (ICS-specific incident response, a defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management) as a vital framework for addressing the unique cyber threats to the Nordic region’s OT landscape. These controls are essential for strengthening the region’s defenses against OT cyber threats.
