Hsinchu, Taiwan – Nov 3, 2021 – Surprisingly, the FBI, CISA (Cybersecurity and Infrastructure Security Agency), EPA (Environmental Protection Agency) and NSA (National Security Agency) of the United States of America issued a joint alert on October 14, 2021: “Alert (AA21-287A) Ongoing Cyber Threats to U.S. Water and Wastewater Systems”. This joint alert described three previously unreported ransomware attacks that impacted ICS (industrial control systems) at water facilities. More precisely, the SCADA (supervisory control and data acquisition) systems at these three water facilities were attacked by ransomware.
For decades, we have referred to computers and data networks as IT (information technology), while the operation and program control of ICS (industrial control systems) is usually referred to as OT (operational technology). IT and OT have different focuses. OT focuses on stable, uninterrupted operation over long periods of time. OT networks were traditionally operated in isolation and were therefore considered very safe.
However, IT and OT are usually integrated nowadays for convenience and efficiency. This exposes the OT network to the large amount of malicious content coming from the IT network. Furthermore, some malware specifically targets, or is simply delivered to, industrial systems such as nuclear power plants, oil companies and other public facilities. The OT network is now as exposed as the IT network.
The “Alert (AA21-287A) Ongoing Cyber Threats to U.S. Water and Wastewater Systems” joint alert mentioned that Ghost and ZuCaNo variant ransomware were two of the three assassins that cyber-attacked the water facilities. The third assassin is an unknown ransomware. In fact, the Ghost and ZuCaNo ransomware families are quite old and have many variants. Ghost is also known as Farfli, and ZuCaNo is derived from the Xorist virus.
Lionic has been watching the Ghost/Farfli and ZuCaNo/Xorist families for a long time. So far, Lionic has collected roughly three thousand Ghost/Farfli variant ransomware samples and roughly one thousand ZuCaNo/Xorist variant ransomware samples, and these numbers are still growing. Because of these large numbers, products based on Lionic Anti-Virus technology should enable the cloud-based scan to obtain full protection against the Ghost/ZuCaNo ransomware families.
Partial list of Cloud Anti-Virus rules for Ghost/Farfli variant ransomware:
Rule ID | Virus Name | Release Date
Partial list of Cloud Anti-Virus rules for ZuCaNo/Xorist variant ransomware:
Rule ID | Virus Name | Release Date
Once the OT network is connected to the IT network, the OT network must guard against both malware and cyber-intrusions. Some OT network security devices have only Anti-Intrusion capability and no Anti-Virus capability. That is not enough against the full range of cyber-threats today.
This ransomware incident at water facilities serves as a powerful reminder of how important it is to install one Pico-UTM 100 for each important machine in the OT network. Pico-UTM 100 offers full protection, including Anti-Virus, Anti-Intrusion, Anti-WebThreat and Firewall features. In addition, equipment in OT networks usually runs very old Windows, Linux or other operating systems. These old operating systems contain many known vulnerabilities and are usually very hard to upgrade. Pico-UTM 100 also provides Anti-Virus and Anti-Intrusion rules specifically for protecting old MS-Windows and other operating systems, acting as “Virtual Bug Fixes” or a “Virtual Patch”.
It is highly likely that those water facilities could have minimized the impact of the ransomware catastrophe if they had deployed Pico-UTM 100 units widely in their OT networks. We recommend that OT network managers consider deploying one Pico-UTM 100 for each important machine to block ransomware and attacks on old vulnerabilities in advance.
- Alert (AA21-287A) Ongoing Cyber Threats to U.S. Water and Wastewater Systems, https://us-cert.cisa.gov/ncas/alerts/aa21-287a
- Ransomware Hit SCADA Systems at 3 Water Facilities in U.S., https://www.securityweek.com/ransomware-hit-scada-systems-3-water-facilities-us
- SCADA, https://en.wikipedia.org/wiki/SCADA
- Stuxnet, https://en.wikipedia.org/wiki/Stuxnet
- Hackers Breached Colonial Pipeline Using Compromised Password, https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
About Lionic Corporation
Lionic Corporation is a worldwide provider of innovative Deep Packet Inspection solutions. Lionic’s technologies include a complete DPI-based software engine and related management software, which offer Security Solutions that address anti-virus, anti-intrusion and anti-webthreat, and Content Management Solutions that address application identification, device identification, application-based QoS, web content filtering and parental control.
Lionic’s security and content management solutions, cloud-based scan services and signature subscription service are already widely deployed around the world. They help service providers, network appliance manufacturers, semiconductor companies and others to enable the next generation of business routers, residential gateways, SD-WAN edges and cloud gateways, advanced firewalls, UTMs, Smart NICs and mobile devices. Products powered by Lionic provide better network management and protect the world’s networks from an ever-increasing level of security threats.