Clouds of Dangerous TLStorm Appear on the Horizon

Probably everyone has heard of zero-day attacks. These are attacks that take advantage of previously unknown software or hardware vulnerabilities to accomplish their goals. However, such attacks are rare, generally coming from well-funded government or private hacking groups. Most serious cyberattacks occur when hackers exploit known vulnerabilities that have not been patched. These attacks succeed in proportion to the number of devices that still contain the vulnerability, and it only takes one unpatched device for capable hackers to move into a network and wreak havoc.

Not all vulnerabilities are created equal. Some are far more serious than others, and such is the case with a new set of vulnerabilities discovered in APC Smart-UPS devices. This will take some explaining, and I'll risk oversimplifying to make them understandable, because I believe this is one of the most serious vulnerabilities I've run across in some time.

APC (formerly American Power Conversion Corporation) is a subsidiary of Schneider Electric, a large global energy management corporation with ties to governments and large industries throughout the world. APC produces uninterruptible power supply (UPS) devices. These are designed to supply backup power to equipment that cannot withstand any interruption in its power supply. There is normally a time lag between the loss of mains power and the moment a backup source such as a generator kicks in; the UPS, running on its own batteries, fills that gap. Without such protection, expensive equipment could be destroyed or behave in ways that could even cause explosions, leading to injuries and loss of life. The world's largest UPS, a battery installation in Fairbanks, Alaska, can carry the entire city through a blackout until backup generation takes over. According to Armis, the company that found the vulnerabilities in these devices, more than 20 million units have been sold worldwide, and almost 8 out of 10 companies are exposed to the three flaws it discovered and collectively named TLStorm.

Current APC Smart-UPS devices can be managed remotely through a cloud connection to Schneider's servers. This means that an attacker could, using these vulnerabilities, take over the devices from the internet without ever touching them. Once a device is compromised, hackers would have a variety of options. They could change the device's operating parameters so that it malfunctions, potentially damaging the very equipment it was meant to protect. They could cut power to everything behind it and bring down an entire network. Whole companies could be taken offline, or, in the most extreme case, the power grid could be disrupted.

The damage that would result from attacking these devices depends on the industries they are used in. Armis gives a breakdown of the use of UPS devices across sectors, and it is apparent at a glance just how extensively they are deployed.

The vulnerabilities come in two kinds. Two are flaws in the device's TLS implementation, the protocol it uses to talk to the Schneider cloud, which let an attacker who can get between the device and that cloud take control of it; the third is a flaw in the firmware update mechanism, which lets an attacker push a compromised firmware image that the device will accept because updates are not cryptographically signed. SCADA (supervisory control and data acquisition) networks connected to these devices would then be in danger of manipulation. SCADA systems are those that control machinery and general plant operations. Stuxnet was the first widely known attack to manipulate such networks, but since then there have been numerous attacks using this vector, some of which, had they succeeded, would have been devastating. This chart from FirstPoint shows which sectors have been most attacked.
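Armis's write-up attributes the update flaw to firmware images that are encrypted but carry no cryptographic signature. The following script, added here and not code from Schneider, APC, Armis or this post, shows in toy form why encryption alone is not enough: a verifier that only decrypts and checks a header accepts anything built with the fleet-wide key, which an attacker can lift from any one unit, while a verifier that checks a vendor signature against a public key burned into the device rejects both a spliced payload and an attacker-signed image. The image layout, the SHA-256 keystream "cipher", the unpadded textbook RSA with a 512-bit modulus, and the attack scenarios are all assumptions chosen so the script runs offline with only the Python standard library.

```python
"""Toy firmware-update verifier: "decrypt and check a header" versus "verify a
vendor signature".  Constructed example; the image layout, the XOR keystream
cipher and the unpadded textbook RSA are assumptions made so it runs with only
the standard library.  Nothing here is Schneider/APC code or the real format."""
import hashlib
import random
import struct

MAGIC = b"UPSFW1"                      # assumed header marker
rng = random.Random(2022)              # seeded so key generation is reproducible

# --- toy symmetric cipher, one key shared by the whole product line (assumption) ---
FLEET_KEY = hashlib.sha256(b"fleet-wide firmware key (assumed)").digest()

def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for AES so no extra library is needed."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">I", ctr)).digest()
        ctr += 1
    return bytes(out[:n])

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

# --- textbook RSA (toy 512-bit modulus, no padding) ---
def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 512):
    """Return ((d, n), (e, n)): private key, public key."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this is gcd(e, phi) == 1
            return (pow(e, -1, phi), p * q), (e, p * q)

def sign(priv, data: bytes) -> bytes:
    d, n = priv
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")   # h < 2**256 < n
    return pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def verify(pub, data: bytes, sig: bytes) -> bool:
    e, n = pub
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    s = int.from_bytes(sig, "big")
    return 0 < s < n and pow(s, e, n) == h

VENDOR_PRIV, VENDOR_PUB = rsa_keygen()   # only VENDOR_PUB ever lives in the device
ATTACKER_PRIV, _ = rsa_keygen()          # a key the attacker generated themselves
SIG_LEN = (VENDOR_PUB[1].bit_length() + 7) // 8

def header(version: int) -> bytes:
    return MAGIC + struct.pack(">H", version)

# --- weak design: image is encrypted, device only checks that it decrypts sensibly ---
def build_legacy_image(version: int, payload: bytes) -> bytes:
    return xor_crypt(FLEET_KEY, header(version) + payload)

def legacy_accepts(image: bytes) -> bool:
    return xor_crypt(FLEET_KEY, image).startswith(MAGIC)

# --- fixed design: image carries a signature checked with the burned-in public key ---
def build_signed_image(version: int, payload: bytes, priv) -> bytes:
    body = header(version) + payload
    return body + sign(priv, body)

def signed_accepts(image: bytes, pub=VENDOR_PUB) -> bool:
    if len(image) < len(MAGIC) + 2 + SIG_LEN or not image.startswith(MAGIC):
        return False
    return verify(pub, image[:-SIG_LEN], image[-SIG_LEN:])

def demo() -> dict:
    """Run the vendor's image and the attacker's images through both verifiers."""
    genuine, hostile = b"genuine firmware", b"malicious firmware"
    legit = build_signed_image(1, genuine, VENDOR_PRIV)
    return {
        "legacy accepts vendor image": legacy_accepts(build_legacy_image(1, genuine)),
        # Attacker pulled FLEET_KEY out of one unit (assumed scenario); it is the same
        # in every unit, so the legacy check cannot tell this image from the vendor's.
        "legacy accepts forged image": legacy_accepts(build_legacy_image(2, hostile)),
        "signed accepts vendor image": signed_accepts(legit),
        # Attack 1: keep the vendor's signature, swap the payload underneath it.
        "signed accepts spliced payload": signed_accepts(header(1) + hostile + legit[-SIG_LEN:]),
        # Attack 2: sign the hostile payload with the attacker's own key.
        "signed accepts attacker-signed image": signed_accepts(
            build_signed_image(2, hostile, ATTACKER_PRIV)),
    }

if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:40s} {'ACCEPTED' if outcome else 'rejected'}")
```

The design point is that a signature check, unlike a decryption check or an HMAC, needs nothing on the device that could be used to forge an image: every unit holds only the public key, so extracting it from one UPS gains the attacker nothing. A production verifier would use a padded scheme such as RSA-PSS or Ed25519, keep the image encrypted as well, and enforce a minimum version to block rollback to firmware with known bugs.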

One look at these attack targets shows how important it is to protect these networks, especially in the current world political situation, in which Russia has been making efforts to destabilize nations that support Ukraine.

All Western nations are aware of the seriousness of this threat, so much so that, on April 20th, the so-called Five Eyes nations released a joint advisory on the Russian cyber threat. They usually don't do this unless the threat has, in some form, already been realized. The report links to a previous report warning that "Russia continues to target critical infrastructure, including underwater cables and industrial control systems, in the United States and in allied and partner countries, as compromising such infrastructure improves—and in some cases can demonstrate—its ability to damage infrastructure during a crisis." On this note, Armis points out that "the fact that UPS devices regulate high voltage power, combined with their Internet connectivity—makes them a high-value cyber-physical target." This is one step short of saying that Russian government-affiliated hackers have been eagerly awaiting such vulnerabilities to appear, and they are completely aware that, of the tens of millions of devices needing patching, many never will be. Government hackers may be motivated by disrupting major sections of an opponent's infrastructure, while financially motivated private hacking groups may use the same vulnerabilities to launch ransomware attacks. In fact, the Russia-based ransomware group Conti announced that it had attacked Real Time Consultants, a company that manages IT services for HP Enterprise, HP Inc., Microsoft, VMware, Fortinet, Lenovo, and IBM. Hmm, you don't suppose the Russian government would be interested in this connection, do you?

The specific naming of Russia as the culprit in these advisories is somewhat unusual unless these intelligence agencies have proof that such attacks have already occurred and have been traced to one of Russia's APT groups. On April 14th, a joint cybersecurity advisory noted that "certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including: Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers." However, Russia wasn't specifically named.

Vulnerable devices are listed in the Armis post. The main advice for those who have such devices is to install the patches available on the Schneider Electric website. There is just one problem: patches for many of the devices don't yet exist. Schneider therefore advises those with unpatchable devices to, basically, turn them off, which, I suppose, accomplishes much the same thing that an attack would: taking down a network.

In short, the stage is set for a serious cyber attack on U.S. infrastructure. This being the case, it will not be long before you hear about such stories in the news.
