
Siemens Energy Investigating Dark Web Ransomware Claim

Siemens Energy and Schneider Electric, two industrial control system (ICS) vendors for critical infrastructure industries, have been reportedly listed as ransomware victims by cybercrime gang CL0P, though any targeted attacks are yet unconfirmed.

The ransomware gang, also known as TA505, began exploiting a vulnerability in MOVEit Transfer, an internet-facing automated file transfer web application, on May 27, 2023, and it has reportedly listed hundreds of companies worldwide. The group listed Siemens Energy, Schneider Electric, and a batch of other entities as new victims on its dark web leak site, threat intelligence platform FalconFeeds reported in a tweet on June 27.

Siemens Energy told POWER in a statement that it is aware of the notification, and it is continuing to work closely with government partners and customers to determine if the claims are factual or not. “We have a world-class incident response team, and we have a ProductCERT organization that is responsible for disclosing vulnerabilities or incident breaches as they occur,” a company official noted.

CL0P’s Insidious Approach

CL0P has garnered federal scrutiny in the U.S. for its capabilities to infect MOVEit Transfer web applications with specific malware, which is then used to steal data from underlying MOVEit Transfer databases. The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) in a joint Cybersecurity Advisory (CSA) issued on June 7 recommended actions and mitigations to protect against the previously unknown structured query language (SQL) injection vulnerability (CVE-2023-34362).
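The advisory classifies the MOVEit Transfer flaw as a SQL injection vulnerability, the class of defect in which untrusted input is spliced into a database query and ends up being parsed as SQL. The snippet below is an added, generic illustration of that class and its standard fix (parameterized queries); it is not code from MOVEit Transfer, from Progress Software, or from the CISA advisory, and it says nothing about how CVE-2023-34362 itself works. The user table, the lookup functions, and the hostile input are all constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string formatting: the defect behind SQL injection.

    Whatever the caller passes becomes part of the SQL text, so a value that
    contains a quote character can change the meaning of the WHERE clause.
    """
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Binds the value as a query parameter: the input is data, never SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Runs the same hostile and legitimate inputs through both lookups."""
    conn = build_db()
    # Constructed hostile input: a tautology that turns the WHERE clause true
    # for every row when it is spliced into the query text.
    tainted = "x' OR '1'='1"
    return {
        # Formatting the input into the query returns every user.
        "vulnerable_rows": len(lookup_vulnerable(conn, tainted)),
        # Binding it as a parameter looks for a literal username and finds none.
        "hardened_rows": len(lookup_hardened(conn, tainted)),
        # The hardened version still serves normal requests correctly.
        "hardened_legit": lookup_hardened(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that the parameterized version needs no input filtering to be safe: the database driver never interprets the bound value as query syntax, which is why CISA-style hardening guidance for web applications leads with parameterized queries rather than with blocklists of suspicious characters.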

“Appearing in February 2019, and evolving from the CryptoMix ransomware variant, CL0P was leveraged as a Ransomware as a Service (RaaS) in large-scale spear-phishing campaigns that used a verified and digitally signed binary to bypass system defenses,” CISA said.

Among the steps CISA recommends to prevent or mitigate impacts are that entities perform an asset and data inventory, grant only specific administrative privileges, and activate security configurations on network infrastructure devices such as firewalls and routers.

Figure: The joint CISA/FBI Cybersecurity Advisory (CSA) on the MOVEit Transfer SQL injection vulnerability (CVE-2023-34362), issued June 7. Source: CISA

In addition, the U.S. State Department, under its Rewards for Justice mission, on June 16 offered up to a $10 million bounty for tips that link the CL0P ransomware gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government.

Siemens Energy Stresses Investigations Are Underway

Siemens Energy, a company vastly invested in industrial cybersecurity, has jumped into action, and investigation teams are working to verify the attack, a company official said. As with most industry entities, the company communicates its official position to the Electricity Information Sharing and Analysis Center (E-ISAC), the North American Electric Reliability Corp.’s (NERC’s) threat intelligence sharing network. Siemens Energy customers also share information through its ProductCERT team, which manages all security-related issues in Siemens Energy products, solutions, and services, the official said.

“As these things evolve in real-time, our ability to describe what happened and how it happened will become more accurate,” the official added. “We are at the point of initial investigation and response to the posting from the CL0P ransomware group.”

The first 48 hours typically involve “a lot of information gathering from internal and external parties to make sure that we’re factually reporting the state of what’s happening,” the official noted. “Likely, over the next several days and weeks, additional information will continue to come out, and behind the scenes, we will continue to work with our industry partners and customers directly,” he said. 

Ransomware Threats for OT Environments

NERC in its newly released State of Reliability 2023 report has highlighted ransomware's growing threat to the power sector. Over 2022, while no customer or bulk power system outages related to cyber attacks were reported, the designated U.S. electric reliability organization (ERO) said it received eight reports of cybersecurity incidents or attempted compromises under reliability standard CIP-008-6.

Ransomware did not affect the bulk power system during 2022, but E-ISAC has warned that threats continue to target critical infrastructure. Federal entities are specifically watching the development of ransomware code that targets information technology (IT) and operational technology (OT) environments.

Ransomware “continued to impact the industry and key vendor suppliers,” NERC noted. “While financial gain is often the primary motive of the transnational ransomware gangs, several of these groups may also operate with the tacit support of nation-state adversaries like Russia and China.”

In 2022, meanwhile, the FBI received more than 800 ransomware criminal complaints from critical infrastructure operators. This included 15 from energy sector entities like electricity asset owners and operators. “The top ransomware variants included LockBit, ALPHV/BlackCat, and Hive. Ransomware gangs also targeted trusted third-party electricity contractors like engineering firms, construction services, and original equipment manufacturers.”

E-ISAC has served a crucial role in providing industry awareness of these events through all-points bulletins, the entity said. E-ISAC is also notably collaborating with industry and government experts to develop the “ICS ‘Shields Up’ Considerations for the Electricity Industry,” a notice for its members to assist entities in improving their response to OT malware and ransomware threats. In addition, CISA recently began a #StopRansomware Campaign to help businesses and infrastructure operators of all sizes in preparing for these types of attacks.

Sonal Patel is a POWER senior associate editor (@sonalcpatel@POWERmagazine).

Editor’s Note: This story is currently evolving and subject to change. We encourage you to revisit this article or check our website for the latest updates.
