Follow-up: Report of another PLC compromised using cyber means

(cross-posted from the SCADASEC mailing list; the posting was a reply from Marina Krotofil)

A couple of other friends reached out and asked for more details and more thoughts, so I wanted to add a couple more things. Note that I do not have visibility into the EXACT configuration of the LvivTeploEnergo infrastructure, which is insanely complex and has many unique individual engineering ways of connecting central district heating points and Individual Heating Elements (IHUs) in the individual apartment buildings. So, here are a few more bullet points of additional thoughts.

1. I will start with the sample. The discovered sample is a generic modbus client capable of reading and writing analog outputs (basically 0-100% values). Full stop. It is not programmed to interact with the digital inputs/outputs (anything that is ON/OFF, etc.). Next, the only relation to ENCO devices that can be identified in the sample is the IP address in Romania, which points to an ENCO device. So this specific client was tested for its functionality on that device in Romania. We cannot know if the operator of the modbus client was interested in ENCO or randomly selected ENCO because <insert random reason>. It is a big stretch to say that the tester of the malware sample was interested in ENCO devices and that the sample had something to do with the incident in Ukraine. The fact that the 324 IHUs in Ukraine simply stopped executing their function (stopped working) and needed to be restarted manually is not consistent with the analog capabilities of the discovered sample. Also note that the sample developer/tester is not necessarily the executor of the attack. In state-sponsored campaigns, the tool developers are normally not the same people who operate the tools later (I saw this in the other large attacks). However, in the case of hacktivists or autonomously supporting groups, I could imagine that the same person is attempting to develop a capability to interact with exposed control devices and then goes on a spree to try and cause as much havoc as possible.

2. In my previous email I included a link to the tender documentation from LvivTeploEnergo to purchase ENCO devices. The tender is dated Feb. 2024; however, we are interested in the overall knowledge of how LvivTeploEnergo uses this type of device. And the purpose is to read data from the heat meters and deliver status data. This is described in the Tech Spec document Додаток 2.docx (Appendix 2): <https://public.api.openprocurement.org/api/2.5/tenders/aa09ce438c7a4c12a818d97e4607fc47/documents/6290b8571fd84bf6ba5b933a05fc132d?download=97b3bfc02d6047148c98362eceab3dc7>.


The data are sent to the central server (or, more precisely, requested by it) and are displayed in the “dispatcher” (control) room. There is no mention of supporting the modbus protocol, only that M-Bus could eventually be converted into modbus (a very short sentence). Something like: M-Bus is used to read the data from the meters, and then the “optimized” data can be further transmitted via modbus. Not many details are provided, but it is clear that if modbus is used, it is only to transfer readings. Given what is being sold on the Ukrainian market for exactly the same purposes mentioned in the tender, the devices in question are ENCO data loggers (listing title translated from Ukrainian): “Universal controller eNco DATALOGGER, ENCO data concentrator (data logger) with GPRS modem and antenna (Lithuania) for SENSUS meters, sales, price of an ENCO terminal in Kharkiv, ENCO GSM / GPRS modem from the enterprise ElMisto, 324662” (elmisto.com.ua) <https://elmisto.com.ua/ua/p397625295-universalnyj-kontroller-enco.html>. The control function of the device refers to “data control” and not to control of physical processes. To conclude, the attack scenario proposed by Dragos is, in general, not compatible with how the heating system works in Ukraine and with how ENCO devices are likely used in Lviv. It is also very important(!) to re-emphasize that we simply don’t know if the ENCO devices were targeted/affected in the Lviv incident at all! There is no such evidence. We only speak about ENCO devices because the hard-coded IP address in the json configuration file on Virus Total points to an ENCO device in Romania. There are no exposed ENCO devices in Lviv at present (on Shodan). One can speculate that the devices might have been taken offline, but it would be a highly stretched speculation. Knowing my native country, I doubt something like this would happen. It is likely that such devices were never exposed in Lviv. Again, we will never know.

3. It is hard to tell what exactly happened in Lviv. Definitely nothing serious. I lost the link to the page (but I will find it), but I saw a screenshot of the job list status where the disconnection of the IHUs was registered as a job task at 8:35 am, and already by 9:30 am 175 IHUs had been manually restarted. Without knowing the exact configuration and programming of the entire related system, it is hard to know what caused the IHUs to stop working. But it is exactly the stoppage of the IHUs that caused the interruption in the heating supply.

4. I am very disappointed in the Wired article and specifically in Andrew Greenberg. He used to be a thorough journalist who was trusted. This time he went too far. I don’t know what caused his decision to publish an article with unverified facts, as he clearly stated that “Lvivteploenergo didn’t respond to WIRED’s request for comment, nor did the SBU. Ukraine’s cybersecurity agency, the State Services for Special Communication and Information Protection, declined to comment.” So his only source of “truth” was Dragos employees. Andrew did not even cross-examine the easily findable facts such as the number of affected buildings and the duration of the heating supply outage. Instead, he chose to dramatize as if a large part of the population was left without heating for 48 hrs, whereas 50% of the heating supply was restored by the time people woke up. And of course, the very stretched statement of the random Virus Total sample being related to what happened in Lviv was not verified at all. Andrew did not even reach out to anybody in the community for their opinion. This is not good journalism. This is more like “yellow pages” type journalism. It is like gossiping. And it gives the impression that Andrew “owes something” and is “much obliged” to publish even without strong evidence. I don’t know. I am speculating. But the optics are not good for Andrew. The worst is that the Wired article has now been republished by Forbes Ukraine and many other news outlets. This is not helpful for industrial security and not good in general, because people tend to trust reputable media outlets.

http://scadas.ec

SCADASEC Magazine's top priority and goal is to provide education and training awareness programs for both public and private sectors, as well as for the general public.
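Editor's note on point 1 of the posting above. The distinction the poster draws (a client that reads and writes analog 0-100% values versus one that can flip ON/OFF digital I/O) maps directly onto Modbus function codes: holding/input registers are addressed by FC 03/04/06/16, coils and discrete inputs by FC 01/02/05/15. The following is an added example written for this page; it is not code from the VirusTotal sample, from ENCO, from Dragos, or from the poster. It builds Modbus/TCP request frames and parses them back, labelling each request as analog or digital and read or write, so that a captured request can be checked against the capability claimed for a tool. The 0-100% to raw-register scaling (percent_to_register, full scale 10000) is an assumed convention, not a documented ENCO register map, and the sample frames are constructed, not captured from any device. Nothing here touches the network; it only handles bytes.

```python
import struct

# Public Modbus function codes (Modbus Application Protocol spec).
FC_READ_COILS = 0x01               # digital
FC_READ_DISCRETE_INPUTS = 0x02     # digital
FC_READ_HOLDING_REGISTERS = 0x03   # analog
FC_READ_INPUT_REGISTERS = 0x04     # analog
FC_WRITE_SINGLE_COIL = 0x05        # digital
FC_WRITE_SINGLE_REGISTER = 0x06    # analog
FC_WRITE_MULTIPLE_COILS = 0x0F     # digital
FC_WRITE_MULTIPLE_REGISTERS = 0x10 # analog

DIGITAL_FCS = {0x01, 0x02, 0x05, 0x0F}
ANALOG_FCS = {0x03, 0x04, 0x06, 0x10}
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}


def mbap_frame(transaction_id, unit_id, pdu):
    """Wrap a PDU in an MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def write_registers_request(tid, unit, start_addr, values):
    """FC16 request: write 16-bit holding registers (an analog write, as the post describes)."""
    data = b"".join(struct.pack(">H", v & 0xFFFF) for v in values)
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE_REGISTERS, start_addr, len(values), len(data)) + data
    return mbap_frame(tid, unit, pdu)


def write_coils_request(tid, unit, start_addr, bits):
    """FC15 request: write ON/OFF coils, packed LSB-first, eight per byte (a digital write)."""
    packed = bytearray((len(bits) + 7) // 8)
    for i, bit in enumerate(bits):
        if bit:
            packed[i // 8] |= 1 << (i % 8)
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE_COILS, start_addr, len(bits), len(packed)) + bytes(packed)
    return mbap_frame(tid, unit, pdu)


def classify_request(frame):
    """Parse a Modbus/TCP request and report whether it touches analog registers or digital coils."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id is not 0 (not Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    kind = "analog" if fc in ANALOG_FCS else "digital" if fc in DIGITAL_FCS else "other"
    info = {"tid": tid, "unit": unit, "fc": fc, "kind": kind, "write": fc in WRITE_FCS,
            "start": None, "count": None, "values": None}
    if fc in (FC_READ_COILS, FC_READ_DISCRETE_INPUTS, FC_READ_HOLDING_REGISTERS, FC_READ_INPUT_REGISTERS):
        info["start"], info["count"] = struct.unpack(">HH", pdu[1:5])
    elif fc == FC_WRITE_SINGLE_REGISTER:
        info["start"], value = struct.unpack(">HH", pdu[1:5])
        info["count"], info["values"] = 1, [value]
    elif fc == FC_WRITE_SINGLE_COIL:
        info["start"], value = struct.unpack(">HH", pdu[1:5])
        if value not in (0x0000, 0xFF00):          # spec: only these two encodings are legal
            raise ValueError("FC05 value must be 0x0000 or 0xFF00")
        info["count"], info["values"] = 1, [int(value == 0xFF00)]
    elif fc == FC_WRITE_MULTIPLE_REGISTERS:
        info["start"], info["count"], byte_count = struct.unpack(">HHB", pdu[1:6])
        if byte_count != 2 * info["count"] or len(pdu) != 6 + byte_count:
            raise ValueError("FC16 byte count inconsistent with register count")
        info["values"] = list(struct.unpack(">%dH" % info["count"], pdu[6:]))
    elif fc == FC_WRITE_MULTIPLE_COILS:
        info["start"], info["count"], byte_count = struct.unpack(">HHB", pdu[1:6])
        if byte_count != (info["count"] + 7) // 8 or len(pdu) != 6 + byte_count:
            raise ValueError("FC15 byte count inconsistent with coil count")
        info["values"] = [(pdu[6 + i // 8] >> (i % 8)) & 1 for i in range(info["count"])]
    return info


def percent_to_register(percent, full_scale=10000):
    """Scale a 0-100 % setpoint to a raw register value. full_scale is an ASSUMED convention,
    not a documented ENCO register map; real devices define their own scaling."""
    if not 0 <= percent <= 100:
        raise ValueError("percent out of range")
    return round(percent * full_scale / 100)


if __name__ == "__main__":
    # Constructed sample traffic, not captured from any real device.
    analog = write_registers_request(1, 1, 0, [percent_to_register(75)])
    digital = write_coils_request(2, 1, 0, [1, 0, 1])
    for f in (analog, digital):
        print(f.hex(), classify_request(f))
```

Run against a pcap-extracted request, classify_request gives a quick answer to the question the post raises: a client that only ever emits FC 03/04/06/16 traffic cannot switch a coil, whereas stopping a unit outright would typically need a digital write (or an out-of-band cause) that such a client does not generate.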