Thursday, July 10, 2014

Cyber Espionage Campaign Hits Energy Companies

Over the past couple of weeks, cybersecurity vendors have announced the uncovering of a successful cyber espionage campaign carried out by the Dragonfy hacking group. In the most recent string of attacks, Dragonfly (also referred to by the name Energetic Bear) has targeted multiple US and European energy companies, successfully looting valuable process information in what appears to be the next step in the cyber warfare campaign against critical infrastructure organizations, after Stuxnet in 2010. Cybersecurity vendors have scrutinized the campaign and presented an analysis of the malware employed by Dragonfy to steal information from the infected computers.

Yesterday, a short paper I co-authored with Security Matters was released. This short paper revisits the main points of this investigation, including additional details into the specifics of the components of the campaign that exploit industrial control systems. This paper also illustrates why the implementation of a defense-in-depth (DiD) strategy is key to successfully counter cyberthreats like Dragonfly. One of the key aspects of improved DiD involves improving situation awareness within industrial architectures. SilentDefense ICS is one key element in the overall process of gaining insight into your ICS architectures allowing early detection and rapid mitigation of cyber threats.

A complete copy of the paper is available by clicking here.

I am currently actively engaged in research of the campaign and the malware employed. In the coming weeks, I will also be releasing another paper that will discuss in details the overall campaign, how the various pieces of the attack are being deployed, and how they are being used against companies relating to industrial automation and control. Stay tuned to and follow watch my Twitter feed for additional release details.

Tuesday, July 1, 2014

DragonFly/Havex Resource Page Now Available on

Today, I am happy to announce the launch of a new page on devoted to provided timely and relevant information relating to the Dragonfly/Havex campaign. Like resource pages developed in the past for Stuxnet and Duqu, this page will provide a one-stop location for key resources pertaining to industrial control systems as used in this campaign, including Technical Reports, White Papers, ICS-CERT Advisories and Alerts, Press Reports, and other pertinent information.

The site will also include a dynamic Twitter feed tracking related posts utilizing hashtags #havex, #dragonfly, and #energeticbear.

If there is anything that you find that could be of use to the general community, please feel free to share this by sending me an email.

Dragonfly/Havex Resource Page on

Monday, May 5, 2014

Presentation for upcoming ICSJWG "Can you hear me now? Standing up a Security Event Management System to improve Situational Awareness"

I am honored to again be presented at the Industrial Control System Joint Working Group (ICSJWG) meeting scheduled for June 3-5 in Indianapolis, Indiana. I will be participating in a panel discussion on Heartbleed and its impact to control systems where I will be sharing some of my research findings and sharing with you my point-of-view based on ICS systems at large.

I will also have a session presentation entitled "Can you hear me now? Standing up a SEM to improve Situational Awareness". This sessions in tentatively scheduled for Wednesday, June 4 at 1:00-2:00pm.

I am looking forward to seeing many of you

Thursday, April 17, 2014

Why "Heartbleed" will only require a Band-Aid in more most ICS installations

(This article was originally posted on ISSSource on April 16, 2014 by Gregory Hale with contributions from Joel Langill)

Heartbleed may need a band aid to fix various small wounds in the industrial control environment, but it surely does not need open heart surgery.

Tuesday, March 18, 2014

Recent development of ICS exploits continues upward trend of security research

In performing my daily rounds on news feeds and websites, I noticed a lot of recent developments in open-source exploit modules targeting industrial control systems. One very important part of a well-rounded ICS Security Management System (IACS-SMS per ISA 62443 terminology) is situational awareness of the actual risks facing industrial systems in terms of both vulnerabilities disclosed and the ease in converting these proof-of-concept (PoC) disclosures into workable exploit modules.

Wednesday, January 22, 2014

Gleg releases Ver 1.31 of the SCADA+ Exploit Pack for Immunity Canvas

Gleg announced last week (January 16) the release of version 1.31 of the SCADA+ Exploit Pack for the Immunity Canvas framework.

A summary of recent releases includes:
  • Version 1.30 was released on December 13, 2013
  • Version 1.29 was released on November 22, 2013
  • Version 1.28 was released on October 7, 2013
  • Version 1.27 was released on September 6, 2013
  • Version 1.26 was released on August 14, 2013
  • Version 1.25 was released on July 5, 2013
  • Version 1.24 was released on May 14, 2013
  • Version 1.23 was released on April 22, 2013
  • Version 1.22 was released on February 27, 2013
  • Version 1.21 was released on February 7, 2013
  • Version 1.20 was released on December 21, 2012
  • Version 1.19 was released on November 8, 2012