Brian Krebs breaks a big story in the ICS security world — Telvent has been informing customers they have been compromised by the Comment Group.
Over the past two decades Telvent has dominated the oil and gas pipeline SCADA market. In recent years they have moved aggressively into the smart grid market and were acquired by Schneider Electric.
According to the Krebs reporting, “Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA.” This is Telvent’s flagship SCADA product. There are at least three potentially serious consequences of this compromise:
- The attackers used their presence on the Telvent network to pivot and compromise the Telvent customer SCADA systems that were connected to the Telvent network. Vendors typically connect to their customers for weeks during deployment and periodically for maintenance and support after deployment. Krebs reports that Telvent has terminated the usual method of connecting to customers and deployed a new method.
- The attackers used their presence on the Telvent network to modify project files that were in the deployment phase. The system would be compromised before it was commissioned.
- The attackers used their presence on the Telvent network to download the customer project files for a future attack — think future Stuxnet. If an attacker were going to attack a process in a sophisticated manner, they would need time and talent to study the project files and essentially reverse engineer the process.
If this Comment Group is the same as Comment Crew, then these are likely the same people who sent spear phishing email to Digital Bond and EnergySec. They are going after the ICS energy sector, and Telvent is almost certainly not the only vendor being targeted or compromised. In fact, I would be worried if a large asset owner or vendor in the energy sector is not detecting these attacks. Little Digital Bond and non-profit EnergySec must be rather low on the list of energy sector ICS targets.