Chemical Engineering

Industrial control system vendors reportedly appear on ransomware attack list

By Scott Jenkins

Siemens Energy (Munich, Germany; www.siemens-energy.com) and Schneider Electric (Rueil-Malmaison, France; www.se.com), two vendors of industrial control systems for critical infrastructure facilities, were reportedly among a group of companies and organizations that have been added to a list of ransomware cyberattack victims by the cybercrime unit known as CL0P.

Although the claims surrounding a possible CL0P ransomware attack on the companies have not been confirmed at this point, Siemens Energy provided Chemical Engineering with a statement that the company is aware of the claim, and is actively working with U.S. government agencies and customers to determine whether the claims are factual or not.

“We have a world-class incident-response team and we have a product service organization that is responsible for disclosing vulnerabilities or incident breaches as they occur,” a Siemens Energy official said.

Since May, the CL0P cybercriminals have reportedly made ransomware cyberattack claims against hundreds of companies and organizations. The two industrial control system companies reportedly were among the latest batch of targets, which also includes the University of California at Los Angeles and the pharmaceutical company AbbVie. 

CL0P has been drawing scrutiny from U.S. cyberdefense groups for its ability to exploit a vulnerability in the file-transfer application MOVEit. On June 7, the U.S. Cybersecurity & Infrastructure Security Agency (CISA; Washington, D.C.; www.cisa.gov) issued a joint cybersecurity advisory (CSA) with the U.S. Federal Bureau of Investigation (FBI; Washington, D.C.; www.fbi.gov) regarding the vulnerability.  

“The CL0P Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL [structured query language] injection vulnerability in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer,” the CSA says. “Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases,” it continues.

The alert provides information on the tactics, techniques and procedures used by CL0P and provides guidance on actions to reduce the impact of CL0P ransomware.

“As these things evolve in real-time, our ability to describe what happened and how it happened will become more accurate,” the Siemens official said. “We are at the point of initial investigation and response to the posting from the CL0P ransomware group.”

The U.S. State Department has offered a reward of up to $10 million for “information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).”