Sponsor/Advertisement Voice (11:15)

At talas. They know cyber security can be tough and you can't protect everything, but with Talas you can secure what matters most. With Thales industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest roi. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most applications, data and identity. That's Thales. T H A L E S learn more@thalesgroup.com Cyber what's your 2am Security worry? Is it do I have the right controls in place? Maybe are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows. Using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started@vanta.com cyber that's v a n t a dot com cyber.

Maria Varmazes (13:07)

Dave Bittner recently sat down with Emily Austin, principal security researcher at Census, as they discuss why nation state attackers continue targeting critical infrastructure. Here's their conversation.

Dave Bittner (13:21)

The biggest summary statement I could give around this is that critical infrastructure is it's still exposed on the Internet. This is not a new problem. This is a problem the security community has been talking about for years. But unfortunately there's still interesting and enticing targets for nation state actors, for hacktivists, you name it. They're quite enticing as far as that goes.

Sponsor/Advertisement Voice (13:45)

Well, let's dig into some of the details of the research you and your colleagues have done here recently. You were looking at things going on with Iranian devices.

Dave Bittner (13:56)

Yeah, so devices that were actually being targeted by Iran in the past. So over the summer, you know, there was this uptick in kinetic activity in that region and the U.S. department of Homeland Security actually issued an advisory in June warning against a heightened threat environment in the us and then a few days later, CISA came out with an alert as well, telling critical infrastructure operators in the US to stay vigilant for targeted activity by Iranian threat actors. And at Census for the last, I'd say two years or so, we've really focused in different ways on understanding the industrial control systems exposure landscape. And one of the questions that I had was, well okay, we know that Iranian threat actors have gone after particular types of critical infrastructure before. What do we see in terms of things that we know that they've targeted before or been interested in before? And that's really kind of where this research started, was wanting to kind of measure. So, so what do we see? What is the potential blast radius of industrial control systems that they might be interested in?

Sponsor/Advertisement Voice (15:04)

Well, let's get into some of the details together here. What did you discover?

Dave Bittner (15:08)

Yeah, so we whittled down the list. There is quite a long list, but I ended up going with four different device types that, you know, again, have been previously targeted or known to be of interest. And that included things like Unitronics Vision PLC or PAC Site Omat, Fuel automation systems, any kind of Red lion equipment or things running the Tritium Niagara framework. And the way we chose that one was actually kind of interesting, I think. So it was based on a 2024 report from OpenAI where they were reporting on influence and cyber operations that they identified on their platform. And in this report they actually were addressing activity that they'd attributed to an Iranian linked hacktivist group called the Cyber Avengers. This group apparently had used OpenAI models to conduct research on different types of ICS devices, asking about different types of industrial routers, PLCs, utility companies in certain regions, and also looking for default passwords for different types of devices. And that included Tritium Niagara devices. So we wanted to look at that as well. We thought that was kind of an interesting perspective.

Sponsor/Advertisement Voice (16:17)

Well, can you put that in perspective for us as to what those devices are used from and the potential impact here?

Dave Bittner (16:25)

Yeah, so just kind of at a high level. So Unitronics makes PLCs and HMIs and things like that. Most of these are software that you can find on the Internet through a browser, through vnc, through rdp. And they're essentially used to manage or monitor industrial control processes. You know, in the case of Unitronics, a few years ago, there was an attack, I think it was in late 2023, where Iranian actors were targeting these devices and defacing them. And there were a couple of water plants in the United States that were affected. So they control a variety of processes that relate to energy, water, power, things like that. Things that we do consider very critical. You know, the ORPAC Site OMAT things, those are fuel station automations, types of software, fleet management. Tritium Niagara is used often in building automation and for like H VAC and alarms and security systems and things like that. So kind of a variety of different types of uses, purposes of these types of software. So lots of different ways to potentially have an impact, unfortunately.

Sponsor/Advertisement Voice (17:36)

And what sort of access do the Iranians seem to be gaining here?

Dave Bittner (17:41)

So in the cases that we looked at, right, and what we are aware of from previous research, because again, we can't really see attack traffic, we just, we see exposures, we see exposure numbers. But from what we've seen, a lot of these things are access through default credentials. So these interfaces will be available through your browser, available through an RDP session, and they'll use default credentials. And so maybe you can go in and toggle on or off an alarm, or you can maybe change levels of chemicals added to wastewater treatment or water treatment things. Lots of different opportunities to affect processes. Fortunately, it doesn't seem like any of these, the attacks that we've seen reported on sort of a TLP clear sense have been catastrophic in nature, at least in this realm. But it certainly does raise questions around the security of these devices, the management of these devices, and kind of the onus on the manufacturers to make sure that they're not shipping with really insecure default settings.

Sponsor/Advertisement Voice (18:49)

Do you have any sense for how broad the Iranians interest might be here? In other words, do they seem to have specific interests in specific types of critical infrastructure or do they just go where they have access?

Dave Bittner (19:07)

So I think it sort of depends, at least in the cases that we've looked at. And again, I'm not an expert necessarily in Iranian threat operations, but based on reporting that I've, that I've read and have, have come to understand, I think it really sort of depends on the group behind it, whether we're talking about like actual nation state affiliation or sort of hacktivism in some ways. And so I think that starts to be where, where things diverge a little bit. Whereas, you know, the hacktivist groups will want to deface things, they'll want to say, you know, look at us, here's what we're doing, you know, down with this country, down with this government, down with these people. Whereas an actual nation state might be more motivated to be a little more stealthy, a little bit more quiet, and potentially a little more disruptive.

Sponsor/Advertisement Voice (19:54)

Well, based on the information you've gathered here, what are your recommendations then for organizations to best protect themselves?

Dave Bittner (20:01)

Yeah, so I think this is boring, you know, and I feel like anytime that someone's asked about this, it's the same thing. It's, you know, these systems really shouldn't be exposed directly to the Internet. This is just not a good practice. So if you are a critical infrastructure operator, regardless of your sector. Try not to put these things online, put them behind a vpn, put them behind a firewall, use some kind of protection so that they aren't just sitting out on the Internet. But I also think there's a burden on the manufacturers as well that I don't think we talk about quite as much because at least two of the four systems that we studied in this particular research shipped or used to ship with default credentials, which is just, I mean it's 2025. Like we can't do that anymore. We never should have done it, but we really can't do it now. And I will say one of the manufacturers, Unitronics, who used to ship with default credentials, they actually, after that 2023 campaign I mentioned with their HMIS being defaced about a month later, they actually pushed a patch that removed the default admin username and password. So there' effort. But I think we need to see it maybe a little bit more widespread from these manufacturers.

Maria Varmazes (21:17)

That was Dave Bittner sitting down with Emily Austin from Census discussing why nation state attackers continue targeting critical infrastructure. And finally, British retailer Next has discovered that one company's cyber misfortune can be another's sales strategy. In a trading update on Wednesday, Next credited favorable weather and competitor disruption, translation marks and Spencer's cyber meltdown for a tidy 7.6% sales jump and a 30 million pound profit boost. M and S while still nursing its digital hangover after months of outages, expected to lose around £300 million this year. And while Next, Zara and H and M cashed in, retailers without robust online stores didn't see the same windfall. Meanwhile, Jaguar Land Rover's separate cyber incident wiped 1.9 billion pounds off of the British economy, a very sobering reminder that not all disruptions come with silver linings. Lawmakers say that stronger cybersecurity laws can't come soon enough.

Sponsor/Advertisement Voice (22:43)

Foreign.

Maria Varmazes (22:49)

And that's the CyberWire. For links to all of today's stories, check out our daily briefing@thecyberwire.com and be sure to join us for a new research Saturday, where Dave Bittner sits down with Dario Pasquini, principal researcher at rsac, discussing the team's work on when AI ops become AI. Oops, Subverting LLM driven IT operations via telemetry manipulation. And that is research Saturday, folks. Definitely check it out. And that's the Cyberwire Daily, brought to you by N2K CyberWire. We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K senior producer is Alice Carouse. Our producer is Liz Stokes. We are mixed by Elliot Peltzman and Trey Hester with original music by Elliot Peltzman. Our Executive Producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Maria Varmazas in for host Dave Bittner. Thank you for listening. Have a lovely weekend.

Sponsor/Advertisement Voice (24:30)

Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, DC. Discover the startups building the future of cyber. Learn more at cid Datatribe. Com.