In response to the news that the International Atomic Energy Agency (IAEA) systems have been infected with an unknown data-stealing malware, Tim Erlin, director of IT risk and security strategy, at Tripwire has made the following comments:

“Without knowing what data was actually compromised, it’s hard to speculate about the motivation behind this attack. While the International Atomic Energy Agency (IAEA) may feel that they are protecting themselves by not disclosing that information, it ultimately makes it harder for other similar organizations to protect themselves.

It appears that the malware in question copied, and one assumes transmitted, information from USB drives. It’s interesting to note that the USB drive appears to have been the victim, not the vector in this case. It may be that these systems were specifically targeted because the attackers knew they would be used in this manner.”

CTO of Tripwire, Dwayne Melancon, also had these comments to make too:

I expect this sort of attack against critical infrastructure to continue and increase in the future – after all, the disruption and psychological impact of these sorts of attacks can be irresistible to bad actors.  In this particular case, I’m concerned about the claim that “no data was affected or compromised.”  Such categorical claims are difficult to substantiate when you’re dealing with malware like this, and the IAEA’s security practices have permitted the infected USB drives to introduce the infection into their environment already.  Hopefully, they are exercising enough security configuration management to enable an audit of the system state of all of their infrastructure – otherwise, they may still be compromised and not even realize it.

Furthermore, the IAEA claims they’ve taken appropriate steps to mitigate the risk of additional attacks.  This is promising, as many critical national infrastructure providers are notoriously behind the curve when it comes to implementing strong security controls such as continuous diagnostics and mitigation, system state intelligence, and other practices consistent with recognized frameworks like the Top 20 Critical Security Controls. (