Mandiant: 1 in 7 Ransomware Extortion Attacks Exposes OT Data

Analysis of "shaming site" data dumps found sensitive documentation from OT organizations, including oil and gas.

Ransomware gangs often up their game by extorting their victims on so-called shaming sites, where they dump the stolen information to pressure the victims to pony up and pay ransom. According to a new analysis of these attacks by incident response provider Mandiant, one in seven of those extortion incidents exposes sensitive operational technology (OT) information stolen from industrial victims in the attacks.

Mandiant says more than 1,300 OT organizations in critical infrastructure and industrial production were hit by these so-called "multifaceted extortion" attacks in 2021. In a sampling of those victim cases, Mandiant said stolen OT data included detailed network and process documentation from two oil and gas organizations; admin credentials for an OEM to a manufacturer of trains, as well as backups for Siemens TIA Portal PLC project files; and product diagrams and source code for a platform that tracks automobile fleets via GPS for a satellite vehicle-tracking service provider, among other sensitive documents.

"Access to this type of data can enable threat actors to learn about an industrial environment, identify paths of least resistance, and engineer cyber physical attacks. On top of this, other data also included in the leaks about employees, processes, projects, etc. can provide an actor with a very accurate picture of the target’s culture, plans, and operations," Mandiant said in its report.

The Mandiant report is available online.