As industrial network operators and their security teams operate on high alert over worries of potential disruptive attacks by Russian nation-state-controlled hacking teams amid the escalating crisis in Ukraine and US sanctions on Russia, the reality for most of them has been a painful surge in ransomware attacks over the past year.
Real-world incident response investigations in 2021 by teams at Dragos and IBM X-Force overwhelmingly revealed that the hottest operations technology (OT) target is the manufacturing sector, and the main weapon attacking these organizations is now ransomware. Two ransomware groups, Conti and LockBit 2.0, executed more than half of all ransomware attacks on the industrial sector, 70% of which were aimed at manufacturing firms – making manufacturing the No. 1 OT industry hit with ransomware last year, according to a newly published report from Dragos.
While Colonial Pipeline's and JBS's ransomware attacks were the most high-profile in that sector, there were others that didn't go public. "A significant number of cases go unreported ... there are a lot that just don't make the news," says Rob Lee, founder and CEO of Dragos, which responded to 211 ransomware attack cases at manufacturing firms last year.
This dubious distinction for the manufacturing industry should come as no surprise: Over the past two years the sector increasingly has been in the bullseye of cyberattacks, especially as ransomware gangs have begun to take advantage of the increased pressure on manufacturers during the pandemic.
"They are always targeting industries or organizations under pressure because pressure leads to better outcomes or payment for them," says Charles DeBeck, senior cyber threat intelligence analyst at IBM Security X-Force. Manufacturing firms generally can't afford downtime, and the pandemic squeezed them even more as supply chains slowed.
According to incident-response (IR) cases investigated by IBM X-Force, more than 60% of incidents at OT firms last year were against manufacturers, and manufacturing surpassed financial services as the most-attacked vertical (23.2%) investigated by X-Force's incident response team last year. Ransomware accounted for 23% of those attacks.
But the relatively "good" news was that the majority of attacks were on IT networks in the industrial sector, with just a few on their OT networks. "IT networks are well-trodden ground, and a lot of [attackers] know how to [target them]," DeBeck says. "[Direct] OT attacks are not that common."
That's because it takes time for a threat actor to gather intelligence on an OT network and the industrial processes it runs. According to Dragos, it takes about three to four years for a threat group to gather enough intelligence about a victim OT network to wage a significant attack on it. But Lee notes that several of the threat groups Dragos has been tracking during the past five years are well "inside that window" and could take their attacks to the next disruptive or destructive level.
Last year Dragos also discovered three "new" threat groups it had not previously encountered in OT. It named them Kostovite, Petrovite, and Erythrite. Both Kostovite and Erythrite had made their way to victims' OT networks.
Kostovite focuses on renewable energy targets in North America and Australia. It infiltrated a major operations and maintenance company's OT infrastructure, breaking into the firm by exploiting a zero-day flaw in the Ivanti Pulse Connect Secure VPN for remote access. The firm, which Dragos did not name, maintains and operates SCADA systems for wind and solar farms in the US and Australia. The attackers got into the firm's monitoring and control servers.
"They compromised the O&M firm and pivoted down and got into OT networks of numerous power generation sites and plants" across the US and Australia, Lee said during a press briefing on Dragos' report.
To remain under the radar, the hackers used only legitimate, resident tools in the victim network as they stole credentials and then pivoted to some of the firm's clients' OT networks. According to Dragos, Kostovite's M.O. and tactics, techniques, and procedures (TTPs) overlap with those of a Chinese APT dubbed UNC2630 by Mandiant.
But unlike traditional Chinese APT groups, Kostovite had more than intellectual property theft or cyber espionage on its agenda: The attackers were in servers that could turn off some power generation, for example. "It wasn't just getting in to steal IP," Lee said. "Based on our analysis, everything points to long-term access for future disruptive actions."
"This looks as close as we've been in a long time to an adversary that has the intent to do some disruptive actions," Lee explained. Even so, Lee said the O&M firm was quick to react once the attack was detected, and "at no time was there real risk to people," he said. The attackers had been inside the O&M firm network for about a month before Dragos performed its IR engagement.
"That was the most alarming" case for Dragos, Lee said. "One vendor and multiple power companies across multiple countries" could have been at risk, he said.
Erythrite, meanwhile, appears to be a new threat group that goes after Fortune 500 food and beverage, electric, oil and gas, and IT service providers who support the industrial sector, for example, according to Dragos. Some 20% of the Fortune 500 have been attacked so far by the group, including one whose OT network was compromised, Lee said.
"It's consistently trying to get into the IT networks of various industrial firms," he said. Erythrite also uses SEO poisoning, artificially boosting the search engine ranking of websites hosting its malware – for its initial attack vector, and has some similarities to Solarmarker.
A recent Solarmarker campaign spotted by Menlo Security used more than 2,000 unique search terms that lured users to the sites that then dropped malicious PDFs rigged with backdoors.
Dragos also reported on a new group they call Petrovite, which gathers intel on ICS and OT systems in mining and energy operations in Kazakhstan and Central Asia.
You Can't Secure What You Can't See
A still common theme dogging industrial organizations – and really many organizations in every sector – is the inability to get a full and clear picture of their networked systems and possible open and vulnerable ports of entry to the bad guys. Some 86% of organizations Dragos assisted had little or no visibility into their OT environments, according to its report. Among their risk factors were poor network segmentation (77% of the organizations), outside connections to their ICS systems (70% of the organizations), and shared credentials between IT and OT systems (44% of the organizations).
Many of these organizations believe they have properly segmented their OT and IT networks and that they don't have unknown networked connections, according to Dragos. "But they [do and] are and ransomware attackers take advantage of that quickly," for example, Lee said.
IBM X-Force detected a major spike in Internet scanning of TCP Port 502 connections – an increase of 2,204% – between January 2021 and September 2021. That's the port used by Modbus, the industrial communications protocol between buses, networks, and programmable logic controllers.
"You need to make sure your OT devices are locked down," IBM X-Force's DeBeck says. "Threat actors are out there looking" for them, he says.
That means testing the security around those devices, he says, including conducting penetration tests to try to stay ahead of attackers.