Rise in Opportunistic Hacks and Info-Sharing Imperil Industrial Networks

Security researchers at Mandiant have seen an increasing wave of relatively simplistic attacks involving ICS systems - and attackers sharing their finds with one another - since 2020.

The brazen hijack by an attacker of the water treatment plant in the Florida city of Oldsmar earlier this year was no Stuxnet- or Triton-level breach. But the relative simplicity of the attack, in which the intruder appeared to have somehow obtained system credentials and used the TeamViewer application to remotely change settings, epitomizes the typical threat most OT networks face today: mainly rudimentary attacks that exploit industrial control systems (ICSs) inadvertently exposed to the open Internet, or that abuse chronically weak or shared credentials.

In many cases, industrial organizations - while arguably a valuable catch - aren't initially targeted by the attacker, and a cyber-physical attack isn't the goal. That trend was underscored this past year, according to researchers on Mandiant's Cyber Physical Intelligence team, who identified a noticeable uptick in OT-related incidents since 2020, with most of the actors not looking to turn off the lights, poison the water, or cause any physical outcome. Their tactics were less than sophisticated, too, and often they weren't even looking for OT targets but had stumbled upon these victims.

Mandiant's research, published today, covers both publicly reported and not-previously-public OT incidents. It shows a rise this past year in attackers attempting to monetize their access to exposed ICS systems, and a wave of information-sharing in which attackers posted videos and screenshots of the industrial systems they had accessed and explained how they did it - more frequently than Mandiant has seen before.

These incidents have affected solar energy panels and water control systems, as well as building automation systems (BAS) and home security systems. The attackers employed well-known Internet search tools such as Shodan and Censys, along with common tactics, techniques, and procedures (TTPs).

"These are bad ... but not at the level of Triton," says Nathan Brubaker, senior manager of analysis at Mandiant Threat Intelligence, of the security events and incidents his firm reported on today. Even so, he says, this mix of cybercriminals, hacktivists, and newbies is gaining insight and knowledge on complex ICS environments via increasing information-sharing in the cyber underground.

"There are tutorials that show Shodan and how to pivot around it and find water utilities, and then from there click into that HMI [human machine interface] that's exposed. And if you're not required to authenticate to it, then you can do whatever you want," he says.

Brubaker, who worked on the Mandiant incident response team for the Triton attack, says that worries him.

"These actors are building expertise and willingness [to make] contact with other actors. What if they meet up with a ransomware group" and combine forces, he asks. "That would make ransomware more impactful on OT." That concerns him.

Dragos' Sergio Caltagirone, vice president of threat intelligence at the ICS security firm, called the City of Oldsmar attack "the perfect example" of the type of ICS attack his firm frequently sees. It's not so much the feared, sophisticated ICS custom-malware type of attack by more well-resourced nation-state hackers, but threat actors breaking in via unknown ports left wide open on the public Internet, or weak or compromised credentials.

"A network that is unprepared and indefensible, but by an organization doing their best but that's chronically under-resourced and under-funded to protect itself ... it's a confluence of [more adversaries]" going after ICS networks and a failure of these networks to operate the most basic security practices, Caltagirone says.

Once they find that ajar - or unlocked - door, they often can make their way through the network, and "they can push buttons," he says.

Dragos earlier this year published its annual report on the ICS threat and attack trends its researchers and incident responders saw: In all of the incident-response cases it worked on, the attackers gained access to the victim's ICS network via the Internet, and shared IT and OT credentials were used to move laterally in the network.

Mandiant researchers found that the low-sophistication compromises typically exploit improperly secured remote access services, including virtual network connections. HMIs, typically with user-friendly graphical user interfaces, give an unseasoned OT hacker a handy view of industrial processes. In one incident the team saw, an attacker shared images and video (in Dutch) of his tampering with a temperature control system he had gained access to; he boasted of having hacked into dozens of control systems in North America, Europe, and East Asia.

Some of the threat actors Mandiant has observed appear to be hacktivists. Israeli OT networks were the most common victims in the posts they saw, including a solar energy firm and a data-logger for mining exploration and dam surveillance. One incident involved access to the building automation system at a major international hotel chain location in Australia.

But they also saw a few cases of "green" threat actors who didn't know what they had compromised: One group mistakenly claimed to have hacked a German-language rail control system, but the screenshot they posted was actually the Web interface for a model train set, the researchers discovered. Other attackers bragged that they had compromised an Israeli gas system in retaliation for the recent explosion at an Iranian missile facility, but their video revealed they had actually hacked an Israeli restaurant's kitchen ventilation system.


Attackers claiming to have hacked an Israeli gas system had actually compromised this Israeli restaurant's kitchen ventilation system. Source: Mandiant

Pipeline Regs On the Horizon
The US federal government, meanwhile, is about to double down on protecting critical infrastructure with some new rules.

The Washington Post reported today that the US Department of Homeland Security (DHS) is moving forward with a plan to regulate cybersecurity for the pipeline industry for the first time, in the wake of the ransomware attack on Colonial Pipeline. The company shut down its pipeline for 11 days this month in response to the ransomware attack on its IT systems, ultimately paying the attackers $4.4 million to decrypt its locked-down systems. Colonial Pipeline's shutdown led to gasoline shortages in some areas, as well as panic-buying in parts of the southeastern US. The FBI has linked ransomware-as-a-service (RaaS) group DarkSide to the attack.

DHS's Transportation Security Administration (TSA) this week is expected to issue a security directive that requires pipeline companies to report cyberattacks to the feds and to assess and remediate their security postures, according to The Washington Post report.

The Colonial Pipeline ransomware attack provided a hint at what critical infrastructure disruption could look like, and more ransomware threats loom on the horizon for utilities. A rapidly evolving ransomware family called JSWorm now appears to be targeting critical infrastructure organizations around the globe, according to researchers at Kaspersky. Some 41% of JSWorm attacks hit engineering and manufacturing firms, followed by energy and utilities (10%), finance (10%), professional and consumer services (10%), transportation (7%), and healthcare (7%).

In two years, the JSWorm gang has created more than eight different versions of its malware, which has previously been known by its Nemty, Milihpen, and Gangbang variants. The group behind it, initially operating under a ransomware-as-a-service model, shut down that operation last year and launched targeted campaigns against high-profile targets, demanding large ransom payments, the researchers found.

OT Defense
Keeping OT systems off the public Internet is key: Mandiant recommends locking down remote access, monitoring traffic for any nefarious activity, and disabling any network or other services not in use, as well as changing any default credentials, whitelisting access, and reviewing device and other system configurations. HMIs and ICS systems should be set to enforce specific ranges of input such that they prevent dangerous physical outcomes, and organizations should ensure none of their equipment is "discoverable" by Shodan and Censys tools, Mandiant advises in its report.
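As an added illustration of the perimeter review Mandiant recommends (example code written for this article, not Mandiant's or Dragos' tooling): a small audit of a constructed firewall ruleset that flags allow rules opening remote-access or ICS ports to anything outside a management allowlist, grading Internet-reachable sources as critical. The watched-port list and the allowlist subnet are assumptions.

```python
"""Audit firewall rules for Internet-exposed remote-access and ICS services.
Constructed example, not Mandiant's or Dragos' tooling; the findings list is what
a perimeter review should turn up before Shodan or Censys does."""
import ipaddress
from typing import List, NamedTuple
class Rule(NamedTuple):
    name: str
    src: str      # CIDR the rule accepts traffic from
    dst: str      # internal host the rule forwards to
    dport: int
    action: str   # "allow" or "deny"

# Remote-access services named in the article plus common ICS protocol ports
# (standard port assignments, assumed here for the example).
WATCHED_PORTS = {5900: "VNC", 5938: "TeamViewer", 3389: "RDP", 502: "Modbus/TCP",
                 102: "Siemens S7", 20000: "DNP3", 44818: "EtherNet/IP"}
# RFC 1918 ranges; any source not inside one is reachable from the Internet.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Management jump-host subnet permitted to reach OT (constructed allowlist).
ALLOWLIST = [ipaddress.ip_network("10.50.0.0/24")]

def _within(src, nets) -> bool:
    return any(src.subnet_of(n) for n in nets)

def audit(rules: List[Rule]) -> List[str]:
    """One finding per allow rule that opens a watched port to a source outside
    ALLOWLIST: CRITICAL for public sources, WARN for non-allowlisted private ones."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dport not in WATCHED_PORTS:
            continue
        src = ipaddress.ip_network(r.src, strict=False)
        if _within(src, ALLOWLIST):
            continue  # whitelisted management path
        severity = "CRITICAL" if not _within(src, PRIVATE) else "WARN"
        findings.append(f"{severity}: {r.name} exposes {WATCHED_PORTS[r.dport]} "
                        f"(tcp/{r.dport}) on {r.dst} to {r.src}")
    return findings
# Constructed ruleset; the first three rules are the exposures described above.
SAMPLE_RULES = [
    Rule("hmi-vnc-any", "0.0.0.0/0", "192.168.10.20", 5900, "allow"),
    Rule("vendor-teamviewer", "203.0.113.0/24", "192.168.10.21", 5938, "allow"),
    Rule("modbus-from-it-lan", "10.20.0.0/16", "192.168.10.30", 502, "allow"),
    Rule("jumphost-rdp", "10.50.0.0/24", "192.168.10.20", 3389, "allow"),
    Rule("public-web", "0.0.0.0/0", "192.168.5.5", 443, "allow"),
    Rule("block-vnc", "0.0.0.0/0", "192.168.10.22", 5900, "deny"),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RULES)))
```

Running it on the sample ruleset reports the two Internet-facing VNC and TeamViewer rules as critical and the Modbus rule reachable from the general IT LAN as a warning, while the jump-host and HTTPS rules pass.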

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
