Rise in Opportunistic Hacks and Info-Sharing Imperil Industrial Networks

Security researchers at Mandiant have seen an increasing wave of relatively simplistic attacks involving ICS systems - and attackers sharing their finds with one another - since 2020.


An attacker's brazen hijack of the water treatment plant in the Florida city of Oldsmar earlier this year was no Stuxnet- or Triton-level breach. But the relative simplicity of the attack, in which the intruder appeared to have somehow obtained system credentials to remotely control the settings via the TeamViewer application, epitomizes the typical threat most OT networks face today: mainly rudimentary attacks that exploit industrial control systems (ICSs) inadvertently exposed to the open Internet or that abuse chronically weak or shared credentials.

In many cases, industrial organizations - while arguably a valuable catch - aren't initially targeted by the attacker, and a cyber-physical attack isn't the goal. That trend was underscored this past year, according to researchers at Mandiant's Cyber Physical Intelligence team. They identified a noticeable uptick in OT-related incidents since 2020, with most of the actors not looking to turn off the lights, poison the water, or cause any physical outcome. Their tactics were less than sophisticated, too, and often they weren't even looking for OT targets but instead had stumbled upon these victims.

Mandiant's research, published today, covers both publicly reported and not previously public OT incidents. It shows a rise this past year in attackers attempting to monetize their access to an exposed ICS system, and a wave of information-sharing by attackers who posted videos and screenshots of industrial systems they were able to access, along with how they did it - more frequently than Mandiant has seen before.

These incidents have affected solar energy panels and water control systems, as well as building automation systems (BAS) and home security systems. The attackers employed known search tools like Shodan and Censys, and common tactics, techniques and procedures (TTPs).

"These are bad ... but not at the level of Triton," says Nathan Brubaker, senior manager of analysis at Mandiant Threat Intelligence, of the security events and incidents his firm reported on today. Even so, he says, this mix of cybercriminals, hacktivists, and newbies is gaining insight and knowledge on complex ICS environments via increasing information-sharing in the cyber underground.

"There are tutorials that show Shodan and how to pivot around it and find water utilities and then from there click in, and to, that HMI [human machine interface] that's exposed. And if you're not required to authenticate to it, then you can do whatever you want," he says. 

Brubaker, who worked on the Mandiant incident response team for the Triton attack, says that worries him.

"These actors are building expertise and willingness [to make] contact with other actors. What if they meet up with a ransomware group" and combine forces, he asks. "That would make ransomware more impactful on OT." That concerns him.

Dragos' Sergio Caltagirone, vice president of threat intelligence at the ICS security firm, called the City of Oldsmar attack "the perfect example" of the type of ICS attack his firm frequently sees. It's not so much the feared, sophisticated ICS custom-malware type of attack by more well-resourced nation-state hackers, but threat actors breaking in via unknown ports left wide open on the public Internet, or weak or compromised credentials.

"A network that is unprepared and indefensible, but by an organization doing their best but that's chronically under-resourced and under-funded to protect itself ... it's a confluence of [more adversaries]" going after ICS networks and a failure of these networks to operate the most basic security practices, Caltagirone says.

Once they find that ajar - or unlocked - door, they often can make their way through the network, and "they can push buttons," he says.

Dragos earlier this year published its annual report on the ICS threat and attack trends its researchers and incident responders saw: In all of the incident-response cases it worked on, the attackers gained access to the victim's ICS network via the Internet, and shared IT and OT credentials were used to move laterally in the network.

Mandiant researchers found the low-sophistication compromises typically exploit remote access services, including virtual network connections, that are not secured properly. HMIs, typically with user-friendly graphical user interfaces, give an unseasoned OT hacker a handy view of industrial processes. In one incident the team saw, an attacker shared images and video (in Dutch) of his tampering with a temperature control system he had gained access to; he boasted of having hacked into dozens of control systems in North America, Europe, and East Asia.

Some of the threat actors Mandiant has observed appear to be hacktivists. Israeli OT networks were most commonly found as victims in posts they saw, including a solar energy firm and a data-logger for mining exploration and dam surveillance. One incident involved the access of the building automation system at a major international hotel chain location in Australia.

But they also saw a few cases of "green" threat actors who didn't know what they had compromised: One group mistakenly claimed to have hacked a German-language rail control system, but the screenshot they posted was actually the Web interface for a model train set, the researchers discovered. Other attackers bragged that they had compromised an Israeli gas system in retaliation for the recent explosion at an Iranian missile facility, but their video revealed they had actually hacked an Israeli restaurant's kitchen ventilation system.


Attackers claiming to have hacked an Israeli gas system had actually compromised this Israeli restaurant's kitchen ventilation system. Source: Mandiant

Pipeline Regs On the Horizon
The US federal government, meanwhile, is about to double down on protecting critical infrastructure with some new rules.

The Washington Post reported today that the US Department of Homeland Security (DHS) is moving forward with a plan to regulate cybersecurity for the pipeline industry for the first time in the wake of the ransomware attack on Colonial Pipeline. The company shut down its pipeline for 11 days this month in response to the ransomware attack on its IT systems, ultimately paying the attackers $4.4 million to unencrypt its locked-down systems. Colonial Pipeline's shutdown led to gasoline shortages in some areas, as well as panic-buying in parts of the southeastern US. The FBI has linked ransomware-as-a-service (RaaS) group DarkSide to the attack.

DHS's Transportation Security Administration (TSA) this week is expected to issue a security directive that requires pipeline companies to report cyberattacks to the feds and to assess and remediate their security postures, according to The Washington Post report.

The Colonial Pipeline ransomware attack provided a hint at what critical infrastructure disruption could look like, and more ransomware threats loom on the horizon for utilities. A rapidly evolving ransomware family called JSWorm now appears to be targeting critical infrastructure organizations around the globe, according to researchers at Kaspersky. Some 41% of JSWorm attacks hit engineering and manufacturing firms, followed by energy and utilities (10%), finance (10%), professional and consumer services (10%), transportation (7%), and healthcare (7%).

The JSWorm gang in two years has created more than eight different faces of its malware, which previously has been known by its Nemty, Milihpen, and Gangbang variants. The group behind it, initially operating under a ransomware-as-a-service model, last year shut down that operation and launched targeted campaigns against high-profile targets, demanding large ransom payments, the researchers found.

OT Defense
Keeping OT systems off the public Internet is key: Mandiant recommends locking down remote access, monitoring traffic for any nefarious activity, and disabling any network or other services not in use, as well as changing any default credentials, whitelisting access, and reviewing device and other system configurations. HMIs and ICS systems should be set to enforce specific ranges of input such that they prevent dangerous physical outcomes, and organizations should ensure none of their equipment is "discoverable" by Shodan and Censys tools, Mandiant advises in its report.
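The input-range recommendation above can be pictured as a guard that sits between any HMI or remote session and the controller. The sketch below is an added example, not code from Mandiant's report or any vendor product; the tag names, limits, and source labels are constructed assumptions.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Limit:
    low: float       # lowest value the process may be commanded to
    high: float      # highest value the process may be commanded to
    max_step: float  # largest change accepted in a single write

# Constructed limits for hypothetical tags; real values come from process engineers.
LIMITS = {
    "hvac.supply_temp_c": Limit(16.0, 28.0, 3.0),
    "vent.fan_speed_pct": Limit(20.0, 100.0, 25.0),
}

def check_write(tag, current, requested, limits=LIMITS):
    """Return (allowed, reason) for one requested setpoint write."""
    limit = limits.get(tag)
    if limit is None or current is None:
        return False, "unknown tag"          # default-deny anything not listed
    if not isinstance(requested, (int, float)) or not math.isfinite(requested):
        return False, "not a finite number"  # rejects strings, NaN, infinity
    if not limit.low <= requested <= limit.high:
        return False, "outside safe range"
    if abs(requested - current) > limit.max_step:
        return False, "step too large"       # in range, but too abrupt a change
    return True, "ok"

def apply_writes(state, writes, limits=LIMITS):
    """Apply writes in order; return (new_state, rejected writes to alert on)."""
    state = dict(state)
    rejected = []
    for source, tag, requested in writes:
        allowed, reason = check_write(tag, state.get(tag), requested, limits)
        if allowed:
            state[tag] = float(requested)
        else:
            rejected.append((source, tag, requested, reason))
    return state, rejected

# Constructed sample: one operator change, then out-of-policy remote writes.
START = {"hvac.supply_temp_c": 21.0, "vent.fan_speed_pct": 60.0}
WRITES = [
    ("operator-ws", "hvac.supply_temp_c", 23.0),
    ("remote-session", "hvac.supply_temp_c", 60.0),
    ("remote-session", "hvac.supply_temp_c", 28.0),
    ("remote-session", "vent.fan_speed_pct", 0.0),
    ("remote-session", "door.lock", 0),
]
```

Rejected writes are returned rather than silently dropped so they can feed the traffic monitoring the report also calls for; in a real plant the same limits belong in the controller logic itself, not only in the HMI.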

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
