Attacks on Industrial Control Systems (ICS) and other forms of Operational Technology (OT) are nothing new. It was long assumed that the majority of these attacks needed to be conducted by highly skilled attackers with a fair amount of experience. This assumption rested primarily on the reasoning that an attacker would need extensive knowledge of the targeted OT, including how specific manufacturers built their products and what physical process those products regulated and maintained. According to a new report published by FireEye, it appears that the bar has been lowered significantly, giving inexperienced hackers the ability to carry out attacks on OT infrastructure.
For state-sponsored groups and experienced financially motivated hacking groups, the usual suspects behind such attacks, what was often needed was the development of custom malware and the exploitation of zero-day vulnerabilities unknown to manufacturers until it was too late. Researchers have noted that low-hanging fruit, ripe for less-skilled attackers, has accumulated over the years, including known vulnerabilities that remain unpatched.
Further, the Internet has provided attackers with how-to guides on attacking specific OT processes. The lack of sophistication in these attacks has by no means lessened the threat faced by those tasked with defending OT networks.
Rather, it has increased the possibility of future attacks, placing increased pressure on organizations. Fortunately, none of the incidents observed by FireEye researchers has had a major impact on the physical world, especially when compared to the recent Colonial Pipeline incident.
Worryingly, due to the increase in threat actors capable of targeting OT networks, researchers have seen attacks increase. The attacks are seemingly carried out for a variety of reasons but, for the most part, appear to be financially motivated. Researchers noted,
“While Mandiant has monitored threat actors claiming to share or sell access to internet-exposed OT systems since at least 2012, we have seen a significant increase in the frequency and relative severity of incidents in the past few years. The most common activity we observe involves actors trying to make money off exposed OT systems, but we also see actors simply sharing knowledge and expertise. More recently, we have observed more low sophistication threat activity leveraging broadly known tactics, techniques, and procedures (TTPs), and commodity tools to access, interact with, or gather information from internet exposed assets—something we had seen very little of in the past.”
This spike in activity has impacted a wide range of targets within the OT sphere, from manufacturers and consumers of solar energy panels and water control systems to building automation systems (BAS) and home security systems in academic and private residences. This broad spectrum of targets means that some attacks will pose heightened risks to organizations and the public, while others will present very little risk. Given that several attacks observed by FireEye were opportunistic in nature, evaluating risk across the whole sector becomes difficult and can only be done on a case-by-case basis.
Low Hanging Fruit
A trend observed by researchers involves attackers abusing the graphical user interfaces that OT manufacturers developed to make their products easier to use. As researchers note,
“A consistent characteristic we observe among low sophisticated compromises is that actors most often exploit unsecure remote access services, such as virtual network computing (VNC) connections, to remotely access the compromised control systems. Graphical user interfaces (GUI), such as human machine interfaces (HMI), become the low-hanging fruit of process-oriented OT attacks as they provide a user-friendly representation of complex industrial processes, which enables actors to modify control variables without prior knowledge of a process. In many cases, the actors showed evidence of compromised control processes via images of GUIs, IP addresses, system timestamps, and videos.”
In one instance this trend was seen when an attacker who claimed to have compromised dozens of control systems across North America, Western and Central Europe, and East Asia shared low-quality screenshots as proof. Based on the timestamps in the images, the actor appeared to have gained unauthorized access to these assets over five days. The same attacker shared a low-quality video, probably filmed on a cell phone, showing how they accessed a temperature control system.
While much of the activity seen by researchers was financially motivated, researchers also saw another trend emerging involving hacktivists driven by socio-political motivations. One example provided involved hacktivist groups that frequently use anti-Israel/pro-Palestine rhetoric in social media posts. Some of those posts shared images of compromised OT processes belonging to Israeli organizations, including solar panels and data logging assets.
One side effect of this trend is that the attackers exhibit little knowledge of their targets and seem to want to generate notoriety rather than cause lasting damage. This has resulted in some humorous blunders. In one instance a hacker bragged that they had compromised a German-language rail control system. Such a compromise could result in a horrendous loss of life, but it later emerged that the attacker had compromised software for model-train enthusiasts. In another instance, a group wishing to retaliate for an attack on an Iranian missile facility stated they had compromised an Israeli “gas system”.
In reality, they had compromised a kitchen ventilation system. While funny on some level, the lack of skill and the intentions of the hackers still pose a threat that should be taken seriously. It was also noted that hacktivist collectives would share how-to guides on compromising certain OT systems, which could be found by searching for such systems on Shodan or Censys; the searches look for hosts with TCP port 5900, the default VNC port, open. These guides would also include information on what open source tools to use in a particular instance to facilitate compromise. Researchers concluded that while the attacks analyzed posed very little threat in the physical world, they were concerned for several reasons. These reasons include:
- Each incident provides threat actors with opportunities to learn more about OT, such as the underlying technology, physical processes, and operations. These opportunities can increase an adversary's ability and enhance their tradecraft.
- Even low-sophistication intrusions into OT environments carry the risk of disruption to physical processes, mainly in the case of industries or organizations with less mature security practices. As the number of intrusions increases, so does the risk of process disruption.
- The publicity of these incidents normalizes cyber operations against OT and may encourage other threat actors to increasingly target or impact these systems. This is consistent with the increase in OT activity by more resourced financially motivated groups and ransomware operators.
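The exposure pattern described above, an HMI reachable over VNC from the internet, is something a defender can check for in their own perimeter and segmentation logs. The following is an added example, not code from the report or from FireEye: it parses constructed iptables/ufw-style firewall log lines, flags accepted connections to the default VNC port range that land in an assumed OT VLAN from any source other than an assumed set of engineering jump hosts, and rates internet sources higher than unexpected internal ones. The subnets, the log format and the documentation-range IP addresses are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample firewall log lines (iptables/ufw-style key=value fields), not from the report.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for internet sources.
SAMPLE_LOGS = """\
2021-05-25T08:01:12Z SRC=10.10.50.7 DST=10.10.20.15 PROTO=TCP DPT=5900 ACTION=ACCEPT
2021-05-25T08:02:40Z SRC=203.0.113.45 DST=10.10.20.15 PROTO=TCP DPT=5900 ACTION=ACCEPT
2021-05-25T08:03:05Z SRC=203.0.113.45 DST=10.10.20.16 PROTO=TCP DPT=5901 ACTION=ACCEPT
2021-05-25T08:04:00Z SRC=198.51.100.9 DST=10.10.20.15 PROTO=TCP DPT=5900 ACTION=DROP
2021-05-25T08:05:30Z SRC=10.10.30.4 DST=10.10.20.15 PROTO=TCP DPT=5900 ACTION=ACCEPT
2021-05-25T08:06:00Z SRC=203.0.113.45 DST=10.10.20.15 PROTO=TCP DPT=443 ACTION=ACCEPT
"""

# Assumed network layout: an HMI/control VLAN and the engineering jump hosts allowed to reach it.
OT_NETWORKS = [ipaddress.ip_network("10.10.20.0/24")]
ALLOWED_VNC_SOURCES = [ipaddress.ip_network("10.10.50.0/24")]
# RFC 1918 space; anything outside it is treated as an internet source.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# VNC displays :0 to :6 listen on TCP 5900-5906 by default.
VNC_PORTS = range(5900, 5907)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"DPT=(?P<dpt>\d+) ACTION=(?P<action>\S+)$"
)


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    port: int
    severity: str  # "high": internet source; "medium": internal but not an approved jump host


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def find_exposed_vnc(log_text, ot_networks=OT_NETWORKS, allowed_sources=ALLOWED_VNC_SOURCES):
    """Flag accepted VNC connections into the OT VLAN from anything but approved jump hosts."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != "TCP":
            continue
        if rec["dpt"] not in VNC_PORTS:
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if not _in_any(dst, ot_networks) or _in_any(src, allowed_sources):
            continue
        severity = "medium" if _in_any(src, INTERNAL_NETWORKS) else "high"
        findings.append(Finding(rec["ts"], str(src), str(dst), rec["dpt"], severity))
    return findings


def hosts_reached_per_source(findings):
    """Map each offending source to the OT hosts it reached, to size one actor's footprint."""
    reach = defaultdict(set)
    for f in findings:
        reach[f.src].add(f.dst)
    return {src: sorted(hosts) for src, hosts in reach.items()}


if __name__ == "__main__":
    hits = find_exposed_vnc(SAMPLE_LOGS)
    for f in hits:
        print(f"{f.severity.upper():6} {f.timestamp} {f.src} -> {f.dst}:{f.port}")
    print(hosts_reached_per_source(hits))
```

On the constructed input the dropped connection and the HTTPS connection are ignored, the jump-host session is accepted as expected, the two sessions from the documentation-range address are rated high, and the internal workstation that is not a jump host is rated medium. The per-source grouping is the quick way to see whether one address has walked across several HMIs, which is the footprint the report describes.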
Ransomware Gangs Eyeing OT
In a report published by FireEye in 2020, researchers noted an increase in financially motivated groups, including ransomware gangs, targeting OT infrastructure. It was also noted that these groups do not necessarily distinguish between IT and OT infrastructure: they have found that by targeting OT, money can be extorted just as if they had targeted the IT infrastructure.
In the report, researchers noted that six ransomware families, DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim, and SNAKEHOSE, had included lists of OT processes to kill in their codebases. These lists are designed to let the encryption of data proceed unhindered, since a running process can keep its files open and locked. A side effect of this is that victims may lose vital historical data regarding those processes.
In theory, ransomware attacks in OT environments result in the disruption of services and a temporary loss of view into current and historical process data. However, OT environments hit by ransomware that leverages such a kill list, and that happen to be running one or more of the processes used by the initial victim, may face additional impacts. For example, historian databases would be more likely to be encrypted, possibly resulting in loss of historical data.
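The kill-list behaviour has a recognisable host-side signature: one process requesting terminate rights on many unrelated processes within seconds. The following is an added example, not code from the report or from any of the named ransomware families, showing how a defender could detect it from Sysmon Event ID 10 (ProcessAccess) records. It flags any source image that obtains PROCESS_TERMINATE on at least a threshold number of distinct targets inside a sliding window, or that obtains it on a watchlisted OT process even once. The events are constructed, the watchlist names are placeholders to be replaced with the site's real historian and HMI service names, and the example assumes the Sysmon configuration logs ProcessAccess events with that access mask.

```python
import ntpath
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Bit in the Sysmon ProcessAccess GrantedAccess mask that allows terminating the target.
PROCESS_TERMINATE = 0x0001

# Placeholder names for OT processes that should only ever stop in a maintenance window;
# replace with the real historian/HMI service names for your site.
WATCHLIST = {"histsvc.exe", "hmi_runtime.exe"}

# Constructed Sysmon Event ID 10 records, not taken from any real host:
# (UtcTime, SourceImage, TargetImage, GrantedAccess)
SAMPLE_EVENTS = [
    ("2021-05-25T09:00:00", r"C:\Users\op\AppData\Local\Temp\update.exe", r"C:\Vendor\histsvc.exe", "0x1"),
    ("2021-05-25T09:00:01", r"C:\Users\op\AppData\Local\Temp\update.exe", r"C:\Vendor\hmi_runtime.exe", "0x1"),
    ("2021-05-25T09:00:01", r"C:\Users\op\AppData\Local\Temp\update.exe", r"C:\Vendor\dbservice.exe", "0x1"),
    ("2021-05-25T09:00:02", r"C:\Users\op\AppData\Local\Temp\update.exe", r"C:\Vendor\backupagent.exe", "0x1"),
    ("2021-05-25T09:00:03", r"C:\Users\op\AppData\Local\Temp\update.exe", r"C:\Vendor\logger_svc.exe", "0x1"),
    ("2021-05-25T09:30:00", r"C:\Windows\System32\taskmgr.exe", r"C:\Windows\System32\notepad.exe", "0x1"),
    # 0x1000 is PROCESS_QUERY_LIMITED_INFORMATION: a monitoring agent reading, not killing.
    ("2021-05-25T09:30:05", r"C:\Program Files\EDR\agent.exe", r"C:\Vendor\histsvc.exe", "0x1000"),
]


@dataclass
class Event:
    time: datetime
    source_image: str
    target_image: str
    granted_access: int


@dataclass
class Alert:
    source_image: str
    first_seen: datetime
    last_seen: datetime
    peak_distinct_targets: int  # most distinct targets opened for termination inside one window
    targets: list
    watchlisted: list


def parse_event(row):
    ts, src, tgt, access = row
    return Event(datetime.fromisoformat(ts), src, tgt, int(access, 16))


def detect_mass_terminate(rows, window_seconds=60, threshold=4, watchlist=WATCHLIST):
    """Alert on sources that open >= threshold distinct processes with PROCESS_TERMINATE
    inside a sliding window, or that open a watchlisted OT process that way even once."""
    events = sorted((parse_event(r) for r in rows), key=lambda e: e.time)
    recent = defaultdict(deque)   # source -> (time, target) pairs inside the current window
    peak = defaultdict(int)
    targets = defaultdict(set)
    wl_hits = defaultdict(set)
    span = {}
    for ev in events:
        if not ev.granted_access & PROCESS_TERMINATE:
            continue
        src = ev.source_image
        tgt = ntpath.basename(ev.target_image).lower()
        q = recent[src]
        q.append((ev.time, tgt))
        cutoff = ev.time - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:
            q.popleft()
        peak[src] = max(peak[src], len({t for _, t in q}))
        targets[src].add(tgt)
        if tgt in watchlist:
            wl_hits[src].add(tgt)
        first = span[src][0] if src in span else ev.time
        span[src] = (first, ev.time)
    alerts = []
    for src in targets:
        if peak[src] >= threshold or wl_hits[src]:
            alerts.append(Alert(src, span[src][0], span[src][1], peak[src],
                                sorted(targets[src]), sorted(wl_hits[src])))
    return alerts


if __name__ == "__main__":
    for a in detect_mass_terminate(SAMPLE_EVENTS):
        print(f"{a.source_image}: {a.peak_distinct_targets} targets in one window, "
              f"watchlisted={a.watchlisted}")
```

On the constructed events only the temp-directory binary is alerted: it reaches five distinct targets in three seconds and two of them are watchlisted. Task Manager closing a single editor stays under the threshold, and the monitoring agent never requests terminate rights, so neither produces noise. The window and threshold are tuning knobs; a historian host that legitimately restarts several services at once during patching would need either a higher threshold or an allowlist for the updater's image path.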
Other impacts could include gaps in the collection of process data corresponding to the duration of the outage and temporary loss of access to licensing rights for critical services. At the time of writing the report, researchers concluded,
“As OT networks continue to become more accessible to threat actors of all motivations, security threats that have historically impacted primarily IT are becoming more commonplace. This normalization of OT as just another network from the threat actor perspective is problematic for defenders for many of the reasons discussed above. This recent threat activity should be taken as a wake-up call for two main reasons: the various security challenges commonly faced by organizations to protect OT networks, and the significant consequences that may arise from security compromises even when they are not explicitly designed to target production systems. Asset owners need to look at OT security with the mindset that it is not if you will have a breach, but when. This shift in thinking will allow defenders to better prepare to respond when an incident does happen, and can help reduce the impact of an incident by orders of magnitude.”