Attacks on control processes, such as systems in industrial settings, are on the rise with common and unsophisticated methods being employed to compromise them.
On Tuesday, FireEye’s Mandiant cyberforensics team released a report exploring attack rates on control processes, particularly those supported by operational technology (OT).
Control process attacks may once have been viewed as complex because of the access they required, the need for malware designed to compromise proprietary industrial technologies, or the difficulty of disrupting a control process in a way that produces a predictable effect. Now, however, vulnerable, internet-facing OT endpoints offer a far wider attack surface.
Mandiant’s Keith Lunden, Daniel Kapellmann Zafra, and Nathan Brubaker said that there is an increasing frequency of “low sophistication” OT attack attempts and the firm has observed hackers with “varying levels of skill and resources” using “common IT tools and techniques to gain access to and interact with exposed OT systems.”
Solar energy panel networks, water control systems, and building automation systems (BAS) have been targeted, and while critical infrastructure entities are on the list, the same techniques are being used against academic and private residential internet-of-things (IoT) devices, too.
According to the team, the general trend against OT systems appears to be based on attackers trying to wrest control of vast numbers of open endpoints for “ideological, egotistical, or financial objectives,” rather than a wish to cause severe damage — such as by taking control of a core infrastructure asset.
Over the past few years, the researchers have observed OT assets becoming compromised through a variety of methods, including remote access services and virtual network computing (VNC).
However, the “low-hanging fruit” many attackers are going for are graphical user interfaces (GUIs) — including human-machine interfaces (HMIs) — which are, by design, intended to be simple user interfaces for controlling complex industrial processes. As a result, threat actors are able to “modify control variables without prior knowledge of a process,” Mandiant says.
Another trend of note is hacktivism, propelled by widely available and free tutorials online. Recently, the researchers have seen hacktivist groups bragging in anti-Israel/pro-Palestine social media posts that they have compromised Israeli OT assets in the renewable and mining sectors.
Other low-skilled threat actors appear to be focused on notoriety, however, with little knowledge of what they are targeting.
In two separate cases, threat actors bragged about hijacking a German rail control system — only for it to be a command station for model train sets — and in another, a group claimed they had broken into an Israeli “gas” system, but it was nothing more than a kitchen ventilation system in a restaurant.
Despite these gaffes, however, successful attacks against critical OT assets can have serious ramifications. After all, we only need to consider the panic-buying and fuel shortages across the US caused by the ransomware outbreak at Colonial Pipeline as an example.
“As the number of intrusions increase, so does the risk of process disruption,” Mandiant says. “The publicity of these incidents normalizes cyber operations against OT and may encourage other threat actors to increasingly target or impact these systems. This is consistent with the increase in OT activity by more resourced financially-motivated groups and ransomware operators.”
The researchers recommend that, wherever possible, OT assets should be removed from public, online networks. Network hardening and security audits, including device discovery, should be conducted frequently, and HMIs, alongside other assets, should be configured to prevent potentially hazardous variable states.
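The two recommendations that lend themselves to a repeatable check are the device-discovery audit (which OT assets expose remote-access or HMI services from internet-routable addresses?) and the HMI configuration point (does the range an operator can type into the HMI stay inside the process's engineered safe envelope?). The following script is an added illustration, not code from the article or from Mandiant: the asset inventory is constructed, the port-to-service table lists conventional default ports only, and every function name is this example's own. It treats the IANA documentation ranges (TEST-NET) as stand-in public addresses so that the sample runs offline.

```python
"""Offline audit of a constructed OT asset inventory (added example).

Check 1: flag assets whose remote-access or HMI services sit on an
         internet-routable address.
Check 2: flag HMI variables whose operator-settable range extends outside
         the process's engineered safe envelope, and show the tightened
         configuration that closes the gap.
"""
import copy
import ipaddress

# Conventional default ports for services commonly used to reach OT assets
# remotely. Labels are this example's own.
REMOTE_ACCESS_PORTS = {
    23: "Telnet",
    80: "HTTP (web HMI)",
    443: "HTTPS (web HMI)",
    502: "Modbus/TCP",
    3389: "RDP",
    5900: "VNC",
}

# Address space that cannot be reached from the public internet. The IANA
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) are
# deliberately omitted so the constructed inventory can use them as
# stand-in public addresses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]

# Constructed inventory. Each variable carries the range the HMI lets an
# operator enter ("hmi") and the range engineering considers safe ("safe").
INVENTORY = [
    {
        "name": "pump-station-hmi",
        "ip": "203.0.113.10",          # TEST-NET-3, treated as public here
        "ports": [5900, 502],
        "variables": {
            "tank_level_setpoint_pct": {"hmi": (0, 100), "safe": (10, 90)},
            "pump_speed_rpm":          {"hmi": (0, 1500), "safe": (0, 1500)},
        },
    },
    {
        "name": "boiler-hmi",
        "ip": "192.168.20.5",          # private address, not internet-facing
        "ports": [80, 502],
        "variables": {
            "steam_pressure_setpoint_bar": {"hmi": (0, 12), "safe": (2, 8)},
        },
    },
    {
        "name": "solar-inverter-gw",
        "ip": "198.51.100.7",          # TEST-NET-2, treated as public here
        "ports": [22],                 # SSH only; not in the table above
        "variables": {},
    },
]


def is_internet_routable(ip: str) -> bool:
    """True unless the address falls in a known non-routable range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def find_exposed_services(inventory):
    """(asset, port, service) for every remote-access port on a public address."""
    findings = []
    for asset in inventory:
        if not is_internet_routable(asset["ip"]):
            continue
        for port in asset["ports"]:
            if port in REMOTE_ACCESS_PORTS:
                findings.append((asset["name"], port, REMOTE_ACCESS_PORTS[port]))
    return findings


def find_unsafe_setpoint_ranges(inventory):
    """(asset, variable, hmi_range, safe_range) where the HMI permits values
    outside the safe envelope on either end."""
    findings = []
    for asset in inventory:
        for var, limits in asset["variables"].items():
            hmi_lo, hmi_hi = limits["hmi"]
            safe_lo, safe_hi = limits["safe"]
            if hmi_lo < safe_lo or hmi_hi > safe_hi:
                findings.append((asset["name"], var, limits["hmi"], limits["safe"]))
    return findings


def clamp_hmi_ranges(inventory):
    """Return a copy in which every HMI range is tightened to the safe envelope."""
    hardened = copy.deepcopy(inventory)
    for asset in hardened:
        for limits in asset["variables"].values():
            lo = max(limits["hmi"][0], limits["safe"][0])
            hi = min(limits["hmi"][1], limits["safe"][1])
            limits["hmi"] = (lo, hi)
    return hardened


def audit(inventory):
    return {
        "exposed_services": find_exposed_services(inventory),
        "unsafe_ranges": find_unsafe_setpoint_ranges(inventory),
    }


if __name__ == "__main__":
    report = audit(INVENTORY)
    for name, port, svc in report["exposed_services"]:
        print(f"EXPOSED  {name}: {svc} on tcp/{port} reachable from the internet")
    for name, var, hmi, safe in report["unsafe_ranges"]:
        print(f"UNSAFE   {name}: {var} HMI range {hmi} exceeds safe envelope {safe}")
    # The tightened configuration produces no range findings.
    print("after clamp:", find_unsafe_setpoint_ranges(clamp_hmi_ranges(INVENTORY)))
```

On the constructed data the audit reports the pump station's VNC and Modbus/TCP services as internet-reachable and two HMI variables whose ranges exceed their safe envelopes; the SSH-only gateway and the privately addressed boiler HMI produce no exposure finding. In a real deployment the inventory would come from a discovery tool and the safe envelopes from process engineering, but the two checks stay the same.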
The risk of OT compromise has not gone unnoticed by federal agencies. In July, the US National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert warning of attacks against critical infrastructure through vulnerable OT.
The agencies said legacy OT devices, internet connectivity, and modern attack methods have created a “perfect storm.”