New data from Mandiant has observed that low sophistication incidents are increasingly adopting broadly known tactics, techniques, and procedures (TTPs), and commodity tools to access, interact with or gather information from internet exposed assets.
“This low sophistication threat activity has impacted a variety of targets across different industries, ranging from solar energy panels and water control systems to building automation systems (BAS) and home security systems in academic and private residences,” according to a Mandiant report released this week. “While some critical infrastructure targets are very sensitive in nature, other targets present very little risk.” Mandiant is a division of FireEye.
The activity is typically not sophisticated and is normally not targeted against specific organizations. Rather, the compromises appear to be driven by threat hackers who are motivated to achieve ideological, egotistical, or financial objectives by taking advantage of an ample supply of internet-connected OT systems, Mandiant said. As the attackers are not interested in causing specific physical outcomes, they target whatever is available on the internet.
Hackers most often exploit insecure remote access services, such as virtual network computing (VNC) connections, to remotely access the compromised control systems. Graphical user interfaces (GUI), such as human-machine interfaces (HMI), become the low-hanging fruit of process-oriented OT attacks as they provide a user-friendly representation of complex industrial processes, which enables hackers to modify control variables without prior knowledge of a process. In many cases, the attackers showed evidence of compromised control processes via images of GUIs, IP addresses, system timestamps, and videos.
“Each of the low sophistication incidents we observe is unique and poses a different level of risk, which we normally determine by examining the actor’s previous work and reputation, the target’s industry, and the nature of the compromised process, among other things,” the researchers observed in their report.
Mandiant also observed that while low sophistication incidents do not appear to commonly impact physical environments, they are concerning as every incident provides threat cyberattackers with opportunities to learn more about the OT, such as the underlying technology, physical processes, and operations. These instances can help increase an adversary’s ability and enhance their tradecraft.
Low sophistication incidents into OT environments also carry the risk of disruption to physical processes, mainly in the case of industries or organizations with less mature security practices. As the number of intrusions increase, so does the risk of process disruption. In addition, publicity of these incidents normalizes cyber operations against OT and may encourage other threat hackers to increasingly target or impact these systems. This is consistent with the increase in OT activity by more resourced financially motivated groups and ransomware operators.
Attacks on control processes supported by OT are often perceived as necessarily complex, since disrupting or modifying a control process to cause a predictable effect is often quite difficult and can require a lot of time and resources.
“Some of the actors we track made comments that indicated they had either a limited understanding of the OT assets they compromised or that they were simply attempting to gain notoriety,” the researchers added.
There have been a number of recent incidents of hackers attacking an organization’s OT and causing disruptions in operations. Earlier this year, WestRock Company detected a ransomware incident affecting ‘certain of its operational and information technology systems,’ which affected production at the corrugated packaging company, leading to flagging shipments from some of its facilities.
Jet-maker Bombardier also confirmed in February that it had been a victim of a cybersecurity breach on what it described as purpose-built servers, which were isolated from the main Bombardier IT network. Last month, oil drilling services company Gyrodata was hit by a data security incident after an unauthorized hacker was able to gain access to certain company systems and steal the personal information of some current and former company employees.
This month, fuel pipeline company Colonial Pipeline had to take certain systems offline after the company detected that DarkSide ransomware was responsible for the compromise of its networks. Colonial had to temporarily halt all pipeline operations after some of its IT systems were affected until the company’s executives authorized the ransom payment of US$4.4 million because they were unsure how badly the cyberattack had breached its systems.