Microsoft report finds attackers use multiple tactics, approaches to target OT, as critical infrastructure risks rise

A new Microsoft report provided new insights on wider risks that converging IT, Internet of Things (IoT), and operational technology (OT) systems pose to critical infrastructure. The data reported a spike in the presence of attackers across these environments and networks fueled by the convergence and interconnectivity many organizations have adopted over the past few years.

In the third edition of Cyber Signals report titled ‘The Convergence of IT and Operational Technology: Cyber Risks to Critical Infrastructure on the Rise,’ Microsoft disclosed a 78 percent increase in disclosures of high-severity vulnerabilities from 2020 to 2022 across industrial control equipment produced by various vendors. It also identified ‘unpatched, high-severity vulnerabilities’ across 75 percent of the most common industrial controllers in customer OT networks. 

“Over 1 million connected devices [are] publicly visible on the Internet running Boa, an outdated and unsupported software still widely used in IoT devices and software development kits (SDKs),” the Microsoft report added. 

IDC data shows that with over 41 billion IoT devices across enterprise and consumer environments expected by 2025, devices such as cameras, smart speakers, or locks and commercial appliances can become entry points for attackers. 

The report identified the pervasiveness, vulnerability, and cloud connectivity of IoT and OT devices as a rapidly expanding, often unchecked risk surface affecting an array of industries and organizations. The rapid growth of IoT multiplies the entry points available to attackers and widens the attack surface. With OT becoming more cloud-connected and the IT-OT gap closing, access to less secure OT is opening the door for damaging infrastructure attacks. 

Last month, Microsoft researchers identified a vulnerable component on all the IP addresses published as IOCs and found evidence of a supply chain risk that may affect millions of organizations and devices. The vulnerable component was found to be the Boa web server, often used to access settings and management consoles and sign-in screens in devices.

The report said that adversaries compromise internet-connected devices to gain access to sensitive critical infrastructure networks. “Over the past year, Microsoft has observed threats exploiting devices in almost every monitored and visible part of an organization. We have observed these threats across traditional IT equipment, OT controllers, and IoT devices like routers and cameras,” it added. 

Furthermore, advanced attackers are leveraging multiple tactics and approaches in OT environments. Many of these approaches are common in IT environments but are more effective in OT environments, like the discovery of exposed, Internet-facing systems, abuse of employee login credentials, or exploitation of access granted to third-party suppliers and contractors to the networks. 

While the prevalence of IoT and OT vulnerabilities presents a challenge for all organizations, critical infrastructure is at increased risk. Disabling critical services, not even necessarily destroying them, is a powerful lever. IoT devices offer significant value to organizations looking to modernize workspaces, become more data-driven, and ease demands on staff through shifts like remote management and automation. 

However, in critical infrastructure networks, if not properly secured, they increase the risk of unauthorized access to operational assets and networks, giving attackers a gateway to planning large-scale attacks on sensitive equipment and devices. 

Attackers can have varied motives to compromise devices other than typical laptops and smartphones. Russia’s cyberattacks against Ukraine, as well as other nation-state sponsored cybercriminal activity, demonstrate that some nation-states view cyberattacks against critical infrastructure as desirable for achieving military and economic objectives.

“Almost every attack we’ve seen in the last year started from initial access to an IT network that was leveraged into the OT environment,” David Atch, head of IoT/OT security research at Microsoft Threat Intelligence, wrote in the report. “Critical infrastructure security is a worldwide challenge and difficult to tackle. We must be innovative in creating tools and conducting research to learn more about these types of attacks.”

He added that the best approach to combat attackers targeting IT and OT is Zero Trust and device visibility: understanding what you have in a network and what it’s connected to is critical.

“With connectivity across converging IT, OT, and IoT increasing, organizations and individuals need to rethink cyber risk impact and consequences,” Vasu Jakkal, Microsoft’s corporate vice president for security, compliance, identity, and management, wrote in a company blog post on Wednesday. “Similar to how the loss of a laptop or modern vehicle containing a homeowner’s cached Wi-Fi credentials could grant a property thief unauthorized network access, compromising a manufacturing facility’s remotely connected equipment or a smart building’s security cameras introduces new vectors for threats like malware or industrial espionage,” she added.

As IT and OT converge to support expanding business needs, assessing risk and establishing a more secure relationship between IT and OT require consideration of several control measures, the report disclosed. “Air-gapped devices and perimeter security are no longer sufficient to address and defend against modern threats like sophisticated malware, targeted attacks, and malicious insiders.” 

The Microsoft report also noted that the growth of IoT malware threats reflects this landscape’s expansion and its potential to overtake vulnerable systems. “Analyzing 2022 threat data across different countries, Microsoft researchers found the largest share of IoT malware, 38 percent of the total, originating from China’s large network footprint. Infected servers in the United States put the U.S. in second place, with 18 percent of observed malware distribution,” it added. 

In 2022, Microsoft assisted a major global food and beverage company, which was using very old operating systems to manage factory operations, with a malware incident. “While performing routine maintenance on equipment that would later connect to the Internet, malware spread to factory systems via a compromised contractor laptop. Unfortunately, this is becoming a fairly common scenario. While an ICS environment can be air-gapped and isolated from the Internet, the moment a compromised laptop is connected to a formerly secure OT device or network it becomes vulnerable,” the report disclosed. 

Across the customer networks Microsoft monitors, 29 percent of Windows operating systems have versions that are no longer supported. The report cited versions such as Windows XP and Windows 2000 still operating in vulnerable environments. “Because older operating systems often don’t get the updates required to keep networks secure, and patching is challenging in large enterprises or manufacturing facilities, prioritizing IT, OT, and IoT device visibility is an important first step for managing vulnerabilities and securing these environments,” it added.

Seventy-two percent of the software exploits used by ‘Incontroller,’ which the U.S. Cybersecurity and Infrastructure Security Agency (CISA) described as a ‘novel set of state-sponsored, industrial control system (ICS) oriented cyberattack tools,’ are now available online. “Such proliferation fosters wider attack activity by other actors, as expertise and other barriers to entry diminish.” As the cybercriminal economy expands and malicious software targeting OT systems becomes more prevalent and easier to use, threat actors have more varied ways of mounting large-scale attacks. 

The Microsoft report also covered ransomware attacks, previously perceived as an IT-focused threat, which are affecting OT environments, as seen in the Colonial Pipeline attack, where OT systems and pipeline operations were temporarily shut down while incident responders worked to identify and contain the spread of ransomware on the company’s IT network. 

“Adversaries realize that the financial impact and extortion leverage of shutting down energy and other critical infrastructures is far greater, compared to other industries,” according to the report. “OT systems include almost everything supporting physical operations, spanning dozens of vertical industries. OT systems aren’t solely limited to industrial processes; they can be any special purpose or computerized equipment, such as HVAC controllers, elevators, and traffic lights. Various safety systems fall into the category of OT systems,” it added. 

Microsoft has also observed Chinese-linked threat actors targeting vulnerable home and small office routers in order to compromise these devices as footholds, giving them new address space less associated with their previous campaigns, from which to launch new attacks.

The Microsoft report also pointed to the potential of deploying a defense based on zero trust, effective policy enforcement, and continuous monitoring to help limit the potential blast radius and prevent or contain incidents in cloud-connected environments. “Investigating OT equipment requires specific unique knowledge, and understanding the state of security of industrial controllers is crucial. Microsoft released an open source forensics tool to the defender community, to help incident responders and security specialists better understand their environments and investigate potential incidents,” it added. 

Microsoft called upon organizations to implement new and improved policies, stemming from the zero trust methodology and best practices to provide a holistic approach for enabling seamless security and governance across devices. It also suggested adopting a comprehensive and dedicated security solution that enables visibility, continuous monitoring, attack surface assessment, threat detection, and response.

The report also suggested providing security teams with specific training to deal with threats originating from or targeting IoT/OT systems. It also recommended examining means of augmenting existing IoT and OT security operations, to achieve a unified IT and OT/IoT security operations center (SOC) across environments. 
