Nozomi reports significant rise in cyberattacks disrupting critical infrastructure landscape, as RATs targeted OT

Industrial cybersecurity company Nozomi Networks disclosed in its latest OT/IoT security report for the second half of 2022 that disruptive and malicious cyberattacks on vital infrastructures like energy, hospitals, rail, and manufacturing were still observed and remain a significant issue. The firm reports that it also tracked hacktivists causing disruptive attacks, thefts of technology source code, and use of wiper malware. 

“Continued attacks on railroads have prompted guidelines to help rail operators secure their assets. Hacktivists have opted to use wiper malware to launch disruptive attacks on critical infrastructure, to further their political stance in the Russia/Ukraine war,” Nozomi reported on Wednesday. “As cyber threats evolve and intensify, it is important to understand how threat actors are targeting the Operational Technology (OT) and Internet of Things (IoT) devices embedded in critical infrastructure.”

Additionally, Nozomi provided insights from its IoT honeypots, and analysis of ICS-CERT advisories to determine which industries are most vulnerable. It further provides recommendations for strengthening defenses and a forecast of emerging threats to help prepare for 2023.

Nozomi reports that three major steel companies in Iran – the Mobarakeh Steel Company (MSC), Khouzestan Steel Company (KSC), and Hormozgan Steel Company (HOSCO) – were hit by a cyberattack at the end of June last year continuing into July. These attacks, which caused website and production line disruptions, were claimed by a hacktivist group dubbed Gonjeshke Darande. “This group had previously taken responsibility for a cyberattack that deployed wiper malware on the Iranian train system earlier in the year. This incident brings to light the vulnerability of critical infrastructure to malicious actors, regardless of their motives or affiliations,” it added.

Between August and September, there were several disruptive attacks on manufacturing, oil, water, and electric utility companies.

In November, automotive and rail technology giant Continental was hit with a cyberattack. The attackers had already breached Continental’s networks before they struck, allowing them to gain access to numerous technical documents and source codes about Continental’s advanced technologies. Attackers accessing source code for these technologies is cause for major concern.

“Attacks against rail systems have been growing in frequency, making this sector an attractive target to all threat actor types at play (i.e. nation-state, hacktivists, cybercriminals),” Nozomi reports. “Attackers may seek out private customer information like credit card numbers or personal data such as addresses or Social Security numbers for identity theft purposes. Additionally, they could attempt to sabotage operations by causing delays or disruption of services through DDoS attacks on websites or applications used within the network. By disrupting service schedules, attackers can cause significant financial losses for companies providing these services as well as create public safety hazards,” it added.

Nozomi reports that healthcare facilities have become a prime target for cybercriminals due to the sensitive nature of their data. “Hospitals rely heavily on technology like medical records and imaging systems to provide patient care, so any disruption in service can cause significant harm to patients’ health. As a result, hospitals may be more willing to pay ransoms than other organizations in order to regain access to their systems quickly. Additionally, healthcare providers often have access to medical records that contain financial information such as insurance numbers and credit card information,” it added.

The report evaluates that recent cyberattacks on hospitals during the second half of 2022 have given rise to new fears about healthcare systems being vulnerable to hackers. Citing examples, Nozomi said that on Oct. 10, 2022, a ransomware attack hit CommonSpirit Health, the fourth-largest U.S. health system with 140 affiliate hospitals. The attack led to delays in surgeries and other patient operations. There has also been a series of cyberattacks across Europe. In December, a ransomware attack at the French hospital Corbeil-Essonnes resulted in a data leak and disruption of operations.

Nozomi reports that hackers can steal ‘clear text passwords’ and guess ‘weak passwords’ to gain unauthorized access to devices. Those alerts, coupled with ‘multiple access denied events’ within a short period, could indicate a potential brute force attack. Other alerts like ‘TCP SYN flood,’ where the hacker floods a server with connection requests, could also indicate an attempted denial of service (DoS) attack. 
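The alert patterns described above are rate-based: many ‘access denied’ events from one source in a short window suggest a brute-force attempt, and a burst of TCP SYNs from one source suggests a SYN flood. The following is an added example, not code from the report or from Nozomi Networks, that applies one sliding-window rule to both alert types over a constructed set of alert lines; the line format, the asset names and the thresholds are assumptions chosen for illustration, and real thresholds would be tuned per environment.

```python
"""Windowed-rate detection over OT/IoT alert events (added illustration).

An event source is flagged when it produces at least `threshold` events of one
kind inside any `window_seconds` window. The same rule serves the two alert
types named in the text: 'access_denied' (brute force) and 'tcp_syn' (SYN flood).
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample alerts (not from the report). Assumed format per line:
# "<ISO timestamp> <alert kind> <source IP> <target asset>".
SAMPLE_ALERTS = [
    "2022-10-10T08:00:01 access_denied 203.0.113.7 plc-01",
    "2022-10-10T08:00:03 access_denied 203.0.113.7 plc-01",
    "2022-10-10T08:00:04 access_denied 203.0.113.7 plc-01",
    "2022-10-10T08:00:06 access_denied 203.0.113.7 plc-01",
    "2022-10-10T08:00:08 access_denied 203.0.113.7 plc-01",
    "2022-10-10T08:00:09 access_denied 203.0.113.7 plc-01",
    # Two isolated failures 45 minutes apart: an operator typo, not a burst.
    "2022-10-10T08:15:00 access_denied 198.51.100.4 hmi-02",
    "2022-10-10T09:00:00 access_denied 198.51.100.4 hmi-02",
    # One normal connection attempt against the historian.
    "2022-10-10T09:30:05 tcp_syn 198.51.100.4 hist-01",
] + [
    # Forty SYNs in forty seconds from a single source (constructed).
    f"2022-10-10T09:30:{i:02d} tcp_syn 192.0.2.9 hist-01" for i in range(40)
]


def parse_alert(line):
    """Split one alert line into (timestamp, kind, source, target)."""
    ts, kind, src, dst = line.split()
    return datetime.fromisoformat(ts), kind, src, dst


def windowed_rate_detector(lines, kind, threshold, window_seconds):
    """Return {source: first timestamp at which the threshold was reached}.

    Events are sorted by time first, so unordered input is handled. For each
    source a deque holds the timestamps still inside the trailing window.
    """
    events = sorted((parse_alert(l) for l in lines if l.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(deque)
    flagged = {}
    for ts, k, src, _ in events:
        if k != kind:
            continue
        window = recent[src]
        window.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Repeated 'access denied' events from one source in a short period."""
    return windowed_rate_detector(lines, "access_denied", threshold, window_seconds)


def detect_syn_flood(lines, threshold=30, window_seconds=60):
    """Burst of TCP SYNs from one source; thresholds are illustrative only."""
    return windowed_rate_detector(lines, "tcp_syn", threshold, window_seconds)


if __name__ == "__main__":
    for name, hits in (("brute force", detect_bruteforce(SAMPLE_ALERTS)),
                       ("SYN flood", detect_syn_flood(SAMPLE_ALERTS))):
        for src, when in hits.items():
            print(f"{name}: {src} reached threshold at {when.isoformat()}")
```

Keeping the window per source rather than global is what separates a single noisy source from a fleet of legitimate users who each fail once; the function records the moment the threshold is first crossed so an analyst can pivot into the surrounding traffic from that timestamp.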

The report also disclosed that over the past six months, trojans were the most common malware detected targeting enterprise networks, Remote Access Tools (RATs) targeted OT, and DDoS malware targeted IoT devices.

In the second half of 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published 218 Common Vulnerabilities and Exposures (CVEs) via ICS-CERT advisories. Nozomi reports that there were 70 affected vendors mentioned in these advisories, with 184 associated products. CVE reporting was down by 61 percent compared to the first half of 2022, while mentioned vendors went up 16 percent and affected products were up 6 percent from the first half of last year.

The Nozomi report said that critical manufacturing continues to be the most vulnerable sector, based on disclosed ICS-CERT vulnerabilities affecting products used in that industry. “Energy remains the second industry most affected by vulnerabilities. Healthcare is still in the top five, however, two new vulnerable industries have emerged: Water & Wastewater and Transportation Systems. This is reflective of the various cyberattacks we have reported on water treatment facilities and rail/transit systems this year,” it added.

Malicious IoT botnet activity remained high and continued to rise in the second half of 2022. Nozomi Networks Labs uncovered growing security concerns as botnets continue to use default credentials in attempts to access IoT devices.

From July to December last year, Nozomi Networks honeypots found attacks spiked in July, October, and December with more than 5,000 unique attacks in each of those months. The top attacker IP addresses were associated with China, the United States, South Korea, and Taiwan. Additionally, ‘root’ and ‘admin’ credentials are still most often used as a way for threat actors to gain initial access and escalate privileges once in the network.

In the second half of 2022, Nozomi reports that attackers continued to target protocols involving hard-coded credentials, with Telnet currently targeted more than SSH (Telnet 70 percent, SSH 30 percent). When it comes to attack source locations, devices in the U.S., China, and South Korea are leveraged by attackers to initiate attacks more than devices in other countries. The top credentials identified are still default credentials, but they now appear with double or triple the previous frequency, indicating that additional botnets are attempting to gain access.

The honeypots also identified significant spikes in the number of unique IPs targeting OT/IoT in July, October, and November, while malicious IP addresses attempted to access Nozomi IoT honeypots, with the top entry associated 

Nozomi expects the 2023 cyber threat landscape to be marked with continued complexity and sophistication as attackers evolve their strategies for exploiting vulnerable systems and networks. “Critical infrastructure organizations should prioritize proactive defense strategies to include network segmentation, asset discovery, vulnerability management, patching, logging, endpoint detection, and threat intelligence to protect against potential threats. Organizations should proactively safeguard their systems now, so they can be in a better position to combat cyber threats that may arise in 2023,” the report added.

Some of the key cybersecurity trends that Nozomi expects to see in 2023 include hybrid threat tactics: it will become increasingly difficult to categorize threat groups based on the TTPs and motives that have aided attribution efforts in the past. Another is quantum threats and preparation: as hackers use the ‘store now, decrypt later’ (SNDL) technique in anticipation of quantum decryption, governments are taking steps to prepare against this future threat.

The report also listed medical device exploits with many medical devices susceptible to cyberattacks since the legacy systems they are using are no longer being manufactured and/or the software is no longer supported. Threat actors use scanners and other types of tools to identify and exploit vulnerabilities in these devices and perform manipulative tactics or even launch cyberattacks.

Nozomi also sees cyber insurance at an inflection point. Cyber insurance is an important part of a comprehensive cybersecurity strategy. However, cybercriminals are conducting reconnaissance on cyber insurance claims policies and tailoring their ransom demands to match the amount of a cyber insurance payout. This could either cause premiums to increase significantly, or even dry up cyber insurance resources, making it more difficult to file serious claims and receive payouts.

“Cyber insurance is not a cure for cyberattacks, in fact, it could motivate cybercriminals,” Nozomi stated. “Companies should invest in cyber prevention, protection, and remediation as a first line of defense.”

Nozomi also flagged AI-driven chatbots used for malicious purposes in its report. As these systems become more sophisticated, malicious threat actors could use them to write malicious code or develop exploits for vulnerabilities. This could reduce the time it takes to develop targeted threat campaigns, increasing the frequency of cyberattacks.

Lastly, Nozomi reports that cybersecurity professionals will need to learn new skill sets. As the threat landscape changes, organizations will need highly skilled cyber professionals and more advanced cybersecurity solutions to defend against an increasingly sophisticated range of attacks. Cybersecurity professionals need to be able to adapt quickly as new threats emerge and to find new ways to defend their environments.
