Mandiant reveals that multifaceted extortion leaks represent a risk to critical OT data

Researchers from cybersecurity firm Mandiant analyzed a semi-random selection of samples from industries that typically leverage operational technology (OT) systems for production, in order to gauge the extent to which multifaceted extortion leaks represent a risk to these environments. They also revealed that one out of every seven leaks from industrial organizations posted in ransomware extortion sites is likely to expose sensitive OT documentation. 

“Access to this type of data can enable threat actors to learn about an industrial environment, identify paths of least resistance, and engineer cyber physical attacks,” Mandiant researchers wrote in a company blog post. “On top of this, other data also included in the leaks about employees, processes, projects, etc. can provide an actor with a very accurate picture of the target’s culture, plans, and operations,” they added.

Using various technical and human resources, Mandiant downloaded and parsed through many terabytes of dump data and found a substantial amount of sensitive OT documentation. “This included network and engineering diagrams, images of operator panels, information on third-party services, and more. We note that our analysis of each dump was limited due to the scale of our dataset and that a more targeted examination of a handful of dumps would probably uncover more documentation per organization,” they added.

In 2021, Mandiant data identified over 3,000 extortion leaks released by ransomware operators. “Around 1,300 of these leaks were from organizations in industrial sectors that are likely to use OT systems, such as energy and water utilities, or manufacturing,” according to the researchers. 

“We selected and retrieved a couple hundred of these samples by skimming through readily available file listings or other indicators of interest such as comments from the actor, or the targets’ subindustry. In many cases, we were not able to acquire or access data from a leak because of timing or errors in the shared files; in these cases, we discarded the leak,” they added.

After initial triage, Mandiant collected and manually analyzed approximately 70 leaks using custom and publicly available tools. “We found that one out of every seven leaks contained at least some useful OT information, while the rest contained data related to employees, finances, customers, legal documentation, among other things. Mandiant did not further analyze those files, though we note they remain available to threat actors for other purposes,” according to the researchers.

Ransomware extortion leaks are mostly shared on a variety of hacker-operated sites on the dark web, Mandiant said. Although each hacker operates differently, advertisements for incoming leaks are typically posted in hacker forums or on social media. Anyone with access to a Tor browser can visit the sites and download available dumps.

The research added that downloading a single extortion leak is very simple but collecting multiple samples from different leaks is quite complex given the enormous volume of available data. The ability to download each of these leaks depends on multiple factors such as the infrastructure from the attacker and the downloader, the time during which the data is exposed, the number of users acquiring the file, and the quality of the file itself. Acquiring each dump may require multiple hours and sometimes days. The dumps can often fill entire hard drives or virtual machines.

In early 2020, Mandiant observed media claims indicating ransomware leaks exposed aerospace manufacturing designs and third-party technical documentation from an electric utility. 

“A year later, an actor reshared a 2.3 GB Doppelpaymer extortion leak from a major Latin American oil and gas organization in an underground forum, claiming it contained OT information, the researchers said. “We analyzed that leak and found a variety of sensitive data including usernames and passwords, IP addresses, remote services, asset tags, original equipment manufacturer (OEM) information, operator panels, network diagrams, etc. All information which a sophisticated threat actor would be hunting for during reconnaissance or what Mandiant’s red teamers would employ to identify attack paths in a target OT network,” it added.

Mandiant has identified at least 10 dumps that contained sensitive OT technical data. “Due to the volume of data in many leaks, we performed only superficial analysis of the dumps, however had we invested additional resources to process our samples further, we would have likely found a significant amount of additional information,” it said.

The researchers noted that most hackers would likely focus their efforts on a smaller number of organizations due to resource limitations or a preexisting interest in a specific target or targets. This would allow the hacker to focus their resources on finding more information on each target, which would be essential for any sophisticated attack.  

Historically, espionage campaigns have helped state-sponsored groups to acquire details about the operations of industrial organizations. “This reconnaissance data has supported different stages of real cyber-physical attacks such as the Ukraine power outages in 2015 and 2016 and the TRITON incident,” according to Mandiant.

The research also revealed that data from extortion leaks may provide sophisticated hackers with information on targets while limiting their exposure to defenders and the cost of operations. Hackers may also select targets based on readily available sensitive data about the victim’s infrastructure, assets, security flaws, and processes.

Attacks that leverage higher levels of cyber-physical reconnaissance data are likely to result in more significant and precise impacts, Mandiant said. Hackers that have limited resources and capabilities will likely have more limited visibility into data from large extortion leaks. However, they can still explore dumps, learn about an organization, satisfy their curiosity, or reshare the contents, it added.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.