Ransomware Trained on Manufacturing Firms Led Cyberattacks in Industrial Sector

Published: 23/11/2024   Category: security




Meanwhile, a few alarming infiltrations of OT networks by previously unknown threat groups occurred last year as well.



As industrial network operators and their security teams operate on high alert over worries of potential disruptive attacks by Russian nation-state-controlled hacking teams amid the escalating crisis in Ukraine and US sanctions on Russia, the reality for most of them has been a painful surge in ransomware attacks over the past year.
Real-world incident response investigations in 2021 by teams at Dragos and IBM X-Force overwhelmingly revealed that the hottest operational technology (OT) target is the manufacturing sector, and the main weapon attacking these organizations is now ransomware. Two ransomware groups, Conti and LockBit 2.0, executed more than half of all ransomware attacks on the industrial sector, 70% of which were aimed at manufacturing firms – making manufacturing the No. 1 OT industry hit with ransomware last year, according to a newly published report from Dragos.
While Colonial Pipeline's and JBS's ransomware attacks were the most high-profile in that sector, there were others that didn't go public. "A significant number of cases go unreported ... there are a lot that just don't make the news," says Rob Lee, founder and CEO of Dragos, which responded to 211 ransomware attack cases at manufacturing firms last year.
This dubious distinction for the manufacturing industry should come as no surprise: Over the past two years the sector increasingly has been in the bullseye of cyberattacks, especially as ransomware gangs have begun to take advantage of the increased pressure on manufacturers during the pandemic.
"They are always targeting industries or organizations under pressure because pressure leads to better outcomes or payment for them," says Charles DeBeck, senior cyber threat intelligence analyst at IBM Security X-Force. Manufacturing firms generally can't afford downtime, and the pandemic squeezed them even more as supply chains slowed.
According to incident-response (IR) cases investigated by IBM X-Force, more than 60% of incidents at OT firms last year were against manufacturers, and manufacturing surpassed financial services as the most-attacked vertical (23.2%) investigated by X-Force's incident response team last year. Ransomware accounted for 23% of those attacks.
But the relatively good news was that the majority of attacks were on IT networks in the industrial sector, with just a few on their OT networks. "IT networks are well-trodden ground, and a lot of [attackers] know how to [target them]," DeBeck says. "[Direct] OT attacks are not that common."
That's because it takes time for a threat actor to gather intelligence on an OT network and the industrial processes it runs. According to Dragos, it takes about three to four years for a threat group to gather enough intelligence about a victim OT network to wage a significant attack on it. But Lee notes that several of the threat groups Dragos has been tracking during the past five years are well inside that window and could take their attacks to the next disruptive or destructive level.
Last year Dragos also discovered three new threat groups it had not previously encountered in OT. It named them Kostovite, Petrovite, and Erythrite. Both Kostovite and Erythrite had made their way to victims OT networks.
Kostovite focuses on renewable energy targets in North America and Australia. It infiltrated a major operations and maintenance company's OT infrastructure, breaking into the firm by exploiting a zero-day flaw in the Ivanti Pulse Connect Secure VPN for remote access. The firm, which Dragos did not name, maintains and operates SCADA systems for wind and solar farms in the US and Australia. The attackers got into the firm's monitoring and control servers.
"They compromised the O&M firm and pivoted down and got into OT networks of numerous power generation sites and plants across the US and Australia," Lee said during a press briefing on Dragos' report.
To remain under the radar, the hackers used only legitimate, resident tools in the victim network as they stole credentials and then pivoted to some of the firm's clients' OT networks. According to Dragos, Kostovite's M.O. and tactics, techniques, and procedures (TTPs) overlap with those of a Chinese APT dubbed UNC2630 by Mandiant.
But unlike traditional Chinese APT groups, Kostovite had more than intellectual property theft or cyber espionage on its agenda: The attackers were in servers that could turn off some power generation, for example. "It wasn't just getting in to steal IP," Lee said. "Based on our analysis, everything points to long-term access for future disruptive actions."
"This looks as close as we've been in a long time to an adversary that has the intent to do some disruptive actions," Lee explained. Even so, Lee said the O&M firm was quick to react once the attack was detected, and at no time was there real risk to people. The attackers had been inside the O&M firm's network for about a month before Dragos performed its IR engagement.
That was the most alarming case for Dragos, Lee said. "One vendor and multiple power companies across multiple countries could have been at risk," he said.
Erythrite, meanwhile, appears to be a new threat group that goes after Fortune 500 food and beverage, electric, oil and gas, and IT service providers who support the industrial sector, for example, according to Dragos. Some 20% of the Fortune 500 have been attacked so far by the group, including one whose OT network was compromised, Lee said.
"It's consistently trying to get into the IT networks of various industrial firms," he said. Erythrite also uses SEO poisoning – artificially boosting the search engine ranking of websites hosting its malware – for its initial attack vector, and has some similarities to Solarmarker.
A recent Solarmarker campaign spotted by Menlo Security used more than 2,000 unique search terms that lured users to the sites that then dropped malicious PDFs rigged with backdoors.
Dragos also reported on a new group it calls Petrovite, which gathers intel on ICS and OT systems in mining and energy operations in Kazakhstan and Central Asia.
You Can't Secure What You Can't See
A still common theme dogging industrial organizations – and really many organizations in every sector – is the inability to get a full and clear picture of their networked systems and possible open and vulnerable ports of entry to the bad guys. Some 86% of organizations Dragos assisted had little or no visibility into their OT environments, according to its report. Among their risk factors were poor network segmentation (77% of the organizations), outside connections to their ICS systems (70% of the organizations), and shared credentials between IT and OT systems (44% of the organizations).
Many of these organizations believe they have properly segmented their OT and IT networks and that they don't have unknown networked connections, according to Dragos. "But they [do and] are, and ransomware attackers take advantage of that quickly, for example," Lee said.
IBM X-Force detected a major spike in Internet scanning of TCP Port 502 connections – an increase of 2,204% – between January 2021 and September 2021. That's the port used by Modbus, the industrial communications protocol between buses, networks, and programmable logic controllers.
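The two findings above, the IT/OT segmentation gaps Dragos lists and the jump in scanning for TCP port 502 that X-Force measured, are both things a defender can check against their own firewall flow logs. The following is an added example (not code from the article, Dragos, or IBM X-Force): it parses a small, constructed flow log, counts inbound Modbus probes from non-internal sources per month to compute the kind of percentage increase X-Force reported, and separately flags Modbus traffic that was allowed into the OT zone from a source that is not on the engineering-station allowlist. The log format, the zone addresses (10.1.0.0/16 as IT, 10.20.0.0/16 as OT) and the allowlist are assumptions made for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample firewall flow log (not from the article or either report).
# Format assumed for the example: "<ISO timestamp> <src> <dst> <dst_port> <action>".
# Public sources use RFC 5737 documentation ranges; 198.51.100.20 is the internet-facing
# address, 10.1.0.0/16 is the IT zone and 10.20.0.0/16 the OT zone.
SAMPLE_FLOWS = """\
2021-01-04T03:12:09Z 203.0.113.7 198.51.100.20 502 deny
2021-01-19T22:41:51Z 203.0.113.9 198.51.100.20 502 deny
2021-01-19T22:41:52Z 203.0.113.9 198.51.100.20 443 deny
2021-09-01T00:10:00Z 192.0.2.10 198.51.100.20 502 deny
2021-09-01T00:10:01Z 192.0.2.11 198.51.100.20 502 deny
2021-09-02T05:33:10Z 192.0.2.12 198.51.100.20 502 deny
2021-09-03T11:20:45Z 203.0.113.7 198.51.100.20 502 deny
2021-09-07T18:00:00Z 203.0.113.44 198.51.100.20 502 deny
2021-09-09T09:09:09Z 192.0.2.13 198.51.100.20 502 deny
2021-09-12T14:02:02Z 203.0.113.45 198.51.100.20 502 deny
2021-09-15T21:45:30Z 192.0.2.14 198.51.100.20 502 deny
2021-09-21T07:07:07Z 203.0.113.46 198.51.100.20 502 deny
2021-09-28T23:59:59Z 192.0.2.15 198.51.100.20 502 deny
2021-09-28T10:00:00Z 10.20.0.5 10.20.0.15 502 allow
2021-09-28T10:00:05Z 10.1.5.23 10.20.0.15 502 allow
2021-09-28T10:00:09Z 10.1.5.23 10.20.0.16 502 allow
"""

MODBUS_PORT = 502
# Anything outside these ranges is treated as an external (Internet) source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")
# Assumption for the example: one OT engineering station may speak Modbus to the PLCs.
MODBUS_ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.5/32")]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    action: str


def parse_flows(text):
    """Parse the whitespace-separated flow log into Flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), action))
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def external_modbus_probes_by_month(flows):
    """Count inbound TCP/502 connection attempts from non-internal sources, keyed by YYYY-MM."""
    counts = Counter()
    for f in flows:
        if f.dport == MODBUS_PORT and not is_internal(f.src):
            counts[f.ts[:7]] += 1
    return counts


def percent_increase(counts, baseline_month, current_month):
    """Percentage change in probe volume between two months; None when there is no baseline."""
    base = counts.get(baseline_month, 0)
    cur = counts.get(current_month, 0)
    if base == 0:
        return None
    return (cur - base) / base * 100.0


def segmentation_violations(flows):
    """Modbus flows that the firewall allowed into the OT zone from a source not on the allowlist.
    These are the 'unknown connections' between IT and OT that the report says most operators miss."""
    return [
        f for f in flows
        if f.dport == MODBUS_PORT and f.dst in OT_ZONE and f.action == "allow"
        and not any(f.src in net for net in MODBUS_ALLOWED_SOURCES)
    ]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    by_month = external_modbus_probes_by_month(flows)
    print("external TCP/502 probes per month:", dict(by_month))
    print("Jan->Sep increase: %.0f%%" % percent_increase(by_month, "2021-01", "2021-09"))
    for f in segmentation_violations(flows):
        print("Modbus into OT zone from non-allowlisted source:", f.src, "->", f.dst, "at", f.ts)
```

On the sample data the external probe count goes from 2 in January to 10 in September (a 400% increase), and the two allowed flows from the IT workstation 10.1.5.23 to PLCs in the OT zone are reported as segmentation violations while the engineering station's traffic is not. Against real logs the same two functions are the basis for a simple monthly trend alert on port 502 and for an inventory of every IT-to-OT path the firewall is actually permitting.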
"You need to make sure your OT devices are locked down," IBM X-Force's DeBeck says. "Threat actors are out there looking for them," he says.
That means testing the security around those devices, he says, including conducting penetration tests to try to stay ahead of attackers.
