Rise in Opportunistic Hacks and Info-Sharing Imperil Industrial Networks

Published: 23/11/2024   Category: security




Security researchers at Mandiant have seen an increasing wave of relatively simplistic attacks involving ICS systems - and attackers sharing their finds with one another - since 2020.



The brazen hijack by an attacker of a water system at the Florida city of Oldsmar's water treatment plant earlier this year was no Stuxnet- or Triton-level breach. But the relative simplicity of the attack, where the intruder appeared to somehow have obtained system credentials to remotely control the settings via the TeamViewer application, epitomizes the typical threat most OT networks today face: mainly rudimentary attacks that exploit industrial control systems (ICSs) inadvertently exposed to the open Internet or that abuse chronically weak or shared credentials.
In many cases, industrial organizations - while arguably a valuable catch - aren't initially targeted by the attacker, and a cyber-physical attack isn't the goal. That trend was underscored this past year, according to researchers at Mandiant's Cyber Physical Intelligence team. They identified a noticeable uptick in OT-related incidents since 2020, with most of the actors not looking to turn off the lights, poison the water, or perform any physical outcome. Their tactics were less-than-sophisticated, too, and often they weren't necessarily even looking for OT targets but instead had stumbled upon these victims.
Mandiant's research, published today, on publicly reported and not-previously-public OT incidents shows a rise in attackers this past year attempting to monetize their access to an exposed ICS system, and a wave of information-sharing by attackers who shared videos and screenshots of industrial systems they were able to access and how they did it - at a level more frequent than Mandiant has seen before.
These incidents have affected solar energy panels and water control systems, as well as building automation systems (BAS) and home security systems. The attackers employed known search tools like Shodan and Censys, and common tactics, techniques and procedures (TTPs).
"These are bad ... but not at the level of Triton," says Nathan Brubaker, senior manager of analysis at Mandiant Threat Intelligence, of the security events and incidents his firm reported on today. Even so, he says, this mix of cybercriminals, hacktivists, and newbies is gaining insight and knowledge on complex ICS environments via increasing information-sharing in the cyber underground.
"There are tutorials that show Shodan and how to pivot around it and find water utilities and then from there click in, and to, that HMI [human machine interface] that's exposed. And if you're not required to authenticate to it, then you can do whatever you want," he says.
Brubaker, who worked on the Mandiant incident response team for the Triton attack, says that worries him.
"These actors are building expertise and willingness [to make] contact with other actors. What if they meet up with a ransomware group and combine forces?" he asks. "That would make ransomware more impactful on OT." That concerns him.
Dragos' Sergio Caltagirone, vice president of threat intelligence at the ICS security firm, called the City of Oldsmar attack "the perfect example" of the type of ICS attack his firm frequently sees. It's not so much the feared, sophisticated ICS custom-malware type of attack by more well-resourced nation-state hackers, but threat actors breaking in via unknown ports left wide open on the public Internet, or weak or compromised credentials.
"A network that is unprepared and indefensible, but by an organization doing their best but that's chronically under-resourced and under-funded to protect itself ... it's a confluence of [more adversaries] going after ICS networks and a failure of these networks to operate the most basic security practices," Caltagirone says.
"Once they find that ajar - or unlocked - door, they often can make their way through the network, and they can push buttons," he says.
Dragos earlier this year published its annual report on the ICS threat and attack trends its researchers and incident responders saw: in all of the incident-response cases it worked on, the attackers gained access to the victim's ICS network via the Internet, and shared IT and OT credentials were used to move laterally in the network.
Mandiant researchers found the low-sophistication compromises typically exploit remote access services, including virtual network connections that are not secured properly. HMIs, typically with user-friendly graphical user interfaces, give an unseasoned OT hacker a handy view of industrial processes. In one incident the team saw, an attacker shared images and video (in Dutch) of his tampering with a temperature control system he had gained access to; he boasted of having hacked into dozens of control systems in North America, Europe, and East Asia.
Some of the threat actors Mandiant has observed appear to be hacktivists. Israeli OT networks were most commonly found as victims in posts they saw, including a solar energy firm and a data-logger for mining exploration and dam surveillance. One incident involved the access of the building automation system at a major international hotel chain location in Australia.
But they also saw a few cases of green threat actors who didn't know what they had compromised: one group mistakenly claimed to have hacked a German-language rail control system, but the screenshot they posted was actually the Web interface for a model train set, the researchers discovered. Other attackers bragged that they had compromised an Israeli gas system in retaliation for the recent explosion at an Iranian missile facility, but their video revealed they had actually hacked an Israeli restaurant's kitchen ventilation system.
Attackers claiming to have hacked an Israeli gas system had actually compromised this Israeli restaurant's kitchen ventilation system. Source: Mandiant
Pipeline Regs On the Horizon
The US federal government, meantime, is about to double down on protecting critical infrastructure with some new rules. The Washington Post reported today that the US Department of Homeland Security (DHS) is moving forward with a plan to regulate cybersecurity for the pipeline industry for the first time in the wake of the ransomware attack on Colonial Pipeline. The company shut down its pipeline for 11 days this month in response to the ransomware attack on its IT systems, ultimately paying the attackers $4.4 million to decrypt its locked-down systems. Colonial Pipeline's shutdown led to gasoline shortages in some areas, as well as panic-buying in parts of the southeastern US. The FBI has linked the ransomware-as-a-service (RaaS) group DarkSide to the attack.
DHS's Transportation Security Administration (TSA) this week is expected to issue a security directive that requires pipeline companies to report cyberattacks to the feds and to assess and remediate their security postures, according to The Washington Post report.
The Colonial Pipeline ransomware attack provided a hint at what critical infrastructure disruption could look like, and more ransomware threats loom on the horizon for utilities. A rapidly evolving ransomware family called JSWorm now appears to be targeting critical infrastructure organizations around the globe, according to researchers at Kaspersky. Some 41% of JSWorm attacks hit engineering and manufacturing firms, followed by energy and utilities (10%), finance (10%), professional and consumer services (10%), transportation (7%), and healthcare (7%).
The JSWorm gang in two years has created more than eight different faces of its malware, which previously has been known by its Nemty, Milihpen, and Gangbang variants. The group behind it, initially operating under a ransomware-as-a-service model, last year shut down that operation and launched targeted campaigns against high-profile targets, demanding large ransom payments, the researchers found.
OT Defense
Keeping OT systems off the public Internet is key: Mandiant recommends locking down remote access, monitoring traffic for any nefarious activity, and disabling any network or other services not in use, as well as changing any default credentials, whitelisting access, and reviewing device and other system configurations. HMIs and ICS systems should be set to enforce specific ranges of input such that they prevent dangerous physical outcomes, and organizations should ensure none of their equipment is discoverable by Shodan and Censys tools, Mandiant advises in its report.
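One way to implement the input-range enforcement Mandiant recommends for HMI setpoint writes, as an added example that is not code from the article or from Mandiant's report: a guard between the remote session and the controller that rejects writes outside a safe band, rejects jumps larger than one step, refuses tags not on its allow list, and records every attempt for review. The tag name, limits and operator names are constructed for illustration.

```python
"""Input-range enforcement for HMI setpoint writes (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SetpointLimits:
    low: float       # lowest value the process may safely be driven to
    high: float      # highest safe value
    max_step: float  # largest change allowed in a single write


@dataclass
class SetpointGuard:
    """Sits between the HMI/remote session and the controller write path."""
    limits: dict            # tag name -> SetpointLimits (the allow list)
    current: dict           # tag name -> value currently in the controller
    audit: list = field(default_factory=list)

    def write(self, tag, value, operator):
        """Return (accepted, reason); only accepted writes reach the controller."""
        if tag not in self.limits:
            return self._log(tag, value, operator, False, "unknown tag")
        lim = self.limits[tag]
        if not (lim.low <= value <= lim.high):
            return self._log(tag, value, operator, False,
                             f"out of range [{lim.low}, {lim.high}]")
        if abs(value - self.current[tag]) > lim.max_step:
            return self._log(tag, value, operator, False,
                             f"step larger than {lim.max_step}")
        self.current[tag] = value
        return self._log(tag, value, operator, True, "accepted")

    def _log(self, tag, value, operator, ok, reason):
        # Every attempt, accepted or rejected, is recorded for later review.
        self.audit.append({"tag": tag, "value": value, "operator": operator,
                           "accepted": ok, "reason": reason})
        return ok, reason


def demo():
    # Constructed limits for a hypothetical dosing setpoint (not real plant data).
    guard = SetpointGuard(
        limits={"dosing_rate_sp": SetpointLimits(low=0.0, high=10.0, max_step=2.0)},
        current={"dosing_rate_sp": 4.0},
    )
    results = [
        guard.write("dosing_rate_sp", 5.0, "operator_a"),   # small change, in range
        guard.write("dosing_rate_sp", 50.0, "remote_xyz"),  # far outside the safe band
        guard.write("dosing_rate_sp", 9.0, "remote_xyz"),   # in range, but a jump of 4
        guard.write("pump_speed_sp", 1.0, "remote_xyz"),    # tag not on the allow list
    ]
    return guard, results
```

The rejected entries in `guard.audit` are the signal worth alerting on: repeated out-of-range or unknown-tag writes from one remote session are exactly the low-sophistication tampering the article describes.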
