
One in Seven Ransomware Attacks on Critical Infrastructure and Industrial Systems Expose Sensitive OT Information

The Mandiant Threat Intelligence team analyzed data posted in ransomware extortion sites and discovered that ransomware attacks exposed sensitive OT information of victimized companies that depend on this technology for production.

According to the researchers, access to this type of data could allow attackers to create an accurate picture of the target’s culture, plans, and operations and craft successful attacks.

Out of 3,000 data leaks originating from ransomware attacks, the study identified at least 1,300 exposures from critical infrastructure and industrial production organizations that use OT technology.

The study was part of Mandiant’s attempt to determine the extent to which “Multifaceted Extortion” events posed risks to operational technology.

Leaked OT information may enable ransomware attacks and cyber espionage

Mandiant’s team discovered that one out of every seven leaks from industrial organizations posted on ransomware extortion and shaming sites is likely to expose sensitive OT documentation.

The exposed OT information included network and engineering diagrams, images of operator panels, information on third-party services, and more. Additionally, exposed data also included leaks about employees, processes, projects, and other information.

The researchers warned that attackers could use this access to learn about an industrial environment, identify paths of least resistance, and engineer cyber-physical attacks.

According to Mandiant, ransomware attacks reported in 2020 exposed aerospace manufacturing designs and third-party technical documentation on an electric utility. Similarly, data stolen from a Latin American oil and gas organization exposed OT information.

Mandiant found that the stolen information included usernames and passwords, IP addresses, remote services, asset tags, original equipment manufacturer (OEM) information, operator panels, network diagrams, and more.

The researchers isolated a couple of hundred samples and manually analyzed 70 leaks and found at least 10 data dumps containing technically sensitive OT information.

Some dumps included OEM credentials, engineering documentation for a control systems integrator, product diagrams, source code for a satellite vehicle tracking service provider, and maintenance legal agreements for a renewable energy producer with access to third parties’ SCADA systems through public IP addresses.

“We found that one out of every seven leaks contained at least some useful OT information, while the rest contained data related to employees, finances, customers, legal documentation, among other things,” they said.

The researchers suggested that had they allocated more resources to analyze more data dumps, they would find more leaked OT information.

Additionally, the leaks did not expose just trivial OT information. The exposed OT data was what “a sophisticated threat actor would be hunting for during reconnaissance or what Mandiant’s red teamers would employ to identify attack paths in a target OT network.”

The researchers raised concerns about a “well-resourced actor” hunting for the data and learning about specific targets. The problem is compounded by the fact that “anyone with access to a Tor browser” can access the data that is usually advertised on underground forums and social media.

Leaked OT information could assist state-sponsored attackers in cyber espionage campaigns against critical infrastructure organizations

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) have listed OT as a possible route for Russian state-sponsored attacks.

“In some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware,” they warned.

Similarly, advanced persistent threat actors (APTs) could use this information to execute ransomware attacks.

“The reality of today’s enterprises is that data is everywhere,” said Sam Jones, VP of Product Management at Stellar Cyber. “It is on the computer, it is in SaaS apps, it is in homegrown apps, and it is likely now on employee personal computing assets. Unless a holistic data protection plan is in place, and an enterprise is detecting across all forms of the attack surface, this will likely be a worsening problem for most enterprises.”

“The IT/OT barrier is more a logical separation than an actual one,” said Saumitra Das, CTO and Cofounder at Blue Hexagon. “Attacks typically start on the IT side and propagate into OT because of improper network segmentation and privilege limitations.”

“In light of this report, focusing on the IT/OT boundary and protecting access to the OT networks is critical because defending against a threat once inside the OT network is much harder. Attackers can not only use IT network compromise to laterally move to OT but can now obtain detailed information and diagrams so they can plan their attack into the OT side.”

Sanjay Raja, VP of Products and Solutions at Gurucul, said that ransomware attacks aren’t usually single and conclusive events.

“While ransomware is seemingly focused on getting paid to unlock your sensitive data, threat actors often return multiple times once they are successful at an attack, knowing the victim has paid once,” Raja said. “We also knew they often replicate the data for themselves for sale even as they lock organizations out of their own data.”

He added that cybercriminals find ways to extort their victims after ransomware attacks by posting already stolen data.

“It feels like a never-ending cycle for targeted organizations. This reinforces the need to evaluate newer and more advanced technologies beyond current XDR and SIEM platforms as part of ongoing threat detection and response initiatives within security operations to prevent a successful detonation of ransomware.”

Raja recommended investing in solutions that automate threat detection and prioritize random indicators of compromise.

“Automating responses with a high level of confidence and low impact are critical in deciding where to invest,” he concluded.