Unsophisticated threat actors — in many cases motivated by financial gain — have increasingly targeted internet-exposed operational technology (OT) systems, according to research conducted by Mandiant, FireEye’s threat intelligence and incident response unit.
There are a handful of public reports of attacks on industrial control systems (ICS) causing significant physical damage or disruption. These attacks are typically launched by sophisticated and well-funded threat groups.
While OT systems used for critical processes are often kept off the internet, many industrial systems are internet-connected, and Mandiant says these exposed systems are increasingly being targeted by hackers who are in most cases neither sophisticated nor well resourced.
“The most common activity we observe involves actors trying to make money off exposed OT systems, but we also see actors simply sharing knowledge and expertise,” Mandiant researchers said. “More recently, we have observed more low sophistication threat activity leveraging broadly known tactics, techniques, and procedures (TTPs), and commodity tools to access, interact with, or gather information from internet exposed assets—something we had seen very little of in the past.”
Since the beginning of 2020, Mandiant says it has observed what it described as “low sophistication threat activity” targeting a wide range of systems, including solar energy, water control, building automation, and home security systems.
In some cases, the hackers offered tutorials for compromising OT systems or shared IP addresses allegedly associated with ICS, but in others they gained access — or at least claimed to do so — to actual control systems and apparently even interacted with them.
Unsophisticated threat actors often gain access through unprotected remote access services such as VNC connections, and in many cases they target human-machine interfaces (HMIs), which Mandiant describes as low-hanging fruit in OT attacks because they present a simplified, graphical view of complex industrial processes and can often be manipulated without deep process knowledge.
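As an added illustration (this code is mine, not Mandiant's, and the handshakes it parses are constructed samples rather than captures from any real system), the following Python parses the opening of the RFB (VNC) handshake and flags servers that advertise security type "None", i.e. ones that will show an HMI to any viewer without a password. That is precisely the exposure described above, and it is the first thing a defender should check on every HMI reachable over VNC. The `assess_live` helper performs the same handshake against a real host; it is not used in the offline demo.

```python
"""Classify VNC (RFB) servers by the authentication they offer.

Added example, not from Mandiant's report. Given the first bytes a server
sends during the RFB handshake, report whether it accepts a client with no
authentication at all (security type None).
"""
import re
import socket
import struct

# Security-type identifiers defined by the RFB protocol specification.
SEC_INVALID, SEC_NONE, SEC_VNC_AUTH = 0, 1, 2
SEC_NAMES = {SEC_NONE: "None", SEC_VNC_AUTH: "VNC Authentication",
             5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}

VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_version(banner: bytes):
    """Parse the 12-byte ProtocolVersion banner, e.g. b'RFB 003.008\\n'."""
    m = VERSION_RE.match(banner)
    if not m:
        raise ValueError(f"not an RFB banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def parse_security_types(major, minor, payload: bytes):
    """Return the list of security types the server offers.

    RFB 3.3: the server chooses one type and sends it as a 4-byte
    big-endian integer (0 means the connection failed).
    RFB 3.7/3.8: the server sends a 1-byte count followed by that many
    type bytes; a count of 0 means failure, followed by a reason string.
    """
    if (major, minor) == (3, 3):
        if len(payload) < 4:
            raise ValueError("short RFB 3.3 security message")
        (sec,) = struct.unpack(">I", payload[:4])
        return [] if sec == SEC_INVALID else [sec]
    count = payload[0]
    if count == 0:
        (rlen,) = struct.unpack(">I", payload[1:5])
        reason = payload[5:5 + rlen].decode("latin-1", "replace")
        raise ValueError(f"server refused connection: {reason}")
    types = list(payload[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types


def assess(banner: bytes, security_payload: bytes):
    """Summarise one handshake: version, offered types, and whether
    the server can be used with no authentication at all."""
    major, minor = parse_version(banner)
    types = parse_security_types(major, minor, security_payload)
    return {
        "version": f"{major}.{minor}",
        "types": [SEC_NAMES.get(t, f"unknown({t})") for t in types],
        "unauthenticated": SEC_NONE in types,
    }


def assess_live(host, port=5900, timeout=3.0):
    """Run the real handshake against a host (network; not used offline).
    The client echoes the server's version, capped at 3.8, so the server
    proceeds to the security-type message without negotiating further."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        major, minor = parse_version(banner)
        s.sendall(b"RFB %03d.%03d\n" % (major, min(minor, 8)))
        return assess(banner, s.recv(256))


def triage(samples):
    """Assess many handshakes; a refused or malformed handshake becomes
    an 'error' entry instead of aborting the whole inventory."""
    results = {}
    for host, (banner, payload) in samples.items():
        try:
            results[host] = assess(banner, payload)
        except ValueError as exc:
            results[host] = {"error": str(exc)}
    return results


# Constructed sample handshakes (hypothetical hosts, not real captures).
SAMPLES = {
    "hmi-a": (b"RFB 003.008\n", b"\x02\x01\x02"),        # offers None and VNC auth
    "hmi-b": (b"RFB 003.008\n", b"\x01\x02"),            # VNC auth only
    "hmi-c": (b"RFB 003.003\n", b"\x00\x00\x00\x01"),    # 3.3 server, None selected
    "hmi-d": (b"RFB 003.008\n", b"\x00\x00\x00\x00\x08Too many"),  # refused
}

if __name__ == "__main__":
    for host, finding in triage(SAMPLES).items():
        print(host, finding)
```

In this sample inventory, hmi-a and hmi-c would be reachable by anyone on the internet with a stock VNC viewer; hmi-b at least demands a password (and VNC Authentication itself is weak, so it should sit behind a VPN or jump host regardless). In practice the `unauthenticated` flag is what to alert on, and the remediation is to take the HMI off the public network rather than to tune the VNC settings.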
“While much of this type of activity appears opportunistic in nature, some may also be driven by political motivations. For example, we have seen hacktivist groups that frequently use anti-Israel/pro-Palestine rhetoric in social media posts share images indicating that they had compromised OT assets in Israel, including a solar energy asset and the webserver of a datalogger used for different applications such as mining exploration and dam surveillance,” Mandiant said.
The claims of some of these hackers demonstrate a limited understanding of OT systems. For instance, one threat actor claimed to have hacked a German rail control system, but they actually compromised a web interface for a model train set. Others claimed to have hacked an Israeli “gas system” that turned out to be a ventilation system in the kitchen of an Israeli restaurant.
While these incidents may not appear to pose a significant risk to organizations or critical infrastructure, Mandiant warned that low sophistication attacks are concerning for several reasons. For instance, they help threat actors learn more about OT systems, enabling them to enhance their capabilities. Additionally, publicizing these attacks can encourage other hackers to target ICS.
Finally, Mandiant noted, “Even low-sophistication intrusions into OT environments carry the risk of disruption to physical processes, mainly in the case of industries or organizations with less mature security practices. As the number of intrusions increases, so does the risk of process disruption.”