Opportunistic threat actors have attacked industrial sites and other entities that use operational technology in recent years, via commonly available tools and relatively unsophisticated techniques, according to a report from Mandiant Threat Intelligence released Tuesday.
The attacks have targeted internet-exposed OT providers that range from water control systems to solar energy panels as well as building automation systems. The compromises most often have exploited remote access technologies, including virtual network computing links or graphical user interfaces, such as human-machine interfaces.
The threat actors, some of whom claim to be white hat activists, have often displayed visual evidence of their attacks, such as IP addresses, GUIs, videos or timestamps.
Mandiant researchers have been monitoring threats targeting OT since 2012, but in the last two years, threat patterns began to change. It's more common to see early stage threat actors poke around an industrial system, and, in a growing number of cases, they try to change industrial processes that could pose a real danger.
"Even though [the threat actors] don't know what they're doing, they could potentially cause physical damage in the real world," said Nathan Brubaker, senior manager of analysis at Mandiant Threat Intelligence Center. "So they could — this is a very rare situation, but theoretically kill people."
In one example, hackers displayed visual evidence of dozens of compromised industrial systems located in North America, Western and Central Europe and East Asia. The evidence includes low-quality mobile phone video that shows them interacting with a Dutch-language temperature control system.
There are a few mitigation steps that can help harden an industrial system against such attacks, according to Mandiant researchers:
Remove OT assets from public facing networks whenever possible. If remote access is required, use access controls and monitor traffic for unusual activity.
Apply network hardening techniques to remotely accessible and edge devices: for example, change default credentials, create whitelists for access, disable unused services and review asset configurations.
Check whether assets are discoverable using online scanning systems like Shodan or Censys.
HMIs and other control systems can be configured to enforce certain range limitations and prevent hazardous variable states.
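The last two hardening points above, an access whitelist for writes and range limits that keep process variables out of hazardous states, can be enforced in software in front of a controller. The following Python is an added example written for this article, not code from Mandiant or from any HMI vendor; the tag names, limits, subnet and sample write requests are all constructed for a hypothetical temperature-control loop. It goes slightly beyond the text by also bounding how far a single write may move a setpoint, and it returns an audit record for every request so that rejected writes can be alerted on.

```python
"""Guard layer for HMI setpoint writes: source allowlist, per-tag range limits
and a maximum step per write. Added example; not code from the original article."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TagLimits:
    """Engineering limits for one writable process variable (constructed values)."""
    low: float        # lowest value the process may safely take
    high: float       # highest value the process may safely take
    max_step: float   # largest change one write may request relative to the live value


# Constructed limits for a hypothetical temperature-control loop.
TAG_LIMITS: Dict[str, TagLimits] = {
    "boiler_setpoint_c": TagLimits(low=40.0, high=85.0, max_step=5.0),
    "pump_speed_pct": TagLimits(low=0.0, high=100.0, max_step=20.0),
}

# Constructed access allowlist: only the engineering workstation subnet may write.
WRITE_ALLOWLIST = [ipaddress.ip_network("10.20.5.0/24")]


def source_allowed(src_ip: str) -> bool:
    """True when the request originates from an allowlisted network."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in WRITE_ALLOWLIST)


def validate_write(src_ip: str, tag: str, requested: float, live: float) -> Tuple[bool, str]:
    """Decide whether a setpoint write may reach the controller.

    Returns (accepted, reason). The source check runs first so a rejected
    host learns nothing about tag names or limits.
    """
    if not source_allowed(src_ip):
        return False, "source not allowlisted"
    limits = TAG_LIMITS.get(tag)
    if limits is None:
        return False, "unknown tag"
    if not (limits.low <= requested <= limits.high):
        return False, f"value {requested} outside [{limits.low}, {limits.high}]"
    if abs(requested - live) > limits.max_step:
        return False, f"step {abs(requested - live):.1f} exceeds max_step {limits.max_step}"
    return True, "accepted"


def process_requests(requests: List[Tuple[str, str, float]], live: Dict[str, float]) -> List[dict]:
    """Apply a batch of write requests in order, updating live values on success.

    Each returned dict is an audit record; rejected writes are the events a
    defender would forward to monitoring.
    """
    audit = []
    for src_ip, tag, value in requests:
        accepted, reason = validate_write(src_ip, tag, value, live.get(tag, 0.0))
        if accepted:
            live[tag] = value
        audit.append({"src": src_ip, "tag": tag, "value": value,
                      "accepted": accepted, "reason": reason})
    return audit


# Constructed sample traffic: one legitimate operator adjustment followed by
# writes of the kind a remote intruder on an exposed HMI might attempt.
SAMPLE_REQUESTS = [
    ("10.20.5.14", "boiler_setpoint_c", 72.0),   # operator nudges setpoint from 70 to 72
    ("10.20.5.14", "boiler_setpoint_c", 95.0),   # out of range even from a trusted host
    ("10.20.5.14", "pump_speed_pct", 0.0),       # 55 -> 0 is too large a single step
    ("203.0.113.7", "boiler_setpoint_c", 60.0),  # documentation-range address, not allowlisted
    ("10.20.5.14", "valve_override", 1.0),       # tag not in the limits table
]
SAMPLE_LIVE = {"boiler_setpoint_c": 70.0, "pump_speed_pct": 55.0}

if __name__ == "__main__":
    for rec in process_requests(SAMPLE_REQUESTS, dict(SAMPLE_LIVE)):
        flag = "ACCEPT" if rec["accepted"] else "REJECT"
        print(f"{flag:6} {rec['src']:13} {rec['tag']:18} {rec['value']:6} {rec['reason']}")
```

Running the script prints one line per request: only the first write is accepted, and each rejection carries the reason a monitoring pipeline would want. The step limit is the part that matters most against an opportunistic intruder, since a single large jump from an otherwise in-range value is exactly the kind of change that an unfamiliar operator of someone else's GUI tends to make.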
U.S. officials and security researchers have been concerned about the vulnerability of the aging infrastructure, as illustrated by the hack of the water treatment facility in Oldsmar, Florida in February. During that incident, unidentified threat actors gained remote access and attempted to poison the water supply after hacking into the plant's supervisory control and data acquisition system through TeamViewer software.
"There really is no such thing as a hacker who doesn't have advanced powerful techniques at their disposal, even if they are broke teens in their parents' basement," said Jeff Hussey, co-founder, president and CEO at Tempered Networks. "The level of tools in the public domain and shared on message boards gives these people the capabilities that only the most well funded attackers had a decade ago, from scanners and password cracking tools to ransomware apps and botnet code."
Operators of critical infrastructure have worked with federal officials to protect various assets against cyber intrusions.
The Department of Energy last year announced $12 million in three-year cooperative agreements with the American Public Power Association (APPA) and the National Rural Electric Cooperative Association to enhance cyber and physical security at distribution and municipal utilities.
The agreements were designed to boost threat detection, community-led information sharing, the use of AI to reduce false positives and advanced analytics to specify points of compromise.
While APPA does not officially track which utilities have been targeted, the association has heard from a number of utilities that have been hit by ransomware attacks on their IT systems as opposed to their OT networks, according to Alex Hofmann, VP of technical and operations services at APPA.
Asked about the most prevalent techniques used to access these networks, Hofmann said that publicly commenting on methods used to access these systems was not something the organization was eager to do.
"That being said, oftentimes the greatest danger lies in human choice/social engineering," Hofmann said. "Spear phishing attacks are getting increasingly sophisticated, so utilities continuously train their employees to be in a state of vigilance when it comes to casting a suspicious eye on all incoming email messages."