- Threat actors divulged sensitive data from operational technology (OT) environments in one in seven leaks targeting industrial organizations, according to Mandiant researchers.
- Mandiant researchers identified more than 3,000 extortion leaks in 2021. About 1,300 of the leaks came from industrial organizations that were likely to use OT environments, including manufacturing plants, water companies and energy facilities.
- Leaked data includes password administration credentials from a maker of industrial and passenger trains, a hydroelectric power producer's list of user privileges and passwords, and source code from a provider of satellite vehicle tracking systems.
The report highlights the risks critical infrastructure and production facilities face against sophisticated threat actors. Sensitive information that is essential to running these facilities safely is frequently exposed on the dark web and threatens the stability of key industrial sites.
"Ransomware operators often advertise their victims and subsequent victims' data dumps as part of their multifaceted extortion scheme," Nathan Brubaker, director, Mandiant Threat Intelligence, said via email.
By posting sensitive information about these companies on shaming sites, a threat actor can leverage that information to attempt a forced payment. Victim companies become exposed to additional harm by other threat actors who can attempt to extort additional payments or leverage information for future attacks.
The report comes at a time when nation-state and criminal threat actors have ramped up attacks on major industrial sites in the U.S.
Colonial Pipeline, the largest fuel supplier to the eastern U.S., was attacked in May 2021. Colonial paid more than $4.4 million to the attackers in order to resume operations after six days of fuel shortages and panic buying disrupted much of the southern and eastern U.S.
Weeks later, federal authorities recovered about $2.3 million of the ransomed funds after investigators were able to partially trace the source of the cryptocurrency payments to the threat actors.
Authorities issued warnings in late 2021 warning local grain were targeted in several ransomware attacks in Iowa, Minnesota and other states. Federal officials later warned of attacks against water and wastewater treatment facilities.
Now, attention is turning toward critical infrastructure providers as authorities are urging organization to take measures against potential attacks in connection to the conflict over Ukraine.
Research from Nozomi Networks shows that while ransomware activity against critical sites rose during the second half of 2021, organizations are beginning to step up their efforts to prevent future attacks.