Endpoint protection company Cybereason has published findings from its latest honeypot that was created to analyse the tactics, techniques, and procedures used by hackers to target critical infrastructure providers. This project has revealed hackers have adopted multistage ransomware attacks as part of hacking operations against industrial control systems (ICS).
The honeypot IT and OT (operational technology) environment was built to look like a large electricity company with operations in North America and Europe. Cybereason successfully launched a similar honeypot two years ago looking at the same industry.
The report titled “Cybereason’s Newest Honeypot Shows How Multistage Ransomware Attacks Should Have Critical Infrastructure Providers on High Alert” is based on attacks to a network architecture masquerading as part of an electricity generation and transmission provider’s network, including an IT and OT environment and HMI (human machine interface) management systems. The environment employed customary security controls including segmentation between the different environments.
Once the honeypot went live, hackers compromised the network within three days by brute forcing the admin password, which had medium complexity. Attackers placed ransomware on every compromised machine early in the process but didn’t detonate it immediately. After the other stages of the attack were completed (including data theft, user password stealing and propagation across the network), the attacker detonated the ransomware across all compromised endpoints simultaneously. This is a common trait to multistage ransomware campaigns, that is intended to amplify the impact of the attack on the victim.
“Ransomware threats to critical infrastructure providers should be a top concern for security teams. In the ICS industry, we are seeing fewer strains of ransomware yet the existing strains rake in more gains. Hackers do this by better targeting and making more money from each target. We can expect to see an increase in multistage ransomware embedded into hacking operations in the foreseeable future,” said Israel Barak, Chief Information Security Officer, Cybereason.
In this new research, the Cybereason team identified multiple attackers executing ransomware operations involving data theft, the stealing of user credentials, and lateral movement across the victims network to compromise as many endpoints as possible. This includes critical assets like the domain controllers, which could take between several minutes to several hours to properly infiltrate.
Ransomware capabilities were deployed early on in the hacking operation, but it was not immediately detonated. The ransomware was designed to detonate only after preliminary stages of the attack finished across all compromised endpoints in order to achieve maximum impact on the victim.
This operational attack pattern attempts to impact as many victim assets as possible, representing a higher risk to organisations compared to ransomware attacks that impact the single machine they initially access. However, this operational pattern also represents an opportunity for defenders with a rapid detection and response process to detect the attack at its early stages and respond effectively before ransomware is able to impact the environment.
“Attackers are succeeding in hacking operations against ICS operators by breaking in and debilitating the business and demanding huge ransoms. Because many organisations now purchase cyber insurance, we are seeing an increase in the number of ransoms being paid as opposed to patching the holes in the network that enabled the hackers to gain access in the first place. These brazen intrusions will continue until the cost of the insurance becomes comparable to the cost of fixing the problem,” added Barak.
