Multistage targeted ransomware attacks against critical infrastructure, designed to maximize damage and recovery costs, are increasingly common. Analysis of an attack captured by a honeypot shows the three basic stages: intrusion; persistence and lateral movement; and simultaneous detonation on as many systems as possible.
The attack was captured by Cybereason’s 2020 honeypot research. As in a 2018 study, the research used a honeypot built to look like an electricity company with operations in North America and Europe. In 2018, the system was infiltrated and fitted with backdoors, suggesting that the attacker intended to sell access on the dark web. This year the researchers “identified multiple attackers executing ransomware operations involving data theft, the stealing of user credentials, and lateral movement across the victim’s network to compromise as many endpoints as possible.” Taken together, the two studies indicate that cybercriminals are targeting critical infrastructure companies more often, and with more dangerous attacks.
The Cybereason honeypot masqueraded as part of an electricity generation and transmission provider’s network, including IT, OT and HMI environments. The attackers gained initial access by brute-forcing the password of an Administrator account exposed through remote administration interfaces. (The report does not say how strong the password was, but the fact that a brute-force attack alone succeeded implies that no MFA was enforced on the account.)
Through this account, the attackers uploaded a PowerShell script that created a backdoor user account called ‘Admin’. This gave them persistent access that would survive a change of the original Administrator password, and they used it to upload additional attack tools. One of these was Mimikatz, used to harvest credentials for lateral movement beyond the initially compromised server. In this instance it failed: none of the credentials obtained could access the domain controllers. The attackers instead used a network scanner to discover additional endpoints. Only after as many endpoints as possible had been found and compromised was the ransomware detonated on all of them simultaneously.
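The first two stages described above, the brute-forced Administrator logon and the backdoor ‘Admin’ account, leave a characteristic trail in the Windows Security log. What follows is an added example of detection logic for that trail, run over constructed sample events; it is not code from Cybereason’s report or from the honeypot. The event IDs (4625, 4624, 4720, 4732) and the BUILTIN\Administrators SID are standard Windows values; the key=value log line format, the thresholds, the account names and the IP addresses are assumptions made for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Standard Windows Security audit event IDs and well-known SID (not taken from the report).
LOGON_FAILED = 4625          # An account failed to log on
LOGON_SUCCESS = 4624         # An account was successfully logged on
USER_CREATED = 4720          # A user account was created
GROUP_MEMBER_ADDED = 4732    # A member was added to a security-enabled local group
ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators


def parse_event(line):
    """Parse one 'key=value' log line (an assumed export format, not a real tool's) into a dict."""
    event = dict(token.split("=", 1) for token in line.split())
    event["time"] = datetime.fromisoformat(event["time"])
    event["id"] = int(event["id"])
    return event


def constructed_log():
    """Constructed sample events, not real data: a 25-attempt RDP password guess against
    Administrator that finally succeeds, creation of a backdoor 'Admin' account that is then
    made a local administrator, and benign activity that must not raise an alert.
    Addresses are documentation/private ranges chosen for the example."""
    guesses = [
        f"time=2020-06-01T02:00:{s:02d} id=4625 user=Administrator src=198.51.100.7 type=10"
        for s in range(25)
    ]
    return guesses + [
        "time=2020-06-01T02:00:31 id=4624 user=Administrator src=198.51.100.7 type=10",
        # benign: jsmith mistypes a password twice, then logs on at the console (type 2)
        "time=2020-06-01T08:59:50 id=4625 user=jsmith src=10.0.0.5 type=2",
        "time=2020-06-01T08:59:55 id=4625 user=jsmith src=10.0.0.5 type=2",
        "time=2020-06-01T09:00:01 id=4624 user=jsmith src=10.0.0.5 type=2",
        # persistence step, deliberately out of order to show that analyze() sorts by time
        "time=2020-06-01T02:04:10 id=4720 user=Admin subject=Administrator",
        "time=2020-06-01T02:04:12 id=4732 user=Admin group=S-1-5-32-544 subject=Administrator",
        # benign: helpdesk creates an ordinary account that is never made an administrator
        "time=2020-06-01T10:30:00 id=4720 user=contractor01 subject=helpdesk",
    ]


def _trim(timestamps, now, window):
    """Drop timestamps older than `window` relative to `now`."""
    while timestamps and now - timestamps[0] > window:
        timestamps.popleft()


def detect_brute_force(events, threshold=20, window=timedelta(minutes=5)):
    """Alert when a (source, account) pair accumulates >= threshold failed logons inside
    `window` and then logs on successfully: a password guess that worked, which is how the
    honeypot's Administrator account was taken over."""
    alerts = []
    failures = {}   # (src, user) -> deque of recent failure timestamps
    fired = set()
    for ev in events:
        key = (ev.get("src"), ev.get("user"))
        if ev["id"] == LOGON_FAILED:
            recent = failures.setdefault(key, deque())
            recent.append(ev["time"])
            _trim(recent, ev["time"], window)
        elif ev["id"] == LOGON_SUCCESS and key in failures and key not in fired:
            recent = failures[key]
            _trim(recent, ev["time"], window)
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_success", "src": key[0], "user": key[1],
                               "failures": len(recent), "logon_type": ev.get("type"),
                               "time": ev["time"]})
                fired.add(key)
    return alerts


def detect_new_local_admin(events, window=timedelta(hours=1)):
    """Alert when an account is added to BUILTIN\\Administrators within `window` of being
    created: the backdoor 'Admin' persistence step. The rule keys on the create-then-elevate
    sequence rather than on the name, because an attacker can choose any name."""
    alerts = []
    created = {}  # account name -> (creation time, creating subject)
    for ev in events:
        if ev["id"] == USER_CREATED:
            created[ev["user"]] = (ev["time"], ev.get("subject"))
        elif ev["id"] == GROUP_MEMBER_ADDED and ev.get("group") == ADMINISTRATORS_SID:
            if ev["user"] in created:
                created_at, creator = created[ev["user"]]
                if ev["time"] - created_at <= window:
                    alerts.append({"rule": "new_local_admin", "account": ev["user"],
                                   "created_by": creator, "elevated_by": ev.get("subject"),
                                   "time": ev["time"]})
    return alerts


def analyze(lines):
    """Parse, sort by time and run both rules; returns the list of alerts."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["time"])
    return detect_brute_force(events) + detect_new_local_admin(events)


if __name__ == "__main__":
    for alert in analyze(constructed_log()):
        print(alert)
```

On the constructed input the script raises exactly two alerts, one per stage, and stays silent on the ordinary failed logons and the ordinary account creation. In a real deployment the events would come from Get-WinEvent, the Security channel forwarded to a SIEM, or an EDR, and the threshold and window would be tuned to the environment; an account lockout policy and MFA on every remote administration interface would stop the first stage before there was anything to detect.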
The report is short on details. It does not name the ransomware strain or strains used against the honeypot, say how many endpoints were compromised, or state whether both the IT and OT sides of the environment were affected. It gives no date or duration for the attack or attacks, mentions no ransom note, and offers no details of the ‘data theft’ element.
Nevertheless, the basic findings and conclusions of this research are almost certainly accurate: firstly, critical industries are increasingly being targeted with ransomware; and secondly, attackers seek to embed themselves deeply within the victim network before detonation in order to maximize the damage done.
The premise appears to be borne out by news this week of a major cyberattack against the Japanese motor manufacturer Honda. At the time of writing it is not confirmed to be ransomware, but security researchers are increasingly confident that the SNAKE ransomware is involved. Honda has merely confirmed that “a cyber-attack has taken place on the Honda network,” and that “There is also an impact on production systems outside of Japan.”
In fact, production has been suspended at plants in Swindon, UK, and in North America, Turkey, Italy, and Japan. “Snake ransomware,” comments Morgan Wright, chief security advisor at Sentinel One, “is designed to attack industrial control systems networks. The fact that Honda has put production on hold and sent factory workers home points to disruption of their manufacturing systems.”
If so, this supports Cybereason’s conclusion that critical industry manufacturing is now a primary target for ransomware, and the simultaneous shutdown of plants around the world is consistent with the pattern of stealthy lateral movement followed by simultaneous detonation for maximum effect.
Honda told Forbes on Wednesday, “Honda has experienced a cyberattack that has affected production operations at some U.S. plants. However, there is no current evidence of loss of personally identifiable information. We have resumed production in most plants and are currently working toward the return to production of our auto and engine plants in Ohio.”
With no detailed explanation of the events from Honda, little can be said with confidence. If it is ransomware, it is a good example of the multistage attacks described by Cybereason. The ability to shut down multiple plants in multiple countries at once implies extensive attacker dwell time, and therefore sophisticated attackers. The rapid resumption of production ‘in most plants’ suggests either effective breach response and recovery capabilities or payment of a ransom. For now, we must wait for more details from Honda.