OT Data Stolen by Ransomware Gangs Can Facilitate Cyber-Physical Attacks

Many of the ransomware attacks on industrial and critical infrastructure organizations result in the exposure of operational technology (OT) data that could be useful to threat actors, including to conduct cyber-physical attacks, according to Mandiant.

The company’s researchers have analyzed the roughly 2,600 data leaks that resulted from ransomware attacks in 2021 and determined that approximately 1,300 of them impacted critical infrastructure and industrial organizations.

An investigation of 70 of these leaks showed that ten of them contained technically sensitive OT information. Mandiant’s analysis included manually browsing through file listings and files, and forensic analysis using public and custom tools.

Exposed data, which at one point had been available — or still is available — to anyone with the knowledge to access websites on the Tor anonymity network, included IT and OT admin credentials, PLC project files, process documentation, engineering documentation for customer projects, and source code and other information for a proprietary platform.

Impacted organizations included renewable and hydroelectric energy producers, a train manufacturer, oil and gas organizations, control systems integrators, and a satellite vehicle tracking service.

Mandiant noted that its analysis was limited and it’s confident that a more thorough analysis of each data dump would have likely uncovered more information for each of the affected companies.

“Access to this type of data can enable threat actors to learn about an industrial environment, identify paths of least resistance, and engineer cyber physical attacks,” Mandiant warned. “On top of this, other data also included in the leaks about employees, processes, projects, etc. can provide an actor with a very accurate picture of the target’s culture, plans, and operations.”

It added, “Even if the exposed OT data is relatively old, the typical lifespan of cyber physical systems ranges from twenty to thirty years, resulting in leaks being relevant for reconnaissance efforts for decades—much longer than exposed information on IT infrastructure.”

A cyber-physical attack is a breach in cyberspace that impacts physical processes, potentially causing damage to property and putting safety or lives at risk. For instance, a compromised controller in a plant could be used to cause an explosion.

Ransomware has also become increasingly problematic for the industrial control systems (ICS) themselves. Last year, both government and private sector organizations warned of the threat posed by ransomware to ICS and other OT assets.

Related: 5 Ways to Reduce the Risk of Ransomware to Your OT Network

Related: Industrial Control Systems Ripe Targets for Ransomware Attacks

Related: Cring Ransomware Targets Industrial Organizations

Related: Sierra Wireless Says Ransomware Disrupted Production at Manufacturing Facilities