Many of the ransomware attacks on industrial and critical infrastructure organizations result in the exposure of operational technology (OT) data that could be useful to threat actors, including to conduct cyber-physical attacks, according to Mandiant.
The company’s researchers have analyzed the roughly 2,600 data leaks that resulted from ransomware attacks in 2021 and determined that approximately 1,300 of them impacted critical infrastructure and industrial organizations.
An investigation of 70 of these leaks showed that ten of them contained technically sensitive OT information. Mandiant’s analysis included manually browsing through file listings and files, and forensic analysis using public and custom tools.
Exposed data, which at one point had been available — or still is available — to anyone with the knowledge to access websites on the Tor anonymity network, included IT and OT admin credentials, PLC project files, process documentation, engineering documentation for customer projects, and source code and other information for a proprietary platform.
Impacted organizations included renewable and hydroelectric energy producers, a train manufacturer, oil and gas organizations, control systems integrators, and a satellite vehicle tracking service.
Mandiant noted that its analysis was limited and it’s confident that a more thorough analysis of each data dump would have likely uncovered more information for each of the affected companies.
“Access to this type of data can enable threat actors to learn about an industrial environment, identify paths of least resistance, and engineer cyber physical attacks,” Mandiant warned. “On top of this, other data also included in the leaks about employees, processes, projects, etc. can provide an actor with a very accurate picture of the target’s culture, plans, and operations.”
It added, “Even if the exposed OT data is relatively old, the typical lifespan of cyber physical systems ranges from twenty to thirty years, resulting in leaks being relevant for reconnaissance efforts for decades—much longer than exposed information on IT infrastructure.”
A cyber-physical attack is a breach in cyberspace that impacts physical processes, potentially causing damage to property and putting safety or lives at risk. For instance, a compromised controller in a plant could be used to cause an explosion.
Ransomware has also become increasingly problematic for the industrial control systems (ICS) themselves. Last year, both government and private sector organizations warned of the threat posed by ransomware to ICS and other OT assets.
Related: 5 Ways to Reduce the Risk of Ransomware to Your OT Network
Related: Industrial Control Systems Ripe Targets for Ransomware Attacks
Related: Cring Ransomware Targets Industrial Organizations
Related: Sierra Wireless Says Ransomware Disrupted Production at Manufacturing Facilities

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
