Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

OT Data Stolen by Ransomware Gangs Can Facilitate Cyber-Physical Attacks

Many of the ransomware attacks on industrial and critical infrastructure organizations result in the exposure of operational technology (OT) data that could be useful to threat actors, including to conduct cyber-physical attacks, according to Mandiant.

Many of the ransomware attacks on industrial and critical infrastructure organizations result in the exposure of operational technology (OT) data that could be useful to threat actors, including to conduct cyber-physical attacks, according to Mandiant.

The company’s researchers have analyzed the roughly 2,600 data leaks that resulted from ransomware attacks in 2021 and determined that approximately 1,300 of them impacted critical infrastructure and industrial organizations.

An investigation of 70 of these leaks showed that ten of them contained technically sensitive OT information. Mandiant’s analysis included manually browsing through file listings and files, and forensic analysis using public and custom tools.

Exposed data, which at one point had been available — or still is available — to anyone with the knowledge to access websites on the Tor anonymity network, included IT and OT admin credentials, PLC project files, process documentation, engineering documentation for customer projects, and source code and other information for a proprietary platform.

Impacted organizations included renewable and hydroelectric energy producers, a train manufacturer, oil and gas organizations, control systems integrators, and a satellite vehicle tracking service.

Mandiant noted that its analysis was limited and it’s confident that a more thorough analysis of each data dump would have likely uncovered more information for each of the affected companies.

“Access to this type of data can enable threat actors to learn about an industrial environment, identify paths of least resistance, and engineer cyber physical attacks,” Mandiant warned. “On top of this, other data also included in the leaks about employees, processes, projects, etc. can provide an actor with a very accurate picture of the target’s culture, plans, and operations.”

It added, “Even if the exposed OT data is relatively old, the typical lifespan of cyber physical systems ranges from twenty to thirty years, resulting in leaks being relevant for reconnaissance efforts for decades—much longer than exposed information on IT infrastructure.”

A cyber-physical attack is a breach in cyberspace that impacts physical processes, potentially causing damage to property and putting safety or lives at risk. For instance, a compromised controller in a plant could be used to cause an explosion.

Ransomware has also become increasingly problematic for the industrial control systems (ICS) themselves. Last year, both government and private sector organizations warned of the threat posed by ransomware to ICS and other OT assets.

Related: 5 Ways to Reduce the Risk of Ransomware to Your OT Network

Related: Industrial Control Systems Ripe Targets for Ransomware Attacks

Related: Cring Ransomware Targets Industrial Organizations

Related: Sierra Wireless Says Ransomware Disrupted Production at Manufacturing Facilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Ransomware

The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.

Cybercrime

Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.

ICS/OT

Vulnerabilities in GE’s Proficy Historian product could be exploited for espionage and to cause damage and disruption in industrial environments.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Ransomware

US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...