OT Systems Increasingly Targeted by Unsophisticated Hackers: Mandiant

Unsophisticated threat actors — in many cases motivated by financial gain — have increasingly targeted internet-exposed operational technology (OT) systems, according to research conducted by Mandiant, FireEye’s threat intelligence and incident response unit.

There are a handful of public reports of attacks on industrial control systems (ICS) causing significant physical damage or disruption. These attacks are typically launched by sophisticated and well-funded threat groups.

While in many cases OT systems — particularly ones used for critical processes — are not exposed to the internet, many industrial systems are connected to the internet and these connected systems have been increasingly targeted by hackers who are in most cases not sophisticated and don’t have many resources.

“The most common activity we observe involves actors trying to make money off exposed OT systems, but we also see actors simply sharing knowledge and expertise,” Mandiant researchers said. “More recently, we have observed more low sophistication threat activity leveraging broadly known tactics, techniques, and procedures (TTPs), and commodity tools to access, interact with, or gather information from internet exposed assets—something we had seen very little of in the past.”

Since the beginning of 2020, Mandiant says it has observed what it described as “low sophistication threat activity” targeting a wide range of systems, including solar energy, water control, building automation, and home security systems.

In some cases, the hackers offered tutorials for compromising OT systems or shared IP addresses allegedly associated with ICS, but in others they gained access — or at least claimed to do so — to actual control systems and apparently even interacted with them.

Unsophisticated threat actors often leverage unprotected remote access services such as VNC connections to gain access to such systems, and in many cases they target human-machine interfaces (HMIs), which are described as low-hanging fruit in OT attacks as they can offer a simple representation of complex industrial processes.
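The exposure pattern described above (remote access services such as VNC sitting in front of HMIs and other OT assets) is something a defender can triage from an external attack-surface scan or a firewall NAT review. The script below is an added example, not code from Mandiant, FireEye or SecurityWeek: it takes an inventory of externally reachable services and ranks the entries that match that pattern. The service records are constructed sample data, and the port-to-protocol table is an assumption about commonly used defaults rather than anything the article states.

```python
"""Exposure triage for internet-facing remote-access and OT services.

Added example (not from the article or the Mandiant report). Given an inventory
of services reachable from the internet, flag the ones that match the
low-sophistication pattern the article describes: unprotected remote access
(VNC) reaching into an OT zone, and industrial protocols exposed directly.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed default ports. VNC is the service the article names; the OT protocol
# ports are included so the same triage catches HMIs/controllers exposed directly.
REMOTE_ACCESS_PORTS = {3389: "rdp", 5800: "vnc-http", **{p: "vnc" for p in range(5900, 5910)}}
OT_PROTOCOL_PORTS = {502: "modbus", 102: "s7comm", 47808: "bacnet", 20000: "dnp3", 44818: "ethernet-ip"}


@dataclass(frozen=True)
class Service:
    asset: str   # hostname or inventory id
    ip: str
    port: int
    zone: str    # where the asset sits: "ot", "it" or "dmz"
    auth: str    # authentication observed by the scan: "none", "password" or "mfa"
    note: str = ""


@dataclass(frozen=True)
class Finding:
    asset: str
    port: int
    protocol: str
    severity: str
    reason: str


def classify(svc: Service) -> Optional[Finding]:
    """Return a Finding if the service matches an exposed-OT pattern, else None."""
    if svc.port in REMOTE_ACCESS_PORTS:
        proto = REMOTE_ACCESS_PORTS[svc.port]
        if svc.zone == "ot" and svc.auth == "none":
            return Finding(svc.asset, svc.port, proto, "critical",
                           "unauthenticated remote access into OT zone; HMI reachable from the internet")
        if svc.zone == "ot":
            return Finding(svc.asset, svc.port, proto, "high",
                           "remote access into OT zone exposed to the internet; belongs behind a VPN/MFA jump host")
        if svc.auth == "none":
            return Finding(svc.asset, svc.port, proto, "high",
                           "unauthenticated remote access on an internet-facing host")
        return Finding(svc.asset, svc.port, proto, "medium",
                       "remote access service directly internet-facing")
    if svc.port in OT_PROTOCOL_PORTS:
        return Finding(svc.asset, svc.port, OT_PROTOCOL_PORTS[svc.port], "critical",
                       "industrial protocol exposed to the internet; typically carries no authentication")
    return None


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def triage(services: Iterable[Service]) -> List[Finding]:
    """Classify every service and return findings ordered by severity, then asset."""
    findings = [f for f in (classify(s) for s in services) if f is not None]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.asset))


# Constructed sample inventory (IPs from the documentation range; assets are fictional).
SAMPLE_INVENTORY = [
    Service("pump-hmi-01", "203.0.113.10", 5900, "ot", "none", "water control HMI"),
    Service("solar-inv-03", "203.0.113.11", 502, "ot", "none", "inverter gateway"),
    Service("bms-ctrl-02", "203.0.113.12", 5901, "ot", "password", "building automation HMI"),
    Service("jump-host", "203.0.113.20", 3389, "dmz", "mfa", "admin RDP via gateway"),
    Service("www-01", "203.0.113.30", 443, "dmz", "password", "corporate website"),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"[{f.severity:8}] {f.asset}:{f.port} ({f.protocol}) - {f.reason}")
```

In practice the inventory rows would come from an external scan export or a firewall rule review rather than a hard-coded list; the useful part is the zone-aware ranking, which puts an unauthenticated VNC listener in front of a water-control HMI ahead of a password-protected one, and both ahead of an MFA-protected administrative jump host.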

“While much of this type of activity appears opportunistic in nature, some may also be driven by political motivations. For example, we have seen hacktivist groups that frequently use anti-Israel/pro-Palestine rhetoric in social media posts share images indicating that they had compromised OT assets in Israel, including a solar energy asset and the webserver of a datalogger used for different applications such as mining exploration and dam surveillance,” Mandiant said.
The claims of some of these hackers demonstrate a limited understanding of OT systems. For instance, one threat actor claimed to have hacked a German rail control system, but they actually compromised a web interface for a model train set. Others claimed to have hacked an Israeli “gas system” that turned out to be a ventilation system in the kitchen of an Israeli restaurant.

While these incidents may not appear to pose a significant risk to organizations or critical infrastructure, Mandiant warned that low sophistication attacks are concerning for several reasons. For instance, they help threat actors learn more about OT systems, enabling them to enhance their capabilities. Additionally, publicizing these attacks can encourage other hackers to target ICS.

Finally, Mandiant noted, “Even low-sophistication intrusions into OT environments carry the risk of disruption to physical processes, mainly in the case of industries or organizations with less mature security practices. As the number of intrusions increase, so does the risk of process disruption.”

Related: NSA Issues Guidance on Securing IT-OT Connectivity

Related: Electricity Distribution Systems at Increasing Risk of Cyberattacks, GAO Warns

Related: Kaspersky Sees Rise in Ransomware Attacks on ICS Devices in Developed Countries

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.