Trend Micro researchers have set up a factory honeypot and found that industrial organizations should be more concerned about attacks launched by profit-driven cybercriminals than about the threat posed by sophisticated state-sponsored groups.
The honeypot mimicked a factory and was designed to be as realistic as possible. The industrial environment included ICS hardware, physical hosts, and hardened virtual machines. The ICS hardware included PLCs from Siemens, Allen-Bradley and Omron, and the virtual machines ran an HMI for controlling the factory, a robotics workstation that controlled a palletizer, and an engineering workstation used for programming PLCs. The physical machine served as a file server for the factory.
In an effort to make everything even more realistic, the researchers created a fake company that claimed to be a “small industrial prototyping boutique working for special customers.” They developed a website for it and set up some phone numbers that, when called, would play a recording that instructed the caller to leave a message.
In order to make the honeypot a more attractive target, the experts intentionally left some ports open, including ports for a couple of VNC services that could be accessed without a password, for the PLCs, and for Ethernet/IP.
The honeypot went online in May 2019 and Trend Micro researchers monitored it for a period of seven months. The company told SecurityWeek that the honeypot was fully taken offline after the experiment was concluded.
Unsurprisingly, the honeypot was initially mostly targeted by scanners, which is why the researchers blocked requests coming from known scanning services, such as Shodan, ZoomEye and Shadowserver.
Once the honeypot was online and properly configured, Trend Micro saw a significant number of attempts to misuse the systems and their resources for fraudulent activities, such as cashing out airline miles for gift cards and buying smartphones by upgrading mobile subscriber accounts.
Other hackers installed cryptocurrency miners, and there were also two instances of file-encrypting ransomware being installed. The ransomware attacks involved Crysis and Phobos malware, and some cybercriminals also attempted to deploy a fake piece of ransomware that only renamed files to make them appear as if they were encrypted, but without actually encrypting them.
In terms of control system attacks, Trend Micro said the PLCs were mostly targeted by unknown scanners — scanning activity associated with tools and services other than the ones that were blacklisted. While the traffic did not appear malicious — the scanners mainly collected information about the exposed devices — the experts said they could not discount the possibility that the scans were part of reconnaissance activity conducted in preparation for later attacks.
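As an added illustration of the triage described above (example code, not anything from Trend Micro's honeypot), the following Python sketch splits probes against ICS ports into those from known scanning services, which the researchers filtered out, and those from unknown sources, which they flagged as possible reconnaissance. The port-to-service map, the scanner networks (documentation prefixes standing in for the published ranges) and the log lines are all constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Ports the honeypot deliberately exposed (VNC, Ethernet/IP) plus other common
# PLC protocols; this port-to-service map is an assumption of the example.
ICS_PORTS = {5900: "vnc", 44818: "ethernet-ip", 502: "modbus",
             102: "s7comm", 9600: "omron-fins"}

# Placeholder networks standing in for the published ranges of known scanning
# services; these are documentation prefixes, not real Shodan/ZoomEye ranges.
KNOWN_SCANNERS = {"shodan-placeholder": ipaddress.ip_network("198.51.100.0/24"),
                  "shadowserver-placeholder": ipaddress.ip_network("203.0.113.0/24")}

def known_scanner(src):
    """Name of the known scanning service a source belongs to, else None."""
    ip = ipaddress.ip_address(src)
    return next((n for n, net in KNOWN_SCANNERS.items() if ip in net), None)

def parse_line(line):
    """Parse '<ts> src=<ip> dport=<port>'; returns (src, port) or None."""
    fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
    if "src" not in fields or "dport" not in fields:
        return None
    return fields["src"], int(fields["dport"])

def triage(lines):
    """Return (known, unknown): source IP -> set of ICS services it probed."""
    known, unknown = defaultdict(set), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] not in ICS_PORTS:
            continue  # unparseable line or non-ICS port: not of interest here
        src, port = parsed
        bucket = known if known_scanner(src) else unknown
        bucket[src].add(ICS_PORTS[port])
    return dict(known), dict(unknown)

# Constructed sample log lines, not traffic from the Trend Micro honeypot.
SAMPLE_LOG = """\
2019-06-01T10:00:01 src=198.51.100.7 dport=502
2019-06-01T10:00:02 src=198.51.100.7 dport=44818
2019-06-01T10:05:10 src=192.0.2.44 dport=5900
2019-06-01T10:05:11 src=192.0.2.44 dport=44818
2019-06-01T10:05:12 src=192.0.2.44 dport=102
2019-06-01T10:06:00 src=192.0.2.44 dport=443
2019-06-01T10:07:00 src=192.0.2.99 dport=22
""".splitlines()
```

Sources that land in the unknown bucket while touching several PLC protocols are the ones worth a closer look, since the known-scanner bucket can be dropped the way the researchers did.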
In the case of the Allen-Bradley MicroLogix PLC hosted by the honeypot, the researchers observed a number of unknown commands. While they may seem harmless, the unknown commands could cause some older devices to crash, as demonstrated a few years ago by Cisco Talos researchers.
In some cases, the attacker closed applications running on the compromised device, shut down the device, or logged off the current user.
Some of the most interesting activities from an ICS perspective occurred in December. One threat actor started the factory, stopped the conveyor belt, stopped the factory, and then closed the application window. One day later, the same hacker started the palletizer and opened the log view for its optical system.
Trend Micro told SecurityWeek that in these cases the attacker was likely just curious to see what would happen.
“In most cases, the attacker would stop the process almost immediately when they saw it had started something,” explained Stephen Hilt, senior threat researcher at Trend Micro. “During one of the three attacks [from December], the attacker let the system run for hours and we finally stopped it by acting like the ‘company’ who had realized what was happening and reset all the values. Since then, we haven’t seen any further activity from this person.”
Hilt said none of the source IP addresses they analyzed could be linked to a known threat group.
“Too often, discussion of cyber threats to industrial control systems (ICS) has been confined to highly sophisticated, nation-state level attacks designed to sabotage key processes. While these do present a risk to Industry 4.0, our research proves that more commonplace threats are more likely,” Greg Young, vice president of cybersecurity for Trend Micro, commented on the research. “Owners of smaller factories and industrial plants should therefore not assume that criminals will leave them alone. A lack of basic protections can open the door to a relatively straightforward ransomware or cryptojacking attack that could have serious consequences for the bottom line.”
More details about the factory honeypot are available on Trend Micro’s website.