A technical system engineer and hardware asset manager performs control-and-maintenance operations of a cryptomining farm installed inside a hydroelectric power plant on Feb. 2, 2022, in Bolzano, Italy. (Photo by Alessio Coser/Getty Images)
A group is offering to crack passwords for industrial control systems, but instead it's installing malware, Dragos researchers reported. (Photo by Alessio Coser/Getty Images)

A warning for people in the industrial control system space: It's entirely possible that the random account on Twitter offering to circumvent your security systems may not have your best interests at heart.

Password retrieval utilities being marketed over social media for programmable logic controllers(PLC) and human-machine interfaces (HMI) may be installing malware.

Dragos is reporting that one such group offering password cracking for 15 vendors worth of PLCs and HMIs is using the password recovery software to install the Sality botnet. Sality is used for distributed criminal tasks, including cryptomining.

The recovery tool is marketed as a password cracker, which traditionally refers to password recovery tools that retrieve passwords from hashes, but in Dragos' test of the Automation Direct’s DirectLogic 06 PLC version of the tool, it actually uses vulnerabilities to breach machines. It does, in fact, recover the password in the process of roping systems into the Sality network. Dragos has not named the vendor of the specific tool they saw, but notes the password-cracking ecosystem is full of shady players. They only tested the DirectLogic tool.

"If an engineer needs to recover a lost password, contact Dragos or the respective vendor for instructions and guidance. As the adage goes, if it’s too good to be true, then it probably is," wrote Dragos' Sam Hanson in the blog post.