Critical Infrastructure Security, Malware, Vulnerability Management

Industrial control system password cracker may be bad, actually

A technical system engineer and hardware asset manager performs control-and-maintenance operations of a cryptomining farm installed inside a hydroelectric power plant on Feb. 2, 2022, in Bolzano, Italy. (Photo by Alessio Coser/Getty Images)
A group is offering to crack passwords for industrial control systems, but instead it's installing malware, Dragos researchers reported. (Photo by Alessio Coser/Getty Images)

A warning for people in the industrial control system space: It's entirely possible that the random account on Twitter offering to circumvent your security systems may not have your best interests at heart.

Password retrieval utilities being marketed over social media for programmable logic controllers(PLC) and human-machine interfaces (HMI) may be installing malware.

Dragos is reporting that one such group offering password cracking for 15 vendors worth of PLCs and HMIs is using the password recovery software to install the Sality botnet. Sality is used for distributed criminal tasks, including cryptomining.

The recovery tool is marketed as a password cracker, which traditionally refers to password recovery tools that retrieve passwords from hashes, but in Dragos' test of the Automation Direct’s DirectLogic 06 PLC version of the tool, it actually uses vulnerabilities to breach machines. It does, in fact, recover the password in the process of roping systems into the Sality network. Dragos has not named the vendor of the specific tool they saw, but notes the password-cracking ecosystem is full of shady players. They only tested the DirectLogic tool.

"If an engineer needs to recover a lost password, contact Dragos or the respective vendor for instructions and guidance. As the adage goes, if it’s too good to be true, then it probably is," wrote Dragos' Sam Hanson in the blog post.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.