While the cybercrime ecosystem usually conjures a 21st Century online bazaar for buying and selling credit card numbers, some hackers possess loftier goals.
Attackers stepped into a honeypot environment set up by Cybereason to emulate a gateway to a power substation of a major U.S. electricity provider, shortly after credentials for it became available on the dark web. In fact, an actual power company’s name was placed on the xDedic listing for the virtual machine, which could take the buyer from what appeared to be the facility’s information technology (IT) environment into its operational technology (OT), where the buyer was led to believe actions could cause physical damage.
Cybereason advises power companies, so it had firsthand knowledge of how to replicate such an environment with an actual network blueprint that showed its inner workings.
Within five minutes of being available, a party bought the fake asset for between $1,000 and $10,000, based on its attributes, according to Cybereason CISO Israel Barak. The transaction took place in a non-public channel, preventing Cybereason from obtaining information on how the payment was made.
“The actor who came through the door didn’t fit the profile of the typical OT attacker,” Barak explained; he couldn’t ascertain whether the buyer was acting on behalf of a nation-state, but thought it probably was not. However, the intruder navigated “quickly and aggressively” from the IT to the OT environment by following a well-known playbook.
“The actor had done it before,” Barak noted, although he was surprised by the attacker’s disregard for setting off alarms: the intruder neither disabled anti-virus software nor attempted to remain hidden.
But after waiting a few weeks, “there was no endgame,” said Barak, meaning that the attacker didn’t attempt to damage the physical plant, even though there wasn’t one to be damaged.