A research honeypot set up to look like an electric company's power transmission substation network was compromised by a dark web hacker within two days of it going online -- yet another sign that industrial control systems are increasingly becoming targets of not just nation-states, but also traditional cybercriminals.
Cybereason, whose researchers conducted the experiment in the second quarter of 2018, detailed its findings in a report released on Tuesday. Co-authors Israel Barak, CISO of Cybereason, and Ross Rustici, senior director of intelligence services, noted that within 48 hours of the honeypot's launch, a seller for the xDedic black market accessed the fake network and installed a malicious toolset called xDedic RDP Patch, along with several backdoors, all in an effort to sell the asset to a prospective buyer.
In the days following the takeover, the honeypot was reportedly barraged with bots specializing in cryptomining, phishing and DDoS, before a third party believed to be the buyer accessed one of the backdoors created by the seller.
“In two days, the attackers got into the environment, conducted reconnaissance aimed at finding an entry point from the IT environment to the OT environment, which is really what they wanted,” Barak said in the release.
“The biggest lesson learned from the honeypot is that multiple tiers of attackers find ICS environments interesting. That's increasing risk for people who operate those types of systems. The security basics are really what's going to prevent a bad day from becoming a catastrophic day,” added Rustici.