Hackers with minimal experience and technical expertise are increasingly targeting industrial networks, driving a new wave of low sophistication OT breaches that researchers tell SC Media is a strong learning opportunity for criminals looking to monetize their work.
The low sophistication attacks, which are outlined by Mandiant in a new blog post released Tuesday, encompass simpler attacks, where actors with varying levels of skill and resources use common IT tools and techniques to gain access to and interact with exposed OT systems. It's an approach that relies less on targeted intrusion and more on a Shodan model, where attackers search for specific types of internet-connected computers without any need for authentication, said Nathan Brubaker, senior manager of analysis for Mandiant Threat Intelligence and a co-author of the blog.
"Five years ago, we would see posts from people who had no idea what they were doing, saying 'Oh I have access to this ICS or this device,' and then copy and paste in the title of whatever thing they had gotten access to. 'How do I make money off of this?'" said Brubaker. "In the past year and a half, there's been a dramatic shift from that kind of bumbling about, not-quite-sure-what-you're-doing kind of learning phase, to groups that are actively changing process information and process variables that will result in changes in physical processes."
In the blog post, Mandiant lists 18 incidents of low sophistication hacking in OT systems — only four of which had previously been disclosed — alongside three instances of reconnaissance and two instructional videos posted since January 2020.
Casual intruders had been hesitant in the past to interfere with industrial systems. ("We've kind of hypothesized what would keep actors from doing that, like a willingness to kill somebody," said Brubaker.) But attacks like the one on Colonial Pipeline may normalize interrupting OT.
While the low sophistication attacks right now might be the work of disorganized lookie-loos, low sophistication actors could be building up an unnerving amount of experience navigating industrial systems.
"The longer this goes on, the more experience and knowledge these actors are going to gain about the types of systems that they're interacting with and comfort with those systems," said Brubaker, who worries that increasing comfort with the systems would result in OT-specific ransomware and other criminal efforts. "We see some of the same groups doing the same stuff over and over again; and the third, fourth or fifth time we see them posting something, it's pretty clear they're fairly confident in what they're doing."
Mandiant offers prevention advice for low sophistication attacks in its blog post. The blog recommends tactics that OT security pros have heard for years — disconnect unnecessary systems from the internet, obey basic security hygiene, whitelist access, monitor exposure to the Shodan search engine and keep an open ear for relevant threat intelligence.
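One way to put the "monitor exposure to Shodan" recommendation into practice, as an added example that is not from the Mandiant post or from SC Media: a script that takes Shodan-style host records, keeps only those inside address ranges the organization owns, and flags services listening on well-known OT protocol ports so they can be pulled off the internet or put behind an access allowlist. The record field names (ip_str, port, transport, product, org) are assumed from Shodan's host-search JSON, and the sample records below are constructed.

```python
import json
from ipaddress import ip_address, ip_network

# Default ports of common OT/ICS protocols; exposure on any of these warrants review.
OT_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Constructed sample records in the shape of Shodan host-search "matches" entries
# (field names assumed from the Shodan API; addresses are documentation ranges).
SAMPLE_MATCHES = json.loads("""[
  {"ip_str": "203.0.113.10", "port": 502,   "transport": "tcp", "product": "Modbus",   "org": "Example Water Utility"},
  {"ip_str": "203.0.113.12", "port": 443,   "transport": "tcp", "product": "nginx",    "org": "Example Water Utility"},
  {"ip_str": "198.51.100.7", "port": 44818, "transport": "tcp", "product": "Rockwell", "org": "Other Org"},
  {"ip_str": "203.0.113.20", "port": 47808, "transport": "udp", "product": null,       "org": "Example Water Utility"}
]""")


def find_exposed_ot(matches, owned_ranges):
    """Return OT services that Shodan sees inside the given CIDR ranges, sorted by ip/port."""
    nets = [ip_network(r) for r in owned_ranges]
    findings = []
    for m in matches:
        port = m.get("port")
        if port not in OT_PORTS:
            continue                      # not an OT protocol port
        addr = ip_address(m["ip_str"])
        if not any(addr in n for n in nets):
            continue                      # somebody else's exposure, not ours
        findings.append({
            "ip": m["ip_str"],
            "port": port,
            "transport": m.get("transport", "tcp"),
            "protocol": OT_PORTS[port],
            "product": m.get("product") or "unknown",
        })
    return sorted(findings, key=lambda f: (f["ip"], f["port"]))


if __name__ == "__main__":
    for f in find_exposed_ot(SAMPLE_MATCHES, ["203.0.113.0/24"]):
        print(f"{f['ip']}:{f['port']}/{f['transport']} {f['protocol']} ({f['product']})")
```

In practice the records would come from a scheduled export of Shodan results for the organization's own ranges, and each finding feeds a ticket to disconnect the device or restrict it to allowlisted sources.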