Industrial systems with operational technology are being exposed on the internet in growing numbers, and many are vulnerable to basic entry-level intrusion techniques. That’s according to researchers at FireEye, who said in a research post Tuesday that operational technology (OT) networks are being compromised at their highest clip in years, and as a result, vital industries including electricity, mining, and water management are being put at risk of a catastrophic attack.
Even more disturbing, said the FireEye team, the attackers who are pulling off these network breaches do not appear to be high-level teams that have dedicated weeks or months to infiltrate a specific target. Rather, they seem to be crimes of opportunity where hackers stumble upon low-hanging fruit and decide to use it to their advantage, either to turn a quick buck or boost their own reputation among underground forums. “The most common activity we observe involves actors trying to make money off exposed OT systems, but we also see actors simply sharing knowledge and expertise,” the blog post said. “More recently, we have observed more low sophistication threat activity leveraging broadly known tactics, techniques, and procedures (TTPs), and commodity tools to access, interact with, or gather information from internet exposed assets — something we had seen very little of in the past.”
Despite the recent government efforts to improve security for industrial IoT and OT networks, securing the embedded systems and their associated networks has proven a difficult task. Aside from the challenges of bolting security onto devices that were never designed for connectivity, basic questions of responsibility and jurisdiction have arisen in areas such as solar power, where it can be unclear whether vendors, operators, or government agencies have the responsibility to secure hardware. Thus, the FireEye researchers said it should be highly concerning to all parties involved that hackers who appear in many cases to be low-skilled threat actors have been able to get access to a wide range of different OT assets without much trouble.
In many cases, FireEye found that the OT equipment had been left exposed to the open internet, where it was discoverable through well-known search services like Shodan. Armed with some basic knowledge of how to put together a query and a handful of entry-level hacking tools, the attackers were able to compromise a number of devices without even knowing what they were. Among the breached systems the research team observed were solar power control systems, surveillance systems for a dam, and a data-logging system used by a mining operation.
“In a few instances, actors operating as part of hacktivist collectives created and shared tutorials that instructed their affiliates and sympathetic parties on how to identify and compromise internet-accessible OT assets. The tutorials typically described simple methodologies, such as using VNC [virtual network computing] utilities to connect to IP addresses identified in Shodan or Censys searches for port 5900,” the FireEye team wrote. “These methods appear to have been used in some of the incidents we described, as some of the shared screenshots of compromised OT systems also showed the actor’s web browser tabs displaying similar Shodan queries and remote access tools.”
That is not to say each of the observed attacks was a major heist. In some cases, the hackers were so unskilled they did not even understand what it was they had uncovered, or they were simply trying to boost their reputations. In one case, a forum user had proudly displayed what they thought was the control system for a railroad, including screens displaying gauges and speed controls for a locomotive. As it turns out, the hacker was half-right: it was the remote control for a train, a model set for home hobbyists. The hack might dampen a model railroad buff’s afternoon, but it would hardly be an industrial disaster.
In another logged case, hacktivists angry over Israeli attacks on factories at Iranian weapons facilities boasted of taking revenge by hacking into a gas plant in Israel. Little did they know that their prized trophy was just the ventilation system for a restaurant in Ramat Hasharon. While amusing, these hacker bloopers are not something that should be particularly comforting to administrators and security providers. That threat actors prone to such basic errors were able to access the full gamut of devices underscores just how poor the current state of OT network security is. If an adversary with little knowledge can get in without even really knowing what they are doing, imagine the havoc that could be wreaked by a skilled, determined intruder.
On the bright side, FireEye said that in many cases admins can lift their networks out of the ranks of low-hanging fruit by following some simple security best practices. These include patching and isolating hardware whenever possible. The researchers also advised that companies keep a close eye on all devices on their networks and limit access from any unnecessary ports or applications.
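The two pieces of advice above (isolate OT hardware, and close ports the asset does not need) can be checked mechanically against firewall logs. The following script is an added example written for this article; it is not FireEye's tooling or code from the research post. It assumes a hypothetical OT asset inventory, a site address space made up of the RFC 1918 ranges, and constructed, syslog-style firewall lines whose external source addresses are taken from the RFC 5737 documentation ranges. It flags every accepted flow to an OT asset that either arrives from outside the site's own address space or lands on a port the asset does not need, and it calls out the commodity remote-access services (VNC on 5900 is the one named in the article) separately so an administrator can prioritise them.

```python
"""Audit accepted firewall flows against an OT asset inventory.

Flags the two conditions the article's mitigation advice addresses: an OT
asset reachable from outside the site's address space (isolation failure),
and an OT asset reached on a port it does not need (unnecessary port),
noting commodity remote-access services such as VNC on 5900.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed inventory (hypothetical hosts and roles, not from the article):
# each OT asset and the only ports it legitimately needs reachable.
OT_INVENTORY = {
    "10.20.0.11": {"role": "solar-inverter-hmi", "allowed_ports": {502}},
    "10.20.0.12": {"role": "dam-camera-nvr", "allowed_ports": {443}},
    "10.20.0.13": {"role": "mine-datalogger", "allowed_ports": {502, 20000}},
}

# The site's own address space (assumed RFC 1918); anything else is external.
# ipaddress.is_global is deliberately not used: Python classes the RFC 5737
# documentation ranges in the sample log as non-global, which would hide them.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Commodity remote-access ports; 5900/VNC is the one the article names.
REMOTE_ACCESS_PORTS = {5900: "vnc", 3389: "rdp", 23: "telnet"}

# Constructed, syslog-style firewall lines; external sources are RFC 5737 examples.
SAMPLE_LOG = """\
2021-05-25T10:01:02Z fw01 ACCEPT src=198.51.100.7 dst=10.20.0.11 proto=tcp dport=5900
2021-05-25T10:01:05Z fw01 ACCEPT src=10.20.0.50 dst=10.20.0.11 proto=tcp dport=502
2021-05-25T10:02:11Z fw01 ACCEPT src=203.0.113.9 dst=10.20.0.12 proto=tcp dport=443
2021-05-25T10:03:40Z fw01 ACCEPT src=203.0.113.9 dst=10.20.0.13 proto=tcp dport=23
2021-05-25T10:04:00Z fw01 DROP src=192.0.2.4 dst=10.20.0.13 proto=tcp dport=5900
2021-05-25T10:05:17Z fw01 ACCEPT src=10.20.0.50 dst=10.20.0.13 proto=tcp dport=5900
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    role: str
    dport: int
    reasons: list = field(default_factory=list)


def is_external(ip: str) -> bool:
    """True when the address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def audit(log_text: str, inventory=OT_INVENTORY) -> list:
    """One Finding per accepted flow that breaks isolation or the port allow-list."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # malformed lines and blocked flows are not exposures
        asset = inventory.get(rec["dst"])
        if asset is None:
            continue  # destination is not a tracked OT asset
        reasons = []
        if is_external(rec["src"]):
            reasons.append("reached from outside site address space")
        if rec["dport"] not in asset["allowed_ports"]:
            reasons.append(f"port {rec['dport']} not required by this asset")
        if reasons and rec["dport"] in REMOTE_ACCESS_PORTS:
            reasons.append(f"commodity remote-access service ({REMOTE_ACCESS_PORTS[rec['dport']]})")
        if reasons:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"],
                                    asset["role"], rec["dport"], reasons))
    return findings


def externally_exposed(findings) -> dict:
    """Map each OT asset to the set of ports it was reached on from outside."""
    exposed = {}
    for f in findings:
        if is_external(f.src):
            exposed.setdefault(f.dst, set()).add(f.dport)
    return exposed


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.src} -> {f.dst} ({f.role}) tcp/{f.dport}: " + "; ".join(f.reasons))
    print("externally exposed:", externally_exposed(results))
```

On the sample log the script reports four findings: the solar HMI reached on VNC from outside, the dam camera recorder reached from outside on a port it does need (an isolation problem even though the port is allowed), the data logger reached on telnet from outside, and the data logger reached on VNC from an internal host (an unnecessary port, worth closing even without external exposure). The blocked VNC attempt is ignored, since a dropped flow is evidence the control is working. In practice the inventory would come from the asset register and the log from the perimeter firewall or flow collector; the per-asset allow-list is what turns a generic port check into the "limit access from any unnecessary ports" control the researchers recommend.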