Gregory Hale | isssource.com
One out of every seven leaks from industrial organizations posted in ransomware extortion sites is likely to expose sensitive OT documentation, researchers said.
Access to this type of data can enable attackers to learn about an industrial environment, identify paths of least resistance, and engineer cyber-physical attacks, according to a post written by Mandiant Threat Intelligence researchers Daniel Kapellmann Zafra, Corey Hildebrandt, Nathan Brubaker, and Keith Lunden.
On top of this, other data also included in the leaks about employees, processes, and projects can provide an actor with a very accurate picture of the target’s culture, plans, and operations, the researchers said.
In 2021, Mandiant identified over 3,000 extortion leaks released by ransomware operators. Of that number, 1,300 were from organizations in industrial sectors likely to use OT systems, such as energy and water utilities, or manufacturing. Mandiant researchers selected and retrieved what they said were a couple hundred of these samples by skimming through readily available file listings or other indicators of interest.
Learned OT Information
After initial triage, researchers collected and manually analyzed 70 leaks. In that analysis, the researchers found one out of every seven leaks contained at least some useful OT information, while the rest contained data related to employees, finances, customers, and legal documentation, among other things.
“The IT/OT barrier is more a logical separation than an actual one,” said Saumitra Das, CTO and cofounder of Blue Hexagon. “Attacks typically start on the IT side and propagate into OT because of improper network segmentation and privilege limitations. In light of this report, focusing on the IT/OT boundary and protecting access to the OT networks is critical because defending against a threat once inside the OT network is much harder. Attackers can not only use IT network compromise to laterally move to OT but can now obtain detailed information and diagrams so they can plan their attack into the OT side.”
Sensitive OT and network documentation exposed in ransomware extortion leaks is readily available for anyone to download, including security researchers, industry competitors, or threat actors. As the researchers showed, the most concerning scenario involves well-resourced attackers that have the capability to systematically hunt for data to learn about specific targets.
“The reality of today’s enterprises is that data is everywhere,” said Sam Jones, vice president of product management at Stellar Cyber. “It is on the computer, it is in SaaS apps, it is in homegrown apps, and it is likely now on employee personal computing assets. Unless a holistic data protection plan is in place, and an enterprise is detecting across all forms of the attack surface, this will likely be a worsening problem for most enterprises.”
Attacks After Getting Paid
“While ransomware is seemingly focused on getting paid to unlock your sensitive data, threat actors often return multiple times once they are successful at an attack, knowing the victim has paid once,” said Sanjay Raja, vice president of products and solutions at Gurucul. “We also knew they often replicate the data for themselves for sale even as they lock organizations out of their own data. However, this additional extortion through threats of posting the already stolen data is another example of how threat actors find ways to extract more out of their victims. It feels like a never-ending cycle for targeted organizations.”
Even if the exposed OT data is relatively old, the typical life span of cyber-physical systems ranges from 20 to 30 years, so a leak can remain relevant for decades, much longer than exposed information about IT infrastructure.
To prevent and mitigate the risks presented by exposed OT data, Mandiant advised organizations to:
- Create and enforce robust data handling policies for employees and subcontractors to ensure internal documentation is protected. Avoid storing highly sensitive operational data in less-secure networks.
- Place special attention on selecting subcontractors that implement comprehensive security programs to safeguard operational data.
- Victims of ransomware intrusions should assess the value of any leaked data to determine what compensatory controls can help decrease the risk of further intrusions.
- Change any leaked credentials and API keys. Consider changing exposed IP addresses for critical systems and OT jump servers.
- Periodically conduct red team exercises to identify externally exposed and insecure internal information.
More on the Mandiant report: Ransomware Attacks Expose OT Information (external link).