Industrial Control Systems (ICS) are essential for the functioning of critical infrastructures such as the energy and water grid or the manufacturing sector. These systems often referred to as Operational Technology (OT), are usually legacy systems with known vulnerabilities but no easy way to patch them.

Cyber criminals are increasingly leveraging these vulnerabilities and launching attacks. In fact, according to the latest IBM X-Force Threat Intelligence 2020 report, attacks against OT environments during 2019 increased over 2000% compared to 2018. Most of the observed attacks were centered around using a combination of known vulnerabilities within SCADA and ICS hardware components, as well as password-spraying attacks using brute force login tactics against ICS targets.

OT systems which often use legacy software and hardware lead to production systems that can no longer be patched and are riddled with older vulnerabilities. These unpatched OT systems are becoming easy prey for cyber criminals, who after gaining a foothold, perform lateral movement using simple exploitation techniques.

The attackers target these OT systems with the purpose of disrupting their availability and reliability and cause ripple effects in the national and global economy. That is the reason why the Verizon DBIR 2020 report indicates that these industries are targeted by financially motivated external actors, performing espionage.

Exploiting vulnerabilities is not the only threat vector. Lately, attackers seem to employ ransomware as a method to harm OT systems. The convergence of IT and OT infrastructure allows IT breaches to target OT devices controlling physical assets, which can greatly increase the cost to recover. The IBM X-Force report mentions an example where a global manufacturing company was infected by ransomware starting on an IT system, which then moved laterally into OT infrastructure and brought plant operations to a halt. The attack impacted not only the company’s own operations but also caused a ripple effect in global markets.

It appears that ransomware has become one of the key methods in which attackers are attempting to exploit infrastructure. According to a threat report from security company Dragos, cyber criminals are launching ransomware attacks that are specifically targeting ICS. The report details the characteristics of the ransomware known as Ekans. This ransomware, also known as Snake, first emerged in December 2019 and has been designed for use against Windows systems used in industrial environments.

Although this is not the first instance of ICS-targeting malware, with Triton malware being a recent example of a state-sponsored hacking campaign, researchers have concluded that Ekans looks to be the work of a cybercriminal operation getting involved in this space and that it represents “a unique and specific risk to industrial operations not previously observed in ransomware malware operations”.

Dragos’ researchers found that Ekans contains commands and processes aimed at stopping a number of industrial control system functionalities during a ransomware attack. This ransomware variant represents “a deeply concerning evolution in ICS-targeting malware” because it indicates that cyber criminals are now targeting ICS operation systems purely for financial gain.

According to the Dragos report, Ekans ransomware does not have a self-propagation mechanism. The malware has to be launched following a compromise of the target network. The researchers note that Ekans follows the same trend as in the Ryuk or Megacortex ransomware families, where self-propagation is avoided in favor of performing large-scale compromise of an enterprise network.

Security company Cybereason built a ‘honeypot’, which was designed to look like an electricity company with operations across Europe and North America. The network was made to look authentic to attract potential attackers by including IT and OT environments, as well as human interface systems. The infrastructure was built with common security issues found in critical infrastructures including internet-facing remote desktop ports, medium-complexity passwords, and some custom security controls including network segmentation.

The researchers found that it was only three days after the honeypot went live that the attackers discovered it and were finding ways to compromise. Their actions included a ransomware campaign that infiltrated parts of the network, as well as stealing credentials.

“Very early after launching the honeypot, the ransomware capability was placed on every compromised machine,” Israel Barak, chief information security officer at Cybereason, told ZDNet.

Hackers put ransomware onto the network by exploiting remote administration tools to gain access to the network and cracking the administrator password to log in and remotely control the desktop.

In their threat report, Dragos suggests a list of actions ICS organizations can take to mitigate ransomware attacks. First and foremost, it is recommended that OT systems are segmented from the rest of the IT network, so even if a standard Windows machine is compromised, attackers cannot move laterally onto systems that control infrastructure.

Having visibility into your assets and monitoring them continually to spot any abnormal behavior is essential to identify and isolate attacks before they reach their final target. Coupled with strict access controls, the ICS organizations can minimize the impact of intrusions and maintain business continuity.

Organizations should also ensure that systems are regularly backed up and backups are stored offline. Focusing on ICS operations, these backups must include the last known good-profile data to ensure a swift recovery and to minimize the impact of the attack.

ITEGRITI helps protect some of the nation’s most critical infrastructure, serving clients in the energy, healthcare, transportation, education, retail and financial sectors.  We develop and implement programs that mitigate cyber and compliance risk, supported by internal controls to measure, monitor and report ongoing program effectiveness. Our programs help companies avoid hacks and minimize business impact during a cybersecurity event. To learn more, visit our website or contact our experts.