Operation technology sees rise in targeted remote access Trojans and ransomware

October 6, 2021 by

Greg Belding

Operation technology (OT) is used in many critical infrastructures and industrial settings today and is the operational brain behind much of what we enjoy in the modern world. Attack groups know this, and when they target OT, it can have a more wide-reaching impact than the typical retailer or financial institution data breach. Researchers with IBM and Dragos have been tracking trends in OT attacks and have released a report that presents some interesting findings of OT attack trends. 

Learn ICS/SCADA Security

Explore realistic critical infrastructure scenarios and build your security skills with hands-on labs, on-demand courses and live boot camps.

Start Learning

The seriousness of attacks targeting OT

Cyber threats don’t just target Enterprise IT but OT as well. While Enterprise IT threats make up the lion’s share of overall threats, statistically speaking, attacks on OT can have a greater impact on society. Much of the modern world, such as critical infrastructure, chemical plants, industrial machinery and even passenger automobiles, rely on OT to function. Threats that target OT can cause chemical spills, crashes of passenger vehicles, industrial machinery malfunctions and utility/power outages. Many aspects of the modern world rely on OT, and disrupting it can have wide-reaching chaotic effects on society in general.

Without further ado, let’s delve into the IBM and Dragos research teams’ findings!

Report recap

Ransomware is still king

Following the trend from 2019, ransomware attacks were the most common threat targeting OT. Common might be better phrased as “number one with a bullet,” as demonstrated by the percentages of attack types that make up the OT threat landscape:

Ransomware: 33%

RAT: 15%

Insider Threat: 13%

DDoS: 11%

Credential theft: 11%

Server access: 9%

Worm: 4%

Web script: 4%

 The most observed ransomware strains used in attacks against OT organizations were Medusa, EKANS, Nefilim, PJX and Egregor. The skill level of attackers targeting OT with ransomware can vary greatly (with many attackers being of a novice skill level), and looking at the numbers, what we can say is there is something about organizations using OT that makes them more attractive targets for ransomware attacks than other cyberattack types.

The “something” referred to above has a couple of different reasons. There are likely more reasons that only the attackers themselves know:

• Inadequate security updates: Many organizations are unwilling to invest the time and resources to keep their OT security updated in the face of OT ransomware attacks. This is complicated by OT systems not being air-gapped and malware coming into the OT environment from insiders, both malicious and unwitting
• Companies are willing to pay: While there is a contingent of hacktivists out there are not in it for the money, many cybercriminals are, and they know that governments and organizations are willing to do almost anything in many situations to make the ransomware go away — in other words, ransoms get paid
• Sheer impact: ransomware attacks on OT can have crippling effects on vital services in society, which means some attack groups use the impact their attacks cause as a platform to make a statement (hacktivists)

Remote access trojans (RAT)

The second most commonly seen attack type in 2020 were RATs that came in with 15%. RATs provide a lot of heavy lifting in the early stages of cyberattacks, such as allowing threat actors to gain access to a device and helping to install various forms of surveillance on a targeted OT system. Some of the most seen RATs on OT-connected networks in 2020 were Trickbot, jRAT and Adwind.

Based upon research/observed trends, RATs are most commonly used in the following scenarios:

• To control HMI from an operator workstation
• To control HMI from an engineering workstation
• To control SCADA from an operator workstation
• To provide SCADA maintenance from an engineering workstation or a computer of a third-party vendor in an external network
• To connect multiple operators to one operator workstation (thin client-like architecture used to save money on licenses for the software used on operator workstations)
• To connect to a computer on the office network from the OT network via HMI and perform various tasks on that computer (access email, access the internet etc.).

Insider threats

Coming in as a close third with 13% of the OT-related threat pie is insider threats. The most important thing to take away from this threat is that 60% of all insider threats in 2020 were malicious. Examples of insider threats observed in 2020 were organization employees connecting to websites that hosted or were infected with malware and inside employees selling proprietary organization data on third-party websites. 

Learn ICS/SCADA Security

Explore realistic critical infrastructure scenarios and build your security skills with hands-on labs, on-demand courses and live boot camps.

Start Learning

The impact attacks have against OT is huge

All cyberattacks should be taken seriously. However, those attacks against OT can have a disproportionately large impact on society because of the vital role it plays in critical infrastructure. The combined research that makes the Report includes OT attack data to better round out their threat research. Ransomware was the most common attack type in 2020, but other attack types, such as RATs and insider threats, can pose a significant risk to organizations using OT.

Sources

• X-Force Threat Intelligence Index 2021. IBM Security
• Rise of ransomware: Why OT is a prime target for cybercriminals. Security Magazine
• Attacks on Operational Technology from IBM X-Force and Dragos Data. Security Intelligence