A recent report has shown that cybercriminals are treating OT infrastructures as ‘just another network’ to attack with highly-inclusive ransomware.

Financially-motivated threat actors have increased their nefarious activities against Operational Technology (OT) infrastructures. Seven ransomware families, including DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim and SNAKEHOSE, have been deployed, according to a new report by Mandiant Threat Intelligence.

Due to the need for digitalization, OT networks have continued to become more accessible to threat actors of all motivations. Security threats that historically targeted primarily IT systems are becoming more commonplace on OT infrastructures.

This normalization of OT as just another network (from the threat actor perspective) is problematic. According to the authors, “this recent threat activity should be taken as a wake-up call for two main reasons: the various security challenges commonly faced by organizations to protect OT networks, and the significant consequences that may arise from security compromises even when they are not explicitly designed to target production systems.”

OT ransomware with a deadly kill list

While most types of ransomware attacks in OT environments will result in the disruption of services and a temporary loss of view into current and historical process data, OT environments hit by ransomware that uses the latest kill lists associated with the seven ransomware families may face additional impacts.

For example, “historian databases would be more likely to be encrypted, possibly resulting in loss of historical data. Other impacts could include gaps in the collection of process data corresponding to the duration of the outage and temporary loss of access to licensing rights for critical services.”

The report reiterates that the likelihood of financially-motivated actors impacting OT while seeking to monetize intrusions will continue to rise for the following reasons:

  • Financially-motivated threat actors moving to a post-compromise ransomware model will continue to evolve and find ways to reach the most critical systems of organizations as part of their mission of monetization. As these actors are mainly driven by profits, they are not likely to differentiate between IT and OT assets.
  • OT organizations will continue to struggle to evolve at the same pace as cybercriminals. As a result, small weaknesses such as misconfigurations, exposed vulnerabilities or improper segmentation will be enough for financial actors to gain access to networks in their attempts to profit from intrusions.
  • As the market for OT solutions continues to incorporate IT services and features into broadly-adopted products, the convergence of technologies is expected to result in a broader attack surface for financial threat actors to target.
  • The methods employed by both financial and sophisticated nation-state actors often rely on intermediary systems as stepping stones through intrusions. As a result, the skills of both groups hold similar potential for reaching OT systems, even when financial groups may only do so coincidentally or as part of their monetization strategy.

“Asset owners need to look at OT security with the mindset that it is not if you will have a breach, but when. This shift in thinking will allow defenders to better prepare to respond when an incident does happen, and can help reduce the impact of an incident by orders of magnitude,” the report advised.