Utility ransomware attacks becoming more sophisticated, new 'honeypot' operation finds

Dive Brief:

Boston-based security firm Cybereason created a fake industrial control network designed to look like an electricity company with operations in North America and Europe and watched as hackers broke in within three days by compromising an administrator password that was insufficiently secure.
The "honeypot" operation revealed hackers are increasingly using sophisticated multistage ransomware attacks as they target industrial control systems (ICS) owned by critical infrastructure providers.
With more companies now purchasing insurance to guard against ransomware, Cybereason warned these types of attacks will increase in frequency "until the cost of the insurance becomes comparable to the cost of fixing the problem.”

Dive Insight:

Cybereason's honeypot operation — in which hackers are lured to break into a fake ICS network to study their methods — revealed increasingly targeted tactics and resulted in a dire warning for the electric sector and critical infrastructure more broadly.

"It is only a matter of time before a catastrophic event occurs, putting a nation in the dark or causing damage to the integrity of our electricity networks, water systems, or SCADA networks," Cybereason Chief Information Security Officer Israel Barak wrote in an analysis of the operation.

Once the fake utility network was live, the company says hackers broke in quickly "by brute forcing the admin password, which had medium complexity." The attackers then placed ransomware on each compromised machine early in the process, "but didn’t detonate it immediately."

Hackers executed other types of attacks on the network, including data theft and stealing user passwords. Once those attacks were complete, the ransomware was activated on all infected machines simultaneously.

"This is a common trait to multistage ransomware campaigns, that is intended to amplify the impact of the attack on the victim," Cybereason's report said.

“Ransomware threats to critical infrastructure providers should be a top concern for security teams," Barak wrote. "In the ICS industry, we are seeing fewer strains of ransomware yet the existing strains rake in more gains. Hackers do this by better targeting and making more money from each target. We can expect to see an increase in multistage ransomware embedded into hacking operations in the foreseeable future."

Other security experts echoed that warning. They say the hackers' methods were similar to another ransomware attack in the news last week, which forced multiple Honda auto factories to briefly shut down. And they say it demonstrates the need for more secure passwords and new types of network monitoring.

"Similar to the Honda ransomware attack we saw earlier this week, the attackers exploited an exposed [Remote Desktop Protocol] port with weak authentication to gain initial entry," CyberX Vice President Phil Neray said in an email. "This is yet another example of why behavioral anomaly detection, at both the network and endpoint layers, is essential for quickly spotting these attacks."

Cybereason's threat research shows how pervasive the cyber risk is to the industrial sector, PAS Global Chief Marketing Officer Matthew Selheimer told Utility Dive.

"And the attack surface is only going to increase as digitalization initiatives proceed in industrial environments," Selheimer said. "The fact that the honeypot was overwhelmed with malware in just three days should be a wake up call for the industrial sector."

Ransomware, which holds hostage company network systems and data until a monetary demand is paid, will continue to be an ongoing issue, IronNet Security Strategist Bill Swearingen told Utility Dive. In particular, hackers will focus on remote desktop servers which allow remote employees to access company systems.

"The attack demonstrated in this paper is an excellent example of a single weak password on an internet facing host resulting in the catastrophic failure of multiple systems," Swearingen said.

The growing cybersecurity threat to the electric grid has been recognized for years. The North American Electric Reliability Corp. has been working to boost security through Critical Infrastructure Standards and a series of new vendor requirements. The beefed up security protocols had been set to go into effect next month, but were delayed until October due to the COVID-19 pandemic.

Because those rules have been in the works for years, security experts say most utilities are either protected or are in the process of implementing them. But the situation was complicated in May, when President Donald Trump issued an executive order blocking the installation of bulk power system equipment sourced from adversaries of the United States.

Details of how the the order will be enforced are still unclear, but observers say it is already having an impact.

"We're already seeing utilities limiting procurement," Tobias Whitney, vice president of energy security solutions at Fortress Information Security, told Utility Dive. The U.S. Department of Energy is supposed to issue regulations to implement the order this fall, but many in the sector say it will be tough to hit that deadline and it is more likely they will be finalized next year.

Going forward, Cybereason's Barak says utility systems must be built with an eye towards keeping them secure.

"Resiliency and security can no longer be an afterthought," Barak wrote. "As new critical infrastructure systems are built and installed, legacy networks will be retired and taken offline. It is very important for next-generation systems to be built with resiliency and security in mind. The design and ongoing operation of the system must take into consideration what security threats will become commonplace in the months and years ahead."