Researchers set up a mock factory network — and watched the criminals rush in
The 2017 WannaCry-fueled shutdown of a car facility and other high-profile infections make ransomware too big to ignore for the manufacturing sector. But while factory operators reckon with their security weaknesses, they sometimes lack information on how and why their networks attract the interest of digital thieves.
In search of those answers, researchers at cybersecurity company Trend Micro ran a simulated factory network for seven months that invited all sorts of digital miscreants into the fray. Different attackers used the mock network, or honeypot, to mine cryptocurrency and infected it with two strains of a ransomware known as CrySIS.
“These are career ransomware actors that are doing these things,” Trend Micro senior threat researcher Stephen Hilt told CyberScoop, reflecting on how professionalized and sector-agnostic ransomware attacks have become.
In both cases, the attackers were able to lock up files on the network by breaching the faux factory’s robotics workstation, which was exposed to the internet. The researchers had very weak security controls in place to make a point: some small businesses, even those in critical infrastructure sectors, fail to do the basics.
There was also raw opportunism on display.
“They were going after [the honeypot] because it was a computer on the internet,” Hilt said. For the attackers, it was just another potential ransomware target, albeit one that purported to support critical manufacturing processes.
“The longer we were exposed, the more activity we saw — and the more sophisticated attacks appeared to be compared to standard penetration-testing techniques,” the researchers concluded in an analysis of the experiment.
There weren’t any attacks on the simulated factory’s programmable logic controllers, a type of control system common in critical infrastructure operations. There was only a series of scans to gather more information on the PLCs.
To make their honeypot more realistic, the Trend Micro researchers set up an online profile for their fictional company, complete with a list of employees. They also negotiated with the attackers after their system had been infected.
“This is not cool!!” Hilt wrote in one email to the attacker, complaining about potential factory downtime.
Tellingly, the ransom demanded by different attackers went down over the course of the experiment from $10,000 to less than a $1,000.
“I’m pretty sure [the honeypot’s system information] was being sold somewhere in the underground,” Hilt said wryly before presenting his team’s research Tuesday at S4, the annual industrial cybersecurity conference in Miami Beach.
Hilt suspected that word was getting out on underground forums about a network — his honeypot — that could be held for ransom or abused in other ways. He noticed a lot of scanning of the honeypot’s files — data that was fed back to other attackers.
The Trend Micro researchers hope their findings will help factories strengthen their defenses against a threat that shows no sign of abating. In the first half of 2019, 50% of “destructive malware attacks,” a category that in this case included ransomware, affected the manufacturing sector, according to IBM.
“[W]e created openings for attacks that could realistically be found in actual smart factories,” the Trend Micro researchers said. Basic security practices, like not leaving control systems exposed online, can render many of those attacks ineffective.
