A new development in malware threats is ransomware that threatens OT security and aims to disrupt OT systems. For example, we recently wrote about the Snake file-encrypting ransomware, which is similar to the preceding MegaCortex malware. Both threats include code that specifically attempts to kill software processes that manage OT networks, and both have the explicit goal of causing process disruption.
In the past, direct attempts to target machinery, or industrial processes, have been advanced threats (Stuxnet, Duqu, Flame) attributed to nation state attacks. Now, we’re seeing simple, crude examples of ransomware that could have a significant impact on OT networks.
Unrefined ransomware malware that aims to disrupt control processes and encrypt files is increasingly a threat to OT security and reliability.
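The behaviour described above, a burst of process-termination commands aimed at OT management software before encryption starts, is something a defender can look for in endpoint telemetry. The following is an added detection example, not code from Nozomi Networks or from the malware analysis it references. It runs over constructed JSON-lines records with Sysmon-style field names (`UtcTime`, `Computer`, `ParentProcessGuid`, `ParentImage`, `CommandLine`); the OT process names in `OT_WATCHLIST` are placeholders for whatever a site considers critical, not the malware's actual kill list.

```python
"""
Added detection example (not Nozomi Networks code): raise an alert when one
parent process stops several watchlisted OT processes or services in a short
window. Input is constructed JSON-lines telemetry with Sysmon-like field names.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder names of processes an OT site would consider critical (hypothetical).
# Stored without ".exe" so image names and service names compare alike.
OT_WATCHLIST = {"hmi_runtime", "historian_svc", "opc_server", "plc_gateway"}

# Commands that terminate a process (taskkill /im) or stop a service (net/sc stop) by name.
KILL_PATTERNS = [
    re.compile(r'taskkill(?:\.exe)?\b.*?/im\s+"?([\w.\-]+)"?', re.I),
    re.compile(r'\b(?:net(?:\.exe)?|sc(?:\.exe)?)\s+stop\s+"?([\w.\-]+)"?', re.I),
]


def normalise(name):
    """Lower-case and drop a trailing .exe so 'HMI_Runtime.exe' matches 'hmi_runtime'."""
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name


def killed_target(command_line):
    """Return the normalised process/service name a command line terminates, or None."""
    for pattern in KILL_PATTERNS:
        match = pattern.search(command_line)
        if match:
            return normalise(match.group(1))
    return None


def detect_kill_burst(json_lines, threshold=3, window_seconds=60):
    """
    Group watchlisted kill commands by (host, parent process) and return one
    alert per parent that issued at least `threshold` of them within
    `window_seconds`. Routine maintenance rarely stops several OT services
    from a single unknown parent in under a minute.
    """
    by_parent = defaultdict(list)
    for raw in json_lines:
        event = json.loads(raw)
        target = killed_target(event.get("CommandLine", ""))
        if target is None or target not in OT_WATCHLIST:
            continue
        when = datetime.fromisoformat(event["UtcTime"])
        key = (event["Computer"], event["ParentProcessGuid"], event["ParentImage"])
        by_parent[key].append((when, target))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for (host, parent_guid, parent_image), kills in by_parent.items():
        kills.sort()
        for start in range(len(kills)):
            first_ts = kills[start][0]
            in_window = [t for (ts, t) in kills[start:] if ts - first_ts <= window]
            if len(in_window) >= threshold:
                alerts.append({"host": host, "parent_image": parent_image,
                               "parent_guid": parent_guid, "targets": in_window})
                break  # one alert per parent process is enough
    return alerts


# Constructed sample telemetry: an unknown parent on ENG-WS01 stops three
# watchlisted processes within 20 seconds (plus one unrelated process);
# a separate cmd.exe stops a single watchlisted process later on.
SAMPLE_EVENTS = [
    r'{"UtcTime":"2020-02-10T03:14:05","Computer":"ENG-WS01","ParentProcessGuid":"{P1}","ParentImage":"C:\\Users\\Public\\update.exe","CommandLine":"taskkill /f /im HMI_Runtime.exe"}',
    r'{"UtcTime":"2020-02-10T03:14:09","Computer":"ENG-WS01","ParentProcessGuid":"{P1}","ParentImage":"C:\\Users\\Public\\update.exe","CommandLine":"net stop historian_svc"}',
    r'{"UtcTime":"2020-02-10T03:14:12","Computer":"ENG-WS01","ParentProcessGuid":"{P1}","ParentImage":"C:\\Users\\Public\\update.exe","CommandLine":"taskkill /f /im notepad.exe"}',
    r'{"UtcTime":"2020-02-10T03:14:25","Computer":"ENG-WS01","ParentProcessGuid":"{P1}","ParentImage":"C:\\Users\\Public\\update.exe","CommandLine":"sc stop opc_server"}',
    r'{"UtcTime":"2020-02-10T03:20:00","Computer":"ENG-WS01","ParentProcessGuid":"{P2}","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"taskkill /im plc_gateway.exe"}',
]

if __name__ == "__main__":
    for alert in detect_kill_burst(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample this yields a single alert for the `update.exe` parent with three watchlisted targets; the lone `cmd.exe` kill stays below the threshold. The threshold and window are tuning knobs: a site with scripted maintenance that legitimately restarts several services should exclude those scripts' parent images rather than raise the threshold.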
Ransomware Disrupts Natural Gas Compression Facility
A case in point is a cyberattack against a natural gas compression facility that occurred this month. The method of entry was spear phishing, used to obtain access to the IT network. Then, due to inadequate segregation between the networks, the attackers were able to pivot into the OT network. Once there, they deployed a strain of ransomware on both networks, causing the operator to lose visibility into the OT network.
While there was no impact to the control of operations, the victim had to temporarily suspend operations, resulting in loss of production and revenue.
How to Reduce the Risk of OT Ransomware
Asset owners can reduce their risk of this type of attack by:
- Prioritizing robust segmentation between IT and OT networks with firewall rules that consider the requirements of each zone
- Training users to identify possible spear phishing messages, not click them, and report them to cybersecurity staff
- Training users not to visit malicious websites
- Checking that public services are configured properly
- Using a tool that provides visibility into networks and systems and identifies unpatched services, making it easy for administrators to shut down avenues that provide an initial foothold into a network
- Requiring multi-factor authentication for remote access to networks
- Subscribing to a service that provides ongoing threat intelligence updates
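The first item in the list, segmentation with firewall rules that reflect each zone's requirements, is easiest to keep honest when the required cross-zone flows are written down and the rule base is checked against them. The following is an added example, not Nozomi Networks code: a small review that takes a list of boundary rules and a documented set of required flows and reports every allow rule that is broader than, or absent from, those requirements. The zone names, the `REQUIRED_FLOWS` entries and the sample rules are constructed placeholders; a real site substitutes its own justified flows.

```python
"""
Added example (not Nozomi Networks code): review IT/OT boundary firewall
rules against a documented list of required cross-zone flows. All data
below is constructed; REQUIRED_FLOWS is a hypothetical placeholder.
"""

# Documented, justified cross-zone flows: (source zone, destination zone)
# -> set of (protocol, port). Anything else crossing a boundary is a finding.
REQUIRED_FLOWS = {
    ("IT", "OT"): {("tcp", 443)},    # hypothetical: HTTPS to an OT-side jump host
    ("OT", "IT"): {("tcp", 5432)},   # hypothetical: historian replication to IT
}


def review_rules(rules, required_flows=REQUIRED_FLOWS):
    """
    Return a list of (rule id, reason) findings. Each rule is a dict with keys
    id, src_zone, dst_zone, proto, port and action ('allow' or 'deny'); proto and
    port may be 'any'. The last rule is expected to be an explicit any/any deny.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src, dst = rule["src_zone"], rule["dst_zone"]
        if src == dst:
            continue  # intra-zone traffic is outside the scope of a boundary review
        flow = (rule["proto"].lower(), rule["port"])
        if "any" in (src, dst):
            findings.append((rule["id"], "allow rule with an 'any' zone spans the IT/OT boundary"))
        elif "any" in flow:
            findings.append((rule["id"], f"{src}->{dst} allow permits any service; restrict to required ports"))
        elif (src, dst) not in required_flows:
            findings.append((rule["id"], f"no documented requirement for any {src}->{dst} traffic"))
        elif flow not in required_flows[(src, dst)]:
            findings.append((rule["id"], f"{src}->{dst} {flow[0]}/{flow[1]} is not in the documented requirements"))

    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny"
            and last["src_zone"] == "any" and last["dst_zone"] == "any"
            and last["proto"] == "any" and last["port"] == "any"):
        findings.append(("policy", "final rule is not an explicit any/any deny"))
    return findings


# Constructed sample rule base (ids and ports are illustrative only).
SAMPLE_RULES = [
    {"id": 10, "src_zone": "IT", "dst_zone": "OT", "proto": "tcp", "port": 443, "action": "allow"},
    {"id": 20, "src_zone": "IT", "dst_zone": "OT", "proto": "any", "port": "any", "action": "allow"},
    {"id": 30, "src_zone": "IT", "dst_zone": "OT", "proto": "tcp", "port": 3389, "action": "allow"},
    {"id": 40, "src_zone": "OT", "dst_zone": "IT", "proto": "tcp", "port": 5432, "action": "allow"},
    {"id": 50, "src_zone": "OT", "dst_zone": "INTERNET", "proto": "tcp", "port": 443, "action": "allow"},
    {"id": 60, "src_zone": "OT", "dst_zone": "OT", "proto": "any", "port": "any", "action": "allow"},
    {"id": 999, "src_zone": "any", "dst_zone": "any", "proto": "any", "port": "any", "action": "deny"},
]

if __name__ == "__main__":
    for rule_id, reason in review_rules(SAMPLE_RULES):
        print(f"rule {rule_id}: {reason}")
```

On the sample rule base the review flags rule 20 (any service between IT and OT), rule 30 (a port with no documented requirement) and rule 50 (OT traffic to a zone with no justified flow at all), while the two documented flows and the closing deny pass. Running such a check whenever the rule base changes catches the "temporary" broad allow that the pivot in the incident above depends on.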
New Wave of OT Security Threat Requires Defense in Depth Countermeasures
The availability and use of unsophisticated ransomware targeting ICS environments represents a new wave of OT security threats, and operators should adjust their defenses to protect against it. Cybersecurity best practices such as strong segmentation, user training, proactive cyber hygiene programs, multi-factor authentication and continuously updated threat intelligence are the keys to avoiding control system disruption.
Security Research Manager, Nozomi Networks
Alessandro Di Pinto is an Offensive Security Certified Professional (OSCP) with an extensive background in malware analysis, ICS/SCADA security, penetration testing and incident response. He holds GIAC Reverse Engineering Malware (GREM) and GIAC Cyber Threat Intelligence (GCTI) certifications. Alessandro co-authored the research paper “TRITON: The First ICS Cyber Attack on Safety Instrument Systems” and “Analyzing the GreyEnergy Malware: from Maldoc to Backdoor”.