Skip links

Cybercrims: When we hit IT, they sometimes pay, but when we hit OT… jackpot

Analysis Cybercriminals follow the money, and increasingly last year that led them to ransomware attacks against the manufacturing industry.

Operational technology security firm Dragos, in its 2023 year-in-review report [PDF], found 70 percent of all industrial org ransomware infections hit manufacturing companies. 

Specifically: 638 entities across 33 unique manufacturing subsectors fell victim to ransomware last year.

“Sure, we’re seeing [attacks against] oil and gas and electric, but manufacturing is an order of magnitude larger,” said Dragos CEO Robert Lee on a call with reporters, adding that the explanation for this is twofold.

First, manufacturing organizations bought into the whole idea of “digital transformation” earlier than their counterparts in, say, water and wastewater, Lee explained. But while manufacturing was investing in IoT and connected machines, the spending on security didn’t keep pace with that, and as a result these insecure systems make for easier targets.

Manufacturing “is a richer target” for criminals, Lee said. “And we will see oil and gas, electric, water, mining follow that trend… as those industries become more digitally connected.”

Along these same lines: Dragos’ report found that manufacturing (51 percent of those surveyed) continues to struggle the most with segmentation, compared to other industrial sectors. 

Transportation came in second place, with 43 percent of these orgs having a hard time implementing a network defense that prevents intruders from moving across systems and environments.

The second reason has to do with criminals following the money. “Ransomware groups don’t explicitly target OT because they know OT,” Lee said. “They say, ‘This part of the network, IT, we hit it and they sometimes give us money. And then there’s this weird stuff. When we hit it, they pay and they pay fast.”

The “weird stuff” here is the OT and industrial control systems — in other words, the systems that benefit manufacturing companies’ bottom line, and when disrupted, causes downtime and financial losses.

“It’s not so much that they are OT experts, it’s just that they know they are impacting the revenue-generation portion of those companies,” Lee said. “As a result, the companies are willing to pay and pay faster, and so [the criminals] keep doing that.”

Additionally, with manufacturing and other critical-infrastructure sectors, there’s the issue of supply-chain attacks, where exploiting a vulnerability in one commonly used piece of software or equipment can allow criminals to mass target organizations for ransomware infections — or worse.

PSI ransomware infection

Earlier this month, German control systems provider PSI Software, whose global customers include energy, utility companies, metals producers, manufacturers and transportation network operators, disclosed a ransomware infection that continues to disrupt its systems.

The company initially detected the intrusion on February 14, and by the following day shut down its email and other IT systems.

“After the malware was executed by the attackers, all IT systems were immediately disconnected from the network and the technical connections to the outside world — including to our customers — were disconnected,” PSI said in an incident report on its website.

As of February 22, the company’s internal IT systems remained offline. 

“We are currently in the process of restoring the basic systems,” a PSI spokesperson told The Register. “As soon as the basic infrastructure has been set up, the most important IT systems will gradually be restarted.”

PSI is also working on an interim fix for email and other core services, “to keep the restrictions for our customers as low as possible,” the spokesperson added. “However, experience from similar incidents at other companies show that it could take several weeks before regular operations can be resumed.”

The company hasn’t yet determined if the attackers stole any data, including customer data, in the intrusion. PSI declined to answer additional questions about the ransomware infection.

While removing internet access and shutting down the email system to prevent data theft is a necessary move in these types of attacks, “these types of actions… are likely to have little-to-no impact on data exfiltration,” Steve Stone, head of Rubrik Zero Labs, told The Register.

To be clear, the data security shop has no “direct knowledge of the intrusion of PSI’s systems,” he added. 

Still, “virtually all ransomware groups steal the data before they launch the encryption tools, so many organizations will find their data was likely already gone before the ransomware was used,” Stone said.

Plus, he added, while attacks on manufacturing and industrial control system receive a lot of attention — and for good reason — most of the ransomware intrusions happen in these org’s traditional IT environments as opposed to the control systems themselves.

Manufacturing attacks still start in IT systems — for now

“Manufacturing and ICS-related entities still need standard networks and these are almost universally where cyberattacks take place,” Stone said. “Where impacts are noted, it is typically within controls leveraging standard technology instead of specific manufacturing or ICS equipment.”

This is the case with a critical, 9.8 CVSS rated vulnerability affecting Mitsubishi Electric Machines [PDF], which are widely used in global manufacturing sectors. 

CISA sounded the alarm on this flaw on February 20. And while it affects the electrical discharge machines, the bug itself exists in Microsoft Message Queuing service that is used by the Mitsubishi equipment.

If exploited, CVE-2023-21554 could allow an attacker to disclose, tamper with, destroy or delete information in the products, or cause a denial-of-service condition on the products. 

“It’s basically a maliciously malformed message that can cause remote code execution, which is as bad as it gets,” Contrast Security co-founder and CTO Jeff Williams told The Register.

The good news: “I doubt too many of these are on the public internet,” he added.

And while this flaw could be exploited to deploy ransomware, it’s unlikely that is how criminals would abuse it.

Exploiting this bug for a ransomware infection “is like breaking into your office and locking the file cabinets, instead of stealing your IP, taking control of your bank accounts, and killing your employees,” Williams said. “With this flaw they can completely control the Mitsubishi system and do anything it can do, and access anything it can access.”

To be clear: we don’t have any indications that this Microsoft Message Queuing vulnerability has been exploited in the wild. 

LAURIONITE lasers in on manufacturing

The Dragos report, however, highlights another commonly used enterprise IT product that was used to break into industrial organizations. Specifically CVE-2022-21587 and CVE-2022-21589, both flaws in Oracle E-Business Suite iSupplier web services that Dragos describes as “one of the most widely used enterprise solutions for integrated business processes” with customers including United States Steel and Unifi textile manufacturing.

The OT security shop detected a threat group it tracks as LAURIONITE exploiting these flaws in vulnerable Oracle iSupplier instances as early as March 5, and then moving laterally through the manufacturers’ environments, performing internal reconnaissance, and stealing data.

“While current observations and visibility of LAURIONITE operations do not indicate the adversary seeks to advance to OT networks, Dragos cannot discount this as a possible course of action the adversary may select in the future,” according to the report.

This group, and its continued focus on vulnerable systems within manufacturing companies, doesn’t just pose a threat to corporations intellectual property, Lee said. While LAURIONITE hasn’t disrupted manufacturing lines, or manipulated the makeup of what is being produced, it could.

“It’s a good example of that kind of IT-OT connectivity that can impact operations and society in general through what looks like a mundane compromise of IT networks,” Lee added. ®