ICS, OT-targeted attacks register 2,000% increase, Mirai hits enterprise-grade hardware

The attacks peaked in June 2019 but descended starting October. Despite the descent in October, IBM X-Force warns OT/ICS targets will escalate in 2020 with new attacks expected to target global industrial networks.

The ICS attacks identified at the peak in 2019 were linked to campaigns launched by APT group Xenotime and by Hive0016 (APT33). Directly connected to Russia, Xenotime aggressively went after oil and gas industries in the Middle East and electric utility companies in the U.S. Hive0016 has been linked to Iran.

As reported by ThreatPost, Xenotime released last year a highly sophisticated piece of ICS-tailored malware, similar to 2010s Stuxnet that crippled Iran’s nuclear program, confirming industry predictions that targeted attacks against industrial processes are on the rise.

Companies choosing to deploy hybrid infrastructures were most at risk, IBM X-Force says, due to an “overlap between IT infrastructure and OT, such as Programmable Logic Controllers (PLCs) and ICS.” This merger creates a favorable environment for threat actors to easily target and breach OT devices that run physical assets and function on legacy software and hardware. A 2019 ransomware attack identified by IBM X-Force IRIS on a global manufacturing company crippled its operations but it generated a high recovery cost that affected its global market share.

The report warns that outdated production systems, with known vulnerabilities that can no longer be patched are easy targets for infection that will ultimately spread laterally across the infrastructure. In 2019 alone, over 200 new ICS-related CVEs were distributed online.

The total number of breached records exposed in 2019 was estimated at more than 8.5 billion, registering a threefold year-over-year increase compared to 2018. The spike was triggered by a tenfold year-over-year increase in misconfigurations.

The high volume of lost records in the multiple industries, including the professional services sector, emphasizes the thriving threat landscape and growing risk for sectors that were not seen as appealing attack marks in the past years.

Mirai malware still kicking in 2019, targeting enterprise-grade hardware

Turning to the monthly volume of consumer and enterprise IoT attacks, threat vectors are slowly turning to enterprises, yet consumer IoT attacks remain most prevalent.

According to the report, a number of Mirai malware campaigns were detected in 2019 that were compromising not only consumer electronics but also enterprise-grade hardware. This is was not the case in 2018. Threat actors can use Mirai to infiltrate devices that have network access and then spread across the organization.

Mirai was first identified as sophisticated IoT malware back in 2016 when it infected more than 150,000 IoT devices and manipulated them to launch a massive DDOS attack. According to the report, the manipulation method has changed from two years ago, and the malware is now actively going after enterprise hardware.

Command injection (CMDi) attacks automated by scripts are also on top of the 2019 IoT-targeted attack list. They scan the network for vulnerable IoT devices with weak or default credentials and inject a payload that once executed will turn the compromised devices into a large scale IoT botnet.

The spike in cyberattacks against firmware and software elements of embedded systems combined with a new ransomware strain with ICS-specific functions detected in the wild has triggered industry concern and regulatory interest in IoT security. As a result, vendors are aiming to fortify IoT devices. For example, the Trusted Computing Group (TCG) has recently introduced a set of guidelines addressing software and firmware updates for embedded systems.

Article Topics

IBM  |  ICS  |  IIoT  |  Mirai  |  operational technology  |  SCADA  |  security  |  threat intelligence