Nightmare cyberattack is comparable to a natural disaster – interview

Threat actors nowadays are infecting far more devices outside the usual scope of conventional IT systems. Powerful botnets could enable attackers to unleash cyberattacks that impact human life in a way only a calamity of nature could.

Researchers have recently discovered that threat actors employ ingenious schemes to target industrial systems. In one such scheme, attackers advertised password-cracking software for Programmable Logic Controllers (PLC) and Human-Machine Interfaces (HMI).

The expectation was that engineers would download the software and try to recover a lost password. However, once executed, the malware – dubbed “Sality” – would infect the system and turn it into a bot for its operators to use as they please.

Similar attacks against computers occur often, but the operators behind Sality specifically focused on industrial systems. Brian Contos, CSO of Phosphorus Cybersecurity, thinks we will see many more attacks targeting internet-connected devices outside traditional IT systems.

“If somebody wants to rent out a botnet, it doesn’t matter if it’s made of laptops and servers, or cameras and printers. The only important thing is that it has an IP address, internet connection, and it can do what the attacker wants it to,” Contos told Cybernews.

We sat down to discuss what kind of botnets we are likely to see in the future and how attackers can exploit devices falling into the extended internet of things (XIoT) category. Taken to its extreme, the impact could have disastrous consequences.

Could you elaborate on how threat actors used trojanized PLC and HMI password crackers like Sality on industrial targets? How does that work, and what’s the point of attacking such devices?

From an operational perspective, there isn’t much difference between an attack on a PLC or a traditional IT device. Like any user who might have lost a password, PLC users might try using Google to find a solution. Attackers know people will forget things and google it, and sure enough, there’s a tool online that says it will provide a crack if downloaded – but in reality, it hides malware.

Attackers distribute malware through black-hat search engine optimization (SEO). Google and other search engines will rank websites based on how many other sites point to something. If you google “Bradley Cooper,” a famous actor, and a million sites are pointing to a specific site, that’s going to rank higher than a website with only ten servers pointing to it.

Black-hat SEO works by employing a botnet. An attacker might have thousands or tens of thousands of devices saying, “go to this site if you google Bradley Cooper.” And now, suddenly, a malicious website is ranked really high. And when you go to that site, it tries to infect you with malware.

What’s interesting is that PLCs and HMIs are most commonly associated with things like oil and gas, power, and energy manufacturing. And there are a lot of things cybercriminals can do with infected manufacturing equipment. Maybe they could poison the water supply or break a pharmaceutical company’s supply chain.

Historically, security spending was more focused on IT and less on XIoT, [which is] everything from video cameras and printers to network devices and industrial control systems. That’s becoming the new ‘new’ in cybersecurity.

There are a lot of XIoT devices, and they haven’t been secured that well. At the same time, they have the same power, capabilities, ports, and protocols as a laptop or a server, but without the pesky disadvantage of having a bunch of security controls protecting them.

Modern cybercrime is very specialized. Attackers who deploy malware are seldom the same people who wrote it. Do you think there are marketplaces where threat actors buy and sell malware that explicitly targets XIoT devices?

When it comes to XIoT, we know of nation-state actors that have developed tools specifically to target XIoT devices. Not that Russia is the only country that has done this, but they developed a tool called Fronton specifically designed to discover, compromise, and control XIoT devices.

Cybercriminals are also noticing they can leverage similar tools for profit. For example, if somebody wants to rent out a botnet, it doesn’t matter if it’s made out of laptops and servers, or cameras and printers. The only important thing is that it has an IP address, internet connection, and it can do what the attacker wants it to, be it sending traffic or distributing malware.

Most XIoT devices use Linux, Android, VxWorks and other operating systems. They’re known devices with similar ports and capabilities. Instead of compromising 50,000 devices at this manufacturer across servers and desktops, a threat actor could compromise 150,000 by bringing in all their XIoTs.

Think of a casino. I’m guessing they have tens of thousands of connected video cameras. Or take a hotel chain. How many printers do they have across all their disparate hotels? Again, tens of thousands, easily, and maybe more. Well, many devices are just sitting and waiting to be leveraged for an attack.

Threat actors have noticed this. They’ve also noticed that these devices are quite easy to compromise and control. Since most organizations aren’t watching them, attackers can maintain persistence for six months or longer because people aren’t paying attention to what these devices are doing. They’re not being managed. As long as the printer prints and the camera records, nobody is looking to see if there’s a problem. We’re seeing a huge increase in malware targeting XIoT by nation-state threat actors and financially motivated cybercriminals.

Recently, botnets like Mēris and Mantis have performed record-breaking attacks. Do you think profit-seeking hackers or state-sponsored actors operate major botnets?

It seems so. Recently, the authorities dismantled the RSOCKS botnet in several European countries. What was interesting about this particular takedown was that most of the devices were industrial control systems. There were some cameras, printers, and traditional IoT devices. But it was almost purely industrial control systems – and the botnet operators weren’t doing it to negatively impact the industrial control systems providers.

It looks like the operators were using it for traditional cybercrime. Nation-states are smart enough to know about this. A lot of people that are cybercriminals by day are state-sponsored actors by night, or vice versa. They have access to the same tools and networks of people, and they understand the processes. There’s some crossover like that in many parts of the world.

People developing these tools for cybercrime are also the people developing some of these tools for politically motivated attacks. Nation-state threats, which aren’t about ransomware or DDoS, are often more severe. Some people doing compromises are getting into organizations through traditional IT, like a phishing campaign. They get in, but they don’t stay in IT systems. Attackers purposely look for XIoT devices, such as a switch, a printer, or a PLC. They do this because attackers know they can maintain persistence and evade detection here.

One of the reasons attackers focus on XIoT devices is that many of them have default passwords. If the passwords were changed, it was a decade ago, so they’re easy to guess. Another thing is that many of them have end-of-life or old firmware. In fact, about 25% of XIoT devices have end-of-life firmware. That’s a huge issue, because they’re filled with vulnerabilities.

For the remaining 75%, the average firmware age is six years. Imagine if you didn’t update the operating system on your smartphone for six years. I don’t think it would even work. And we’re talking about critical devices within organizations: there are troves of them. An organization with 10,000 people has somewhere between 30,000 and 50,000 XIoT devices.

Most companies don’t even know what they have. I think that XIoT security today is like IT security was in the ’90s. Back then, we didn’t have a good idea where our stuff was: we had horrible inventories, patch management, reduction of vulnerabilities, and firmware updates. Software updates were sporadic at best, and credential management was nonexistent.

Nation-state actors and cybercriminals know this. They know the vulnerabilities, the password and firmware issues. They know they’re not being monitored, and there are many of these devices. So, why not attack them?

After Russia invaded Ukraine, fears were running high that Moscow would launch a large-scale attack on critical infrastructure companies. Have you noticed rising threat levels affecting companies in the industrial sector?

Of course. People take notice whenever something major, like Russia invading Ukraine, occurs. However, as time goes on, they forget about it. It’s human nature. But I will say this: over the last 20 years, organizations that operate industrial control systems, whether it’s manufacturing, oil and gas, power and energy, water, or transportation, have gotten much more security savvy.

And it’s because of things like Russia and Ukraine and major cyber incidents of the past. The risk is real, and organizations know that they have to take measures they may not have considered taking before. I think generally we’re good at responding to incidents and making changes, rather than imagining what the risks might be. However, I have seen organizations take a more proactive look than they had been.

I’ve seen incidents where critical systems, whether telecom, healthcare, or financial systems, have been compromised and held for extortion. For example, in Brazil, attackers shut down the power for an hour, then turned it back on and demanded money if the company wanted to remain operational. Bad actors take advantage of organizations that aren’t prepared. An actual nightmare scenario would be threat actors extorting critical infrastructure companies.

Following your train of thought, could you describe what those nightmare scenarios would look like?

That’s when an attacker can break the supply chain on a national level. Things like grocery stores, messing up communications and traffic, and disrupting emergency services. What a great time to come in and invade, right? Because now you’re deaf, blind, and maybe a little scared since you haven’t had power for the last week or two. When that happens, people get a bit desperate. They don’t know what to do.

Now you play that out a little further. If somebody were to take down the electric grid, that would impact everything. Probably within three to six weeks, you see major rioting and looting. Emergency services like police, ambulances, and fire departments are all overwhelmed. Governments would have to bring in the military to try to keep the peace. In my mind, it’s that sort of a collapse. Probably the only thing I can relate it to is a major natural disaster.

The ramifications of the nightmare scenario could be horrific. We haven’t seen anything like that and I’m not predicting we will, at least not on a large scale. But I think the genie is out of the bottle when cybercriminals realize they can start going after XIoT devices. Again, nation-states know they can do this as well, and I think we’re going to start seeing more of these types of things happening.

Just a few years ago, discussions about exploits for XIoT devices were rarely discussed in hacking conferences, and now I hear about it everywhere. There’s this new XIoT exploit, or there’s a way to compromise this wireless access point, or this printer attack. That was esoteric, very recently: but now, this is the primary state of the conversation. And if these people and security companies are talking about it, they’re doing so for a reason: they’re concerned about it and know that threats are out there.