Aperture Podcast: Mandiant on Low Sophistication OT Attacks
By Michael Mimoso | June 10, 2021
Some successful compromises of operational technology (OT) aren’t necessarily rooted in complicated exploits that chain together several vulnerabilities. Sometimes an insecure VNC or TeamViewer connection to an industrial network is enough.
That’s at the crux of a recent Mandiant report that examines how attackers are using low-tech means of accessing industrial networks and, on occasion, interacting with processes without much understanding of possible physical outcomes or impacts to public safety. Nathan Brubaker, senior manager of Mandiant Threat Intelligence, discusses the report “Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises” on the latest episode of Claroty’s Aperture Podcast.
The report, co-authored by Brubaker, Keith Lunden, and Daniel Kapellmann Zafra, provides incident information and data to help decision makers understand real-world risks to industrial control systems and networks. It contains numerous examples of attackers exploiting internet connectivity of OT networks and devices to satisfy ideological, financial, and even egotistical motivations rather than physical outcomes.
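The exposure the report describes, remote-access services such as VNC or TeamViewer reachable from the internet on OT address space, is something a defender can audit directly from flow records. The script below is an added example (not code from the Mandiant report or from Claroty): it walks constructed sample flows, flags sessions where an external source reached a remote-access port on an assumed OT subnet and received data back, and ignores unanswered scans and internal IT-to-OT traffic. The subnet values, port-to-service table and sample flows are all assumptions for illustration.

```python
"""Audit network flow records for internet-sourced remote-access sessions
that reach OT address space.

Added example for this article; the OT subnet, the internal address
ranges and the flow records below are constructed, not taken from the report.
"""
import ipaddress
from dataclasses import dataclass

# Well-known remote-access ports: 5900-5906 cover VNC displays :0 to :6,
# 5938 is TeamViewer's direct-connection port, 3389 is RDP.
REMOTE_ACCESS_PORTS = {
    **{p: "VNC" for p in range(5900, 5907)},
    5938: "TeamViewer",
    3389: "RDP",
}

# Assumed address plan (constructed): OT lives in 10.50.0.0/16, and the
# organisation's internal space is the RFC 1918 ranges. Anything outside
# those ranges is treated as an internet source.
OT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_back: int  # bytes the destination sent back; > 0 implies a real session


def is_internet_source(ip: str) -> bool:
    """True when the source lies outside the organisation's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def in_ot_space(ip: str) -> bool:
    """True when the address falls inside the assumed OT subnet(s)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETWORKS)


def find_exposed_remote_access(flows):
    """Return (src, dst, port, service) for each flow in which an internet
    host reached a remote-access service on an OT address and got a reply.
    Unanswered probes (bytes_back == 0) are left out so that plain port
    scans do not drown out live sessions."""
    findings = []
    for f in flows:
        service = REMOTE_ACCESS_PORTS.get(f.dst_port)
        if (service and is_internet_source(f.src_ip)
                and in_ot_space(f.dst_ip) and f.bytes_back > 0):
            findings.append((f.src_ip, f.dst_ip, f.dst_port, service))
    return findings


# Constructed sample flows (documentation-range source addresses).
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.50.3.21", 5900, 48210),  # internet -> OT VNC, answered
    Flow("203.0.113.9", "10.50.3.40", 5938, 1270),   # internet -> OT TeamViewer, answered
    Flow("10.20.1.5", "10.50.3.21", 5900, 9000),     # corporate IT -> OT VNC: internal, not flagged
    Flow("198.51.100.4", "10.50.3.21", 5900, 0),     # probe with no reply, not flagged
    Flow("203.0.113.7", "10.50.3.21", 502, 300),     # Modbus/TCP, outside this check's scope
]

if __name__ == "__main__":
    for src, dst, port, svc in find_exposed_remote_access(SAMPLE_FLOWS):
        print(f"EXPOSED {svc}: {src} -> {dst}:{port}")
```

Run on real data, the same function would take flows exported from a firewall or NetFlow collector, and the flagged pairs are the ones to reconcile against an approved remote-access list; an internal-only hit (the 10.20.1.5 row above) is still worth a second check against IT/OT segmentation policy, but it is a different finding from a session that originated on the internet.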
Brubaker cautioned in comments made on the podcast that attackers are also conducting surveillance on OT networks and sharing or selling that intelligence via tutorials. These instructional documents and videos describe how to identify and compromise connected assets.
“Historically, ICS and OT survived by at least one piece of it is security by obscurity. Five years ago there were limited amounts of information on the different types of ICS systems running,” Brubaker said, adding that dynamic has changed recently. Volumes of accessible information are online and shared, including technical documents, admin credentials, and more. “If you’re really motivated and you have some flexibility in the targeting you want to do, you can find targets that have a tremendous amount of valuable information exposed.
“That’s a really great start for someone who maybe 10 years ago maybe needed to get a human in (a target) to steal some stuff, do at least some sort of in-depth operations,” Brubaker said. “That’s definitely a huge concern.”
You’ll also hear more about:
Risks introduced by IT/OT convergence
Some of the commodity tools attackers are using to gather information
How much process interaction is actually happening, and how
Why the U.S. government’s singling out of OT in recent activity is crucial
Advice for organizations to counter low-sophistication attacks