By Michael Mimoso | June 21, 2021

Mandiant Threat Intelligence Senior Manager Nathan Brubaker recently joined Claroty’s Aperture podcast to discuss a recent report published by his team that examines a trend of decidedly low-tech intrusions into operational technology (OT) networks. What follows is an edited transcript of that discussion.

Claroty:

Take me through the inspiration for this report. Are you seeing a lot of low-level activity?

Brubaker:

This is not sexy, like the Tritons and Industroyers of the world. Folks like me and you, and anyone interested in security, tend to gravitate toward the more sophisticated, complex stuff because it’s sexy, interesting, and groundbreaking. It does all those things and checks all those boxes. It’s certainly scarier than this stuff. What we’re talking about is a level down.
And we’ve published previously on how ransomware is evolving and, where operators are evolving to impact OT intentionally or unintentionally. We’ve touched that kind of stuff in the middle, where actors are using similar APT-level tactics. So, they’re doing a bit more targeted access operations to get into specific networks. And then once they’re there, they’re escalating privileges, moving around and finding the places where if they did deploy ransomware, it would be a bigger bang for their buck.

That stuff is in the middle, certainly much more sophisticated than this. Then it trickles down to what we’re talking about here, which like I said is not nearly as flashy of a topic, but interesting, nonetheless, and concerning. Internally, we’ve been watching this and have seen the threat change pretty dramatically in the past year or two.

Listen to this complete interview here:

Claroty:

How so?

Brubaker:

Just from my experience and also the kind of the numbers we are seeing, this is increasing fairly dramatically. But the more important piece is what the actors are doing and how often that’s happening.

Initially, we talk about how a lot of these threat actors in 2012, had no idea what was going on and they’d be talking about ‘I just compromised this xyz device,’ and you can tell they just had like copied and pasted it off of the HMI or wherever they were at had found it, and dropped it into the forum. ‘What can I do with this? How do I make money?’ There was that kind of thing.

And then quite a bit of just information sharing, which most of it linked back to security research—which is always interesting—so that kind of, low-level stuff of just puttering around, trying to see what you can do and what you can’t do. And then until a year or two ago, we’ve seen these first instances of actors explicitly interacting with the process. That’s a dramatic jump. To do that, you have to be willing to have some sort of understanding about what you’re doing. You have to be willing to know that the outcomes of your actions could cause a physical outcome in the world.

Some of it has to do with what we would call a normalization of deviance. As this activity happens more often, it becomes normalized, something that’s accepted. For example, if a nation state [or private actor] carries out a cyber-physical action and other nation states or don’t take dramatic action against it, you’re setting the standard that this is somewhat of an accepted thing. That lowers the threshold for the willingness and ability for actors to carry out this kind of activity.

Claroty:

The report mentions these attempts to get a deeper understanding of how vulnerable these systems are through tutorials, which are a common thing on dark web sites for fraud and credit card providers. Seeing it happen for OT; that’s a whole new can of worms opening up?

Brubaker:

I agree. And this is something that we’ve talked about a lot internally and published quite a bit on historically. ICS and OT survived by—at least one piece of it— security through obscurity. The point here is 10 years ago there was limited amounts of information on the different types of systems, different types of devices, systems that companies were running. Now I can point to an example with Triton showing how feasible it was to reverse the Triconex (SIS controllers) and the other technologies that they targeted. And now you can do this with publicly available information.

So internally, we document a whole range of different places where these types of information are stored. You can, you can find targets that have a tremendous amount of really vulnerable information exposed. It’s like just like an attack book essentially, of what you would need to, to kick start your operations. And we pivoted off of that and found quite a bit of other related information and, you know, that’s, that’s a really great start to someone who has, you know, 10 years ago would have had to maybe get a human in there to steal some stuff or do at least some sort of more in-depth operations rather than spending 20 minutes digging around on the internet. So that’s definitely a huge concern.

Claroty:

In the report, you put attackers in three buckets, financial being the most obvious in terms of motivations, especially in the context of ransomware. But you also mentioned ideological motivations and egotistical. Can you go through those, especially egotistical motivations?

Brubaker:

You can say this was generally the lowest sophistication type of actors. They would be people just digging around and trying to figure this stuff out on their own. And then like, they’re the ones that are pretending like they did something; doing something and then trying to get credit for it to build out their street cred. So that’s a pretty straightforward one.
The hacktivist type is ideological, and potentially more concerning and probably something that’s driving more of the actual interaction targeting OT. You get a lot of really flashy headlines and attention when you do something like impact a process or a system.

And so that’s exactly what actors are looking for; it’s a natural draw. Most of the hacktivist groups are the ones that have put out the different tutorials on how to do stuff. And they’re pretty complex and pretty well done.

So someone who knew what they were doing, at least in some of the cases, put out some fairly quality tutorials. It’s a bit of an escalation. Historically, activist groups typically do a lot of web compromise. This is another fairly easy thing to do, especially with tools like Shodan and Censys, so it’s within their reach. And when you have tutorials like that can literally hold your hand all the way through, it’s making it even easier.

Claroty:

There’s a timeline in the report that illustrates activity from the last 15 months and shows how much interaction you guys are seeing with actual processes. And it’s relatively speaking, it’s not a lot. Are they just not looking to disrupt physical processes or do they not know what or where they’re in?

Brubaker:

To be clear, these are ones that we’ve confirmed. I would guess that there’s a decent amount of interaction in all the other ones that are just not confirmed. And so the way we’re getting a lot of this data is from explicitly talking to actors and getting them to share information with us. But to answer your question about do they just not know? Yes. And no. Some of them are trying to sell access, so they don’t maybe feel the need to change anything or don’t want to. Some folks are still somewhat concerned about touching buttons that they don’t know what they’re going to do.

With the recent pipeline attack, the government took a pretty hard stance and the actors clearly stated: ‘Look, we’re, we’re not here to cause trouble. We just want to make money. So just like, sorry, my bad.’ I imagine a lot of actors feel that way and, at least hopefully, maybe there will be some—I’m not gonna hold my breath—but maybe that will be a bit afraid of the law or move towards less critical systems.

I do want to reiterate one more time that these actors, even if they changed something for the most part, there’s a very good chance that either someone, or the technology itself, will catch changes these actors might make. For example, if you’d put a bunch of chloride or whatever in the water, they’re not going to pump it out without testing the water before it goes out. So there are a lot of safety controls. I do want to just be careful, I’m not trying to rile up people too much. I just wanted to make it clear that this is a growing problem and could turn into something worse in the future.

Claroty:

In the report, you talk about the use of commodity tools in some of these attacks (VNC, TeamViewer, others). I would imagine these tools get used because they’re relatively cheap or, and they’re certainly a lot easier to use than maybe some complicated enterprise tool that’s expensive to buy. Are you seeing that as well? Do you think that is an indication of the sophistication of the attacker?

Brubaker:

I think they use what’s available and what’s already potentially being used by the actual victim. To be honest, we see a lot of that with sophisticated actors too. So you use what’s available and what’s there, and there’s no reason to build specific custom tools when you don’t need them.

Claroty:

Some of these GUIs and HMIs, are they straightforward enough that a layman can understand and interact with them? Or, are these guys coming in with some kind of advanced knowledge via some of these tutorials?

Brubaker:

Yeah. I very highly doubt they’re coming in with advanced knowledge. We call this low sophistication because you don’t really need to have much knowledge, expertise, or resources to do this kind of stuff. Because they don’t, they’re able to use that little knowledge they have against the systems that they find, because they’re not trying to target something generally.
Um, so they may be browsing round on Shodan to find maybe a water utility, but if you’re talking about trying to cause a predictable outcome and a target of your choice, that’s another story. You need to have a fairly significant team, a bunch of expertise. You need to get access to documentation on the process and have engineers who understand it. If you make this change in this process, what’s the downstream impact that will then either have the desired outcome you want, or maybe if you do something there’s an unintended consequence that you don’t want.

Claroty:

Is the recent ransomware activity that we’re seeing against JBS Food and Colonial an offshoot of what you guys are talking about? Is that the next level of attacker and these guys becoming emboldened to go after these targets?

Brubaker:

I wouldn’t tie this activity to that. My concern is that it could enhance future activity. Why are we seeing so much more disruption to operations? I think with the dramatic increase in the quantity of ransomware attacks, you’re going to see a pretty significant increase in impact to operations. And that doesn’t mean they are specifically targeting OT. In many cases, operations are shut down because of the impact to IT and the reliance from OT into certain IT processes.

We’ve published a couple of blogs on Fin6 (Magecart) and Fin11 specifically, and some of the malware that they’ve built that has ICS processes built into [kill lists]. We, we continue to believe that this is not a targeted effort to impact OT, rather coincidental they’re there.

Claroty:

I definitely want to get your thoughts on all the U.S. government activity, the executive order, the 100-day plan for improving electric cybersecurity, the TSA directive, all this is calling out OT specifically. How much of a difference can this make?

Brubaker:

There’s money behind some of it, so hopefully that money gets to the organizations that really need it. One of the reasons you see a lot of utilities being impacted is that most of them are locally owned, small, or many of them have one person supporting, maybe part-time. And so if you can get even just some money to support at least getting their systems properly set up so that they’re not just sitting on the internet, along with there’s plenty of other risks that you could potentially mitigate along the way, that’s definitely a win. Hopefully we can sustain this in a way that’s not just a temporary thing.

Claroty:

Last question: One bit of advice for organizations facing some of these low, sophistication attacks. Is there anything beyond segmenting networks better, or not directly connecting devices to the internet. Is there something you’re seeing that might help beyond that?

Brubaker:

We include a bunch of mitigations and how to solve those problems within the blog, so I’ll point people there. It is straightforward and there’s no secret sauce. It’s just kind of going and doing it. Some of it, in some cases, it’s just like changing settings on a device or configuring firewalls in a different way. So this is not a huge technical challenge; it’s more on the quantity and resourcing side. It can be a huge challenge. I don’t want to downplay it, but not because it’s technically difficult.