Fake Factory Experiment Illustrates Attackers' TacticsTrend Micro Project Demonstrates Targeting of Industrial Control Systems
Trend Micro researchers created a phony "smart factory" that lured attackers, demonstrating how they are increasingly focusing on industrial control systems and have become adept at planting malware within vulnerable infrastructure.
The researchers used a network of honeypots to monitor network traffic and keep tabs on the attackers and how they attempted to take advantage of security flaws within the fake industrial environment, Trend Micro explains in a new report.
Industrial control systems that are "air-gapped" and isolated from the public internet have been considered secure, but the increasing use of connected devices and internet of things initiatives have complicated that view. Now cybercriminals and nation-state actors find these industrial control systems - which are used in power companies, oil and gas firms and nuclear plants, among others - are ripe for hacking and attack (see: Xenotime Group Sets Sights on Electrical Power Plants).
"Our findings should serve as cautionary examples for organizations who run similar systems," the Trend Micro report states. "Such attacks would not have been so successful had adequate security measures been in place to deter them in the first place. From this, organizations can take the cue to re-evaluate their defenses. Organizations should ensure that their equipment and the components of their industrial control systems are not exposed online, as we purposely did with our various 'misconfigurations'."
Setting the Trap
To create the illusion of a working industrial firm, the Trend Micro researchers mimicked a variety of hardware and software components, such as programmable logic controllers and human-machine interfaces, that are typically used with industrial control systems, according to the report.
In addition, the researchers created a website for the fictitious factory. "We created a backstory for our fictitious company, which included made-up employee names, working phone numbers, and email addresses - anything and everything that a real company would need to run a day-to-day business," the report notes.
To entice attackers to the phony factory, the researchers left a number of basic security mistakes within the fictitious infrastructure. This included repeatedly using the same or similar passwords for various systems as well as leaving virtual network computing assets exposed without security protections, according to the report.
All this allowed attackers to find their way into the honeypots and ensured that the researchers could track their movements, the researchers add.
"Advanced attackers could be very picky in choosing systems they wanted to compromise and would check every small detail that they could before conducting an attack," the report notes. "With this is mind, we decided to use real [industrial control system] hardware and a mixture of physical hosts and hardened virtual machines."
Types of Attacks
Trend Micro researchers spent two months constructing the virtual factory and setting up the network of honeypots to capture the activity of the attackers, according to the report. Then, between May and December 2019, the researchers observed attack attempts.
In September, for instance, researchers saw an attacker plant a cryptocurrency miner within the infrastructure and take advantage of the weak virtual network computing assets, the report notes.
The Trend Micro researchers also encountered two instances of ransomware infection. The first used a strain called Crysis, with the attackers demanding a ransom of $10,000, according to the report. Crysis is an evolving ransomware that targets businesses with weak remote desktop protocols, the report notes.
The second ransomware attack took place in October, with the attackers using the Phobos, strain, which resembles Crysis, according to the report. Crysis and Phobos were among the most commonly spotted ransomware variants in use during 2019, according to security firm Emsisoft (see: Ransomware Attacks: STOP, Dharma, Phobos Dominate)
In both the ransomware attacks, the threat actors were able to lock the files in the affected systems by breaching the fake factory's exposed IT systems, the researchers say.
In addition to ransomware attacks, the researchers also observed third-party actors who used the resources in a honeypot to engage in activities such as "buying smartphones by upgrading mobile subscriber accounts and cashing out airline miles for gift cards," according to the report.
While the Trend Micro researchers note that attackers are getting better at probing and finding weaknesses within industrial control systems, they say that many of the security flaws incorporated into the fake factory would not be present during real-world situations.
Still, the report’s findings demonstrate that weak security practices open the door to attacks.
"Ultimately, weak security not only makes cyberattacks possible, but can also serve as additional invitation for attacks on industrial systems that have long stoked the interest of cybercriminals," the report concludes.