
Water and Energy Sectors Through the Lens of the Cybercriminal Underground

  • Posted on:November 29, 2018 at 4:58 am
  • Posted in:Internet of Things
  • Author:
    Trend Micro

by Stephen Hilt, Numaan Huq, Vladimir Kropotov, Robert McArdle, Cedric Pernet, and Roel Reyes

In our research Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries, we not only found exposed industrial control system (ICS) human machine interfaces (HMIs) but also pointed out how these systems were at risk. This risk is corroborated by the active interest in water and energy ICSs shown by different kinds of cybercriminal groups.

Looking at past incidents shows how real this interest is: it was enough to lead to attacks like the one on the Ukrainian power grid in 2015. The reported cases imply that the water and energy sectors are indeed targets, whether of sophisticated criminal groups or state-sponsored actors. However, our exploration of underground forums revealed attention coming from other groups, such as lone actors, as well.

From underground

We categorized underground forum posts on water and energy ICSs into groups based on the context of the discussion, specifically the reason and motivation behind the posting.

Knowledge about ICS/SCADA

Part of the chatter on the ICS/supervisory control and data acquisition (SCADA) systems of energy and water infrastructure stems from people who want to know more about these systems. The kind of information discussed in the forums, such as proofs of concept (POCs), vulnerabilities, and exploits for ICS/SCADA, would be dangerous in the wrong hands. Interestingly, some people also go to such forums to learn about SCADA for free and avoid the fees for professional training. Other posts we found did not reveal why the posters wanted the information.

Figure 1. Post asking about SCADA information to avoid expensive professional training

Opportunities for personal gain

Other conversations in the forums were more actionable, exploring ideas for possible opportunities and gains from ICS/SCADA systems. One of the more general discussions brought up Shodan and Censys within the larger conversation on industrial equipment being profitable IoT devices to exploit.

Some forums had more specific topics and hosted outright discussions on access and credentials for certain ICS/SCADA systems. One such discussion involved a hacker who had apparently succeeded in getting into a system and was looking to sell the acquired information. Other discussions involved groups in the reconnaissance phase of a campaign, employees willing to use illicit means to get ahead, and organizations requesting attacks on competitors.

Figure 2. Hacker selling acquired information on a forum

On the other hand, bug bounty programs of legitimate organizations hoping to test the security of their equipment in the wild are reposted by forum users. Bug bounties are a valid means to earn from vulnerability discoveries; however, they could also attract malicious actors seeking to gain more than the rewards offered.

Security implications

Whether these discussions have already turned or will turn into active campaigns is still to be determined. The fact that they exist already puts greater urgency on improving security for organizations in the water and energy sectors. Given that our research uncovered exposed systems in small and medium businesses (SMBs), these findings drive the point that no organization in any sector, of any size, is immune to attack.

Organizations need to keep in mind that cybercriminals will not stop at simply observing the exposed systems they discover. As organizations in critical infrastructure (CI) sectors like water and energy continue to incorporate the industrial internet of things (IIoT) into their operations, they should build security in from the start. Awareness of the vulnerabilities that can exist in ICS helps pinpoint the necessary improvements, not just at deployment but throughout operations. Organizations should also assess their possible areas of exposure and vulnerability and start improvements there. After all, a strong security posture ensures that IIoT systems serve as tools for enhancing CIs rather than as avenues for malicious campaigns.

For more insights on exposed CI HMIs, in-depth descriptions of threat actors, and defensive strategies, read our research Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries.
