Researchers at RSA 2020 discussed the growing trend of hackers harassing large industrial systems. In doing so, they aren't just shifting their targets — they're also exhibiting more insidious behavior.
Researchers have known for years that sophisticated hacking methods exist that can take control of large industrial machines, manipulate their systems or render them useless.
There have been some prominent examples, albeit typically involving high-level, nation-state rivalry and espionage: incidents like Stuxnet, the malicious, probably U.S.-created program that infected an Iranian nuclear power plant in 2010 and dismantled it from the inside out.
Yet experts now worry that the trend may grow more common, with hackers potentially targeting a wider milieu of infrastructure and industry. A survey last year showed some 54 percent of the utility sector expected an attack on critical infrastructure during 2020. Similarly, security professionals have increasingly expressed concern for attacks of this kind, with people like former Homeland Security Secretary Michael Chertoff calling it a "real national security issue."
This was also one of the more talked about subjects at this year's RSA conference. During the conference's "Emerging Threats" seminar, Daniel Kapellmann Zafra of FireEye gave some perspectives on what ransomware hackers can do to critical infrastructure and industrial production systems.
Zafra, who works as a technical analysis manager of cyber-physical systems, said that since 2017 there has been an uptick in public disclosures involving ransomware attacks on industrial control organizations.
In some cases, cyberattacks will target a company’s data that is related to important industrial physical processes; the compromise of this data and the inability for that physical process to be completed then results in a large financial loss for the company, he said.
As an example, Zafra brought up the ransomware attack on shipping company Maersk in 2017, which managed to interrupt shipping terminal operations all over the world and cost the company as much as $300 million. A similar example targeting a shipping company occurred last year as well, he noted.
“In both cases what we saw is that ransomware infections had actually caused these organizations to lose control over data that they required for loading cargo containers,” Zafra said. “We see how limited access to this data generated a physical problem that, in the case of Maersk, it was a much bigger [problem] in terms of financial loss.”
These attacks are frequently carried out with a somewhat new methodology of ransomware attack, which is referred to as the "post-compromise approach." This approach differs from the classic "shotgun" style in which ransomware is sent out to target any of many vulnerable organizations; instead, a hacker targets an organization methodically, breaching its security, then crawling through its system and advancing privileges, after which they deploy ransomware. This allows the hacker to cause much more damage and increase their bargaining power during the ransoming stage, Zafra wrote for FireEye.
So what can be done? Zafra admitted that there was not a one-size-fits-all solution, and that organizations should invest in backups and redundancy, while also fostering a culture of collaboration across departments to enforce safety procedures and policies.
"You have to know what are your critical systems: What do you need for production? What impact is it going to generate on you if you fail to protect those assets?"