ICS Threat Activity on the Rise in Manufacturing Sector

Dragos is pleased to announce the release of the Manufacturing Sector Cyber Threat Perspective, a comprehensive analysis of recent observations of ICS-targeting threats to manufacturing organizations along with practical defensive recommendations. This article touches on highlights from the November 2020 report, which is available for download in its entirety here.

Cyber risk is increasing

Cyber risk to the manufacturing sector is increasing, led by disruptive cyberattacks impacting industrial processes, intrusions enabling information gathering and process information theft, and new activity from Industrial Control Systems (ICS)-targeting adversaries. Dragos currently publicly tracks five ICS-focused activity groups targeting manufacturing: CHRYSENE, PARISITE, MAGNALLIUM, WASSONITE, and XENOTIME in addition to various ransomware activities capable of disrupting operations.

Dragos has not observed ICS-specific malware targeting manufacturing operations on the same scale or sophistication as that used in the disruptive TRISIS and CRASHOVERRIDE malware attacks that targeted energy operations in Saudi Arabia and Ukraine, respectively. However, known and ongoing threats to manufacturing can have both direct and indirect impacts to operations. This article will discuss the following topics:

• Ransomware with the ability to disrupt industrial processes is the biggest threat to manufacturing operations. Adversaries are increasingly adopting ICS-aware mechanisms within ransomware that could stop operations.
• Disruptions within manufacturing industrial processes have supply chain implications that impact businesses and potentially operations elsewhere.
• The theft of proprietary and confidential manufacturing process details – often considered intellectual property – remains a high risk for manufacturers.

Activity groups targeting or demonstrating interest in manufacturing entities

CHRYSENE targets petrochemical, oil and gas, manufacturing, and electric generation sectors. Targeting has expanded beyond the group’s initial focus on the Arabian Gulf region, and the group remains active in more than one area.
Links: APT 34, GREENBUG, OilRig

MAGNALLIUM has targeted energy, aerospace, and supporting entities since at least 2013. The activity group initially targeted firms based in Saudi Arabia but expanded targeting to include entities in Europe and North America, including U.S. electric utilities. MAGNALLIUM lacks an ICS-specific capability, but the group remains focused on initial IT intrusions.
Links: PARISITE, APT 33, Elfin

PARISITE, operating since 2017, targets electric utilities, aerospace, manufacturing, oil and gas entities, and government and non-governmental organizations. Its geographic targeting includes North America, Europe, and the Middle East.
Links: MAGNALLIUM, Fox Kitten, Pioneer Kitten

WASSONITE targets electric generation, nuclear energy, manufacturing, and research entities in India, and likely South Korea and Japan. The group’s operations rely on DTrack malware, credential capture tools, and system tools for lateral movement. WASSONITE has operated since at least 2018.
Links: Lazarus Group, COVELLITE

XENOTIME is known for its TRISIS attack that caused disruption at an oil and gas facility in Saudi Arabia in August 2017. In 2018, XENOTIME activity expanded to include electric utilities in North America and the Asia-Pacific region; oil and gas companies in Europe, the United States (U.S.), Australia, and the Middle East. Expanded activity also includes control system devices beyond the Triconex controllers targeted in the 2017 incident. This group compromised several ICS vendors and manufacturers, posing a potential supply chain threat. Links: Temp.Veles

Currently two activity groups, XENOTIME and ELECTRUM, have demonstrated the ability to interact with and disrupt operations with malware specifically targeting ICS processes: TRISIS and CRASHOVERRIDE malware respectively. Although Dragos has not observed either malware family disrupting manufacturing operations, it is possible these adversaries will target manufacturing companies in the process of developing such malware, even if they are not the ultimate target.

ICS Vulnerabilities

Vulnerabilities in ICS-specific devices and services can introduce risk to the manufacturing environment. As of October 2020, Dragos researchers assessed and validated 108 advisories containing 262 vulnerabilities impacting industrial equipment found in manufacturing environments. Dragos found that almost half of the advisories described a vulnerability that could cause a loss of view and/or loss of control within a compromised environment.

Of the vulnerabilities assessed by Dragos impacting manufacturing industrial equipment, 70 percent require access to the victim network to exploit, 26 percent require an adversary to have access to the vulnerable device itself, and 8 percent require an adversary to be on the local area network to facilitate exploitation. Asset owners and operators are encouraged to be aware of the threat these vulnerabilities pose to manufacturing operations. A loss of view or control, for instance, may cause safety concerns and potentially put workers’ lives or the environment at risk.

Ransomware

The most common threat to manufacturing is ransomware. Dragos observed a significant rise in the number of non-public and public ransomware events that have affected ICS environments and operations over the last two years. This year, Dragos identified multiple ransomware strains adopting ICS-aware functionality, including the ability to “kill” (i.e., stop) industrial processes if identified in the environment, with activity dating back to 2019. EKANS, Megacortex, and Clop are just a few ransomware strains that contain this type of code. EKANS and other ICS-aware ransomware represent a unique and specific risk to industrial operations no previously observed in ransomware operations.

Attack vectors

Industrial and networking assets exposed to the internet are a high risk for manufacturing that can facilitate initial access to a victim environment. Various tracked ICS-targeting activity groups – PARISITE, MAGNALLIUM, ALLANITE, and XENOTIME – have previously targeted or currently attempt to exploit remote access technology or logon infrastructure.

According to the 2019 Dragos Year in Review report detailing lessons learned from the incident response and services team, 66 percent of incident response cases involved adversaries directly accessing the ICS network from the internet, and 100 percent of organizations had routable network connections into their operational environments. Recent cyber intrusions targeting water infrastructure in Israel were the result of PLCs exposed to the open internet. Dragos also responded to ransomware events at industrial entities that leveraged internet-connected remote access portals to infiltrate the operations network and deploy ransomware. In July 2020, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) published an alert encouraging asset owners and operators to take immediate actions restricting exposure of OT assets to the internet.

Since 2017, multiple threats migrated toward compromising vendors, Managed Service Providers (MSPs), and external network services as the first step in victim compromise. Adversaries can abuse existing trust relationships and interconnectivity to gain access to sensitive resources – including ICS systems in some cases – with little likelihood of detection. Recent examples of this include instances when activity groups DYMALLOY and ALLANITE compromised vendors and contractors for subsequent phishing campaigns targeting the electric sector, XENOTIME targeting several original equipment manufacturers and vendors, and a widespread hacking campaign by APT10 that hijacked connections between MSPs and their customers, which included manufacturing organizations.

It is not unusual to see flat networks in manufacturing environments. This is when network connections are shared across both enterprise and operational segments. This makes it easier for an adversary to bridge the IT and OT boundary, and disrupt manufacturing operations after pivoting from an access point in IT.

In addition to internet-connected process automation and other “smart” manufacturing processes, operators are adopting Wi-Fi enabled machine tools and diagnostic equipment that enable workers to move around plants and factories without tripping over power cords. Internet-connected tools connect to historian databases for quality assurance, regulatory, and logistics purposes, among others. Often these tools are connected to enterprise or operations resources and can be used as network access points or targeted in an attack meant to disrupt production and impede operations.

As manufacturing operations become increasingly connected, a lack of visibility into processes, assets, and connections remain within these environments. It is difficult to defend against threats operators do not see. According to the Dragos 2019 Year in Review report, 81 percent of organizations the Dragos Services team worked with had extremely limited or no visibility into the ICS/OT network. Observations from incident response engagements found no instances of security and process data aggregation for incident analysis requiring manual retrieval of logs and distributed analysis.

Theft of intellectual property

Dragos assesses with high confidence intellectual property theft and industrial espionage are major threats to manufacturing entities, especially by state-sponsored adversaries and malicious insiders. IP and theft of trade secrets related to process and automation functions can enable industrial organizations and interested states and governments to fast-track development of critical infrastructure, including manufacturing. It can also support state-sponsored espionage activities for political or national security efforts. Obtaining material specifications for products is likely not enough to replicate them. Businesses rely on engineering and industrial design schematics, and sequencing automation details. According to Dragos researchers, adversaries may want to steal the algorithms, engineering designs, and programming specifications to replicate the entire production process, not just the material goods and services output.

Recommendations

• Conduct architecture reviews to identify all assets, connections, and communications between IT and OT networks. Identify Demilitarized Zones (DMZs) to restrict traffic between enclaves. Critically examine and limit connections between corporate and ICS networks to only known, required traffic.
• Ensure an understanding of network interdependencies and conduct crown jewel analysis to identify potential weaknesses that could disrupt business continuity.
• Enforce Multi-Factor Authentication (MFA) wherever possible, especially on perimeter devices and login portals. Focus critically on connections to integrators, maintenance, vendor personnel, and crown jewels such as safety equipment. If MFA cannot be implemented on internal equipment, ensure strong, hard-to-guess passwords are used for all credentials.
• Ensure backups of enterprise network systems are maintained and test backups during disaster recovery simulations. Create an ICS specific incident response plan and conduct tabletop exercises to practice how to handle different incidents.
• Passively identify and monitor ICS network assets to identify key assets, chokepoints, and external communications in the network.
• Look for threat behaviors and known Tactics, Techniques, and Procedures (TTPs) that adversaries targeting manufacturing use, like those mapped to ATT&CK for ICS. You can view our interactive matrix that highlights TTPs by Threat Activity Group here.
• Monitor outbound communications from ICS networks to detect malicious threat behaviors, indicators, and anomalies. Understanding malicious behaviors exhibited by malicious activity groups is crucial for defending against them.
• Identify and label critical ICS assets to aid with detection and monitoring. Dragos Asset Identification allows for certain analytics to function by detecting malicious behaviors against asset types.
• Leverage industrial-specific threat detection mechanisms to identify malware within OT and reinforce defense in depth strategies at the network level, leading to a more robust investigation ability by defenders and analysts.
• Ensure corporate networks are patched to prevent malware infections from entering the environment and to prevent subsequent propagation.
• Ensure that critical network services, such as Active Directory (AD) and the servers hosting it, are well-defended and that administrative access to hosting devices is restricted to the greatest degree possible.
• Evaluate and limit AD federation and sharing between IT and ICS networks to the greatest extent possible. Among other items, create dedicated security groups for OT systems within a shared AD environment and limit permission for deploying Group Policy Objects (GPOs) or other changes to only a subset of administrators to reduce attack surface.
• Ensure networks are segmented to the greatest extent possible. If segmentation is not possible, ensure emergency response plans are well-documented to detail segmentation efforts in case of emergency such as a malware infection. For example, implement firewall rules to segment off critical ICS components from the network that can be activated and deactivated depending on the safety and security of the environment and any potential malicious activity.
• Services and equipment that are not needed for real-time communications or direct access to operations should be virtualized. This can improve vulnerability management and enable improved security for interdependencies. For example, Engineering Workstations (EWS) and Human Machine Interface (HMI) operations may be able to be virtualized.
• Isolate equipment and services used for Building Access Control (BAC) and Heating, Ventilation, and Air Conditioning (HVAC). These services can be considered secondary or support systems that are critical to maintaining safe, reliable manufacturing operations and considered potential targets for adversaries seeking to disrupt manufacturing production.

Conclusion

A concerning upward trend of ransomware targeting manufacturing companies leading to operations disruptions exists. Internet-exposed assets, supply chain and third-party compromise risks, and growing convergence of interconnected enterprise and operations networks are contributing to a growing threat landscape. Dragos continues to monitor targeted activity groups and threats targeting manufacturing operations, including concerning ICS-aware ransomware capable of disrupting operations. Additionally, adversaries do not need to specifically target industrial processes to achieve widespread disruption across plants, fleets, or automation processes, as detailed in this report. Dragos assesses with high confidence the threats to manufacturing will continue to increase over the next year.