Top attacks on industrial machines in 2020

COVID-19 shut down many things in 2020, but industrial machines kept rolling.

So did cyber attackers, who didn’t let work-from-home rules keep them from attacking-from-home, too.

Here’s a look at some of the big attacks and threats to industrial machines — also called operational technology or OT — in 2020.

Watch here:

The New Year Begins

2020 started with hope, celebration, and a bit of a hangover.

Teams battled it out for the top prize at the ‘Super Bowl’ of industrial hacking in Miami, Pwn2Own at the S4 security conference.

But there was a headache brewing for the new year — a surprise from the last — the news that attackers hit a U.S. gas pipeline with ransomware at the end of 2019.

The malware impacting some devices connected to industrial control systems. Unable to see, the pipeline decided to shut down for about two days. Reports say the company did not separate networks as they should and did not prepare for cyberattack.

“Anytime you have someone, whether it’s a nation-state or criminal element, targeting what we would consider our critical infrastructure, it’s a big deal.  Because, ultimately, you can cause loss of human life,” said Clint Bodungen with security company ThreatGen. “If you value even one human life, that’s a big deal.”

Full Throttle Pandemic

The pandemic set in, with companies sending people home to work remotely if possible.

Attackers sent signals that ransomware would be their weapon of choice.

Researchers reported their fake factory, a honeypot, drew in ransomware intruders demanding $10,000 and leaving the factory shut down for four days. Other attackers messed with industrial equipment.

“The most destructive things that we saw to our ‘factory’ were definitely ransomware,” said researcher Stephen Hilt with Trend Micro.

Aiming at Industrial?

Analysts saw ransomware strains with industrial features like EKANS, or ‘backwards snake’.

“Maybe it’s not intended to disrupt physical operations, but has the distinct possibility of doing so,” said threat researcher Joe Slowik, formerly with Dragos, now with DomainTools. “And that’s very concerning.”

EKANS went on to strike big companies like Honda and Enel, two of many industrial groups falling victim to ransomware this year.

The long list includes energy companies such as the U.K.’s Elexon, Light S.A. of Brazil, and LTI Power Systems, based in Ohio.

Also, oil and gas organizations like INA Group of Croatia and Taiwan’s state-owned energy company, CPC Corp.

Shipping companies were hit, including Toll Group, CMA CGM and Mediterranean Shipping Company.

Ransomware gangs targeted manufacturing companies, such as Mitsubishi Electric Corporation, Visser Precision, Evraz North America, Steelcase, IPG Photonics, Lion, and many more.

Attackers not only encrypted data, but stole it, too — another way to pressure companies into paying up.

Getting Physical

While criminals held industrial companies hostage, nation-states and threat groups plied their own tricks.

A favorite — the dangling phish for spying or infiltration — as well as working their way in through security gaps.

This year, researchers alerted that attackers could play games with important industrial equipment, like the crucial PLC — or programmable logic controller — that helps run factories, power plants and more around the world.

“Why is it bad to be able to play tic-tac-toe on a PLC?” we asked researcher Tobias Scharnowski of Ruhr-University Bochum, Germany, who demonstrated his team’s work.

“Instead of doing like some fun creativity, with that you can also have some more malicious creativity and potentially cause a lot of damage,” he answered.

Water Supply

Some attackers played their own games, for example, targeting Israel’s water supply and those PLCs. Reports say attackers hit once April and twice in June.

“Does it seem like they knew what they were doing with the controller?” we asked Ilan Barda with Radiflow.

“Yes, they did very, very accurate changes,” he said. “Somebody was doing very good homework. So, it was not just somebody getting, you know, sporadic access and then trying some changes.”

Yet another reminder that preparing for cyberattack is essential.

“If you leave your door open and no one has come and taken anything from you, does that mean that you’re supposed to leave your door open all the time?” asked Kwadwo Burgee with Rapid7.

Later in the year, researchers found more than 100 smart irrigation systems without passwords online where anyone could access them, many located in Israel, but others around the world. In December, attackers published a video saying they had hacked a water facility in Israel.

Cybersecurity experts have long warned that water systems around the globe may be hackable.

Heading to the Courts

As the year wound to a close, the U.S. government took big steps in some of the world’s most notorious industrial hacking cases.

The U.S. filed criminal charges against six Russian military officers, accusing them of hacking the power system in Ukraine in 2015 and 2016, causing blackouts for hundreds of thousands of homes and business in winter.

The six are also responsible for other infamous crimes, according to court documents.

“Even though these attackers might not see justice in a courtroom, I am glad to know that these attackers and others are being put on notice,” said industrial security consultant Chris Sistrunk with FireEye.

The U.S. also laid down sanctions for suspects behind what some call the world’s most destructive malware — Triton/Trisis —  capable of shutting down the critical safety systems in an industrial plant.

“I would like to see more international laws which regulate usage of cyber warfare in general, especially those which have impact on the well-being of the civilian population,” said industrial cybersecurity researcher Marina Krotofil.

Not Over Yet

In the final throes of 2020, a December surprise — the revelation that attackers had used a security hole in SolarWinds to launch malware on the systems of 18,000 companies and agencies, including the U.S. nuclear weapons agency.

It was an exclamation point on an already historic year, underscoring the final words of those industrial ‘Super Bowl’ champions in their victory interview, just before COVID took over the globe.

“It means we’ve got to keep trying harder,” said Steven Seeley of the Incite Team.

“It means we worked very hard and we’ve got to continue to work very hard,” added his teammate, Chris Anastasio.

Main image: Electrical towers at sunset. Image: Aydinmutlu/iStock