The factory—a small prototyping company—was attacked several times over the space of seven months. The threats didn't come from sophisticated state-sponsored groups, but rather cybercriminals intent on fraud and financial gain.
MeTech wasn't a real factory. The network was a honeypot consisting of real industrial control systems (ICS) hardware and a mix of physical hosts and virtual machines, set up by Trend Micro Research to mimic the operations of a small factory. The researchers monitored the attacks against the honeypot to determine how “knowledgeable and imaginative” attackers had to be to compromise a manufacturing operation, and to monitor firsthand what kind of attacks manufacturing companies dealt with on a regular basis. Over the course of the project, researchers saw the network compromised for cryptocurrency mining, crippled by two separate ransomware attacks, and abused for consumer fraud.
“Too often, discussions of cyber threats to industrial control systems have been confined to highly sophisticated, nation-state level attacks designed to sabotage key processes,” said Greg Young, Trend Micro’s vice-president of cybersecurity.
Manufacturing and other sectors that rely on ICS are understandably worried about advanced attacks such as the ones involving Stuxnet and the Triton malware. However, the Trend Micro investigation showed that industrial environments were just as susceptible to fraud and financially-motivated exploits that plague enterprise information technology networks.
Building a Factory
The honeypot was designed to be as realistic as possible, with ICS hardware, physical hosts, and hardened virtual machines. Trend Micro included programmable logic controllers (PLCs) from Siemens, Allen-Bradley and Omron, and the virtual machines ran an human machine interface (HMI) for controlling the factory in the honeypot. There was also a robotics workstation that controlled a palletizer and an engineering workstation used for programming PLCs. Finally, a physical machine running an old version of Windows served as the factory's file server. The file server had a shared directory with global read/write permissions populated with randomly created files of various extensions and filesizes.
Some ports were intentionally left open on the honeypot, including VNC services that could be accessed without a password. The robotics workstation was exposed via Remote Desktop Protocol (RDP). The engineering workstation, on the other hand, was not exposed outside of the network. Instead, it used the same administrator password as that of the exposed HMI and robotics workstation, mimicking "a common setup in companies maintained by an administrator."
"The goal was to build a honeypot that appeared so real that not even a well-trained control systems engineer would be able to tell that it was fake without diving deeply into the system," the researchers wrote.
Recognizing that attackers frequently research the target beforehand, Trend Micro researchers went beyond the technical details to make this fake company look more legitimate. The "small industrial prototyping boutique working for special customers" in the military, avionic and manufacturing sectors had a professional-looking website with a motto and logo, made-up employee names and email addresses, and working phone numbers which played a recording instructing callers to leave a message. This level of detail was necessary because if it was too obvious that the network was actually a honeypot, the malware may not execute its payload, and attackers would not bother completing the attack.
"Advanced attackers could be very picky in choosing systems they wanted to compromise and would check every small detail that they could before conducting an attack," the researchers wrote.
One of the earlier attacks involved malicious cryptocurrency miners, the report found. An attacker came on to one of the virtual machines on the network, opened up a web browser on the system, and set up a remote access tool to mine Monreo cryptocurrency. The attacker is believed to have entered the network at least three times. A different attacker tried downloading a different miner at a later date, but did not succeed.
The researchers also observed a significant number of attempts to use the honeypot's systems and resources for fraud, such as cashing out airline miles for gift cards and buying smartphones by upgrading mobile subscriber accounts. There were also some reconnaissance activities that could have been related to phone fraud.
Scanning attempts don't automatically mean the system is under attack. The researchers identified scanning traffic from 9,452 unique IP addresses, of which 610 were linked to scanners such as ip-ip, Rapid 7, Shadow Server, Shodan, and ZoomEye, as well as others performing monitoring services for other companies. The researchers also identified scanning activity against PLCs which collected information about exposed devices—while the scans did not appear malicious, the researchers could not say with certainty that the scans were not part of reconnaissance activity for a future attack.
There were cases where the attacker closed applications running on the compromised workstation, shut down the system, or logged the current user out of the system. Another stopped the conveyor belt, started the palletizer application, and stopped the factory.
Infected by Ransomware
The network was infected by ransomware twice during the course of the research project—once by Crysis and the other by Phobos. While the researchers believe the infections were carried out by "two unrelated individuals or groups," the execution flows were similar. The group behind Crysis first spent some time looking around the shared drive and the robotics workstation. The attackers installed the remote desktop software Team Viewer and used that tool to copy the malware files to find and encrypt files on the the system. The group behind Phobos also spent some time browsing the file system and scanning the network before deploying the ransomware.
Interestingly, researchers also observed an attempt to fake a ransomware attack, where the files were all renamed to have a .rnsmwr extention but nothing was encrypted.
Focus on Cybercrime
Security professionals are increasingly shifting their focus towards protecting ICS, but there is a disconnect on the dangers they worry about and the threats that are more likely. A lot of the discussion centers around sophisticated attacks from nation-state adversaries, and while that is still a possibility, Trend Micro's research suggests that cybercriminals are even more likely to cause problems on these networks.
“A lack of basic protections can open the door to a relatively straightforward ransomware or cryptojacking attack that could have serious consequences for the bottom line,” Trend Micro's Young said.
There have already been several incidents where ransomware disrupted factory operations. Back in 2017, Honda stopped production at one of its vehicle plants in Japan after finding WannaCry in its networks. Global aluminum producer Norsk Hydro had to shut down some production lines and switch others to manual functions after a ransomware attack. ASCO, one of the world's largest suppliers of airplane parts, ceased production in factories across four countries after finding ransomware in its Belgian plant.
"We created openings for attacks that could realistically be found in actual smart factories," the researchers wrote.
The researchers "had to do everything wrong" with MeTech's security so that the honeypot could be compromised, but many small factories would have made similar decisions—open VNC with no passwords, reusing weak administrator passwords throughout the network, no firewall filters to block unknown traffic.
"Our findings should serve as cautionary examples for organizations who run similar systems," the researchers wrote.