Since the beginning of 2020, the number of attacks on industrial companies has remained high. In the third quarter the sector was attacked by various hacker groups, including RTM and TinyScouts, as well as by ransomware operators such as Maze, according to Positive Technologies.
TinyScouts, for example, targeted energy companies. The attackers relied on social engineering: in the first stage they sent phishing emails to employees of various organizations, either themed around COVID-19 or tailored to a specific victim. In the July campaign a file with the .lnk extension was attached to the email; when the user opened it, the mshta.exe utility was launched. It displayed a decoy document to the user while, for the attackers, executing a script that checked for the presence of TeamViewer, active RDP sessions, and whether the machine was logged in to a domain. Then came the variable part: if the company was of interest to the attackers, spyware was launched that collected all the data they needed; otherwise the ransomware went to work. The Gamaredon group, which security researchers have been tracking for several quarters, operated in a similar way.
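As an added defender-side illustration (not taken from the Positive Technologies report), the following heuristic flags the endpoint pattern described above: mshta.exe started from the desktop shell, then spawning enumeration utilities. It assumes Sysmon-style process-creation fields and runs over a constructed event list; the list of "reconnaissance" child processes is an assumption, not something the report specifies.

```python
"""Heuristic detector for the mshta.exe initial-access chain described above.
Assumptions: field names (pid/ppid/image/cmdline), the parent process name and
the RECON_CHILDREN set are illustrative choices, not from the original report."""
from typing import Dict, List

# Child processes of mshta.exe that would be consistent with the reconnaissance
# the article describes (checking TeamViewer, RDP sessions, domain membership).
RECON_CHILDREN = {"powershell.exe", "cmd.exe", "wmic.exe", "qwinsta.exe",
                  "query.exe", "reg.exe", "whoami.exe", "tasklist.exe"}


def detect_mshta_chain(events: List[Dict]) -> List[str]:
    """Return one finding string per suspicious process-creation event.

    Rule 1: mshta.exe started directly by explorer.exe, which is what a
            double-clicked .lnk shortcut looks like from the endpoint's view.
    Rule 2: mshta.exe spawning a shell or enumeration utility.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"].lower() if parent else ""
        if image == "mshta.exe" and parent_image == "explorer.exe":
            findings.append(f"pid {e['pid']}: mshta.exe launched from explorer.exe "
                            f"(possible .lnk lure): {e['cmdline']}")
        elif parent_image == "mshta.exe" and image in RECON_CHILDREN:
            findings.append(f"pid {e['pid']}: {image} spawned by mshta.exe "
                            f"(post-open reconnaissance): {e['cmdline']}")
    return findings


# Constructed sample telemetry; not real data from any incident.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",    "cmdline": "winword.exe report.docx"},
    {"pid": 300, "ppid": 100, "image": "mshta.exe",      "cmdline": "mshta.exe C:\\Users\\u\\Downloads\\doc.hta"},
    {"pid": 310, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe -File check.ps1"},
    {"pid": 320, "ppid": 300, "image": "qwinsta.exe",    "cmdline": "qwinsta.exe"},
    {"pid": 400, "ppid": 1,   "image": "mshta.exe",      "cmdline": "mshta.exe"},  # parent unknown: no Rule 1 hit
]

if __name__ == "__main__":
    for finding in detect_mshta_chain(SAMPLE_EVENTS):
        print(finding)
```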
The operators of the Maze ransomware successfully attacked Hoa Sen Group, the largest steel sheet manufacturer in Vietnam. During the attack, personal data of employees, internal correspondence and other confidential information were stolen; 1.64 GB of files were published online, which the attackers said was 5% of the total amount of stolen data. SK hynix, a major supplier of RAM and flash memory, also suffered at the hands of the same attackers: 11 GB of information was stolen, including confidential agreements with Apple for the supply of NAND flash memory.
"This year, the vast majority of criminal groups switched to working with ransomware: attackers realized that they can earn no less than from a successful attack on a bank, and the technical execution is much easier," explains Anastasia Tikhonova, head of APT research at Group-IB.
According to her, the current year has given rise to even more groups and affiliate programs that have joined the "big game hunt". "The size of the ransom has also increased significantly: ransomware operators often ask for several million dollars, and sometimes even several tens of millions. For example, the OldGremlin group, consisting of Russian-speaking hackers, actively attacks exclusively Russian companies: banks, industrial enterprises, medical organizations and software developers," explains Tikhonova.
The expert believes that one of the weakest links is still the human. "There are examples when an operator at a large industrial enterprise got bored, wanted to listen to music, and plugged a 3G modem directly into the USB port of the SCADA control and monitoring system. He meant no harm and knew the rules, but nothing could override the desire to 'just listen to music'... Or another example: administrators connect a modem to the industrial control system to provide remote control, forgetting that they are opening their system to a public network. There are other ways that cyber spies and saboteurs can get into the 'isolated' networks of critical infrastructure: USB flash drives, a new server with a Trojan in its UEFI, a Raspberry Pi with a 4G modem connected to the network, and a 'trusted laptop' that an employee brought back from a business trip," concludes Tikhonova.
Internet of Things devices are diverse and are used across industries, from smart cameras monitoring the production process at an oil refinery to industrial sensors installed along a heating pipeline over a huge distance, explains Alexander Karpenko, head of the ICS and CII Protection Department at the Jet Information Security Center. "They are miniature self-sufficient computing systems with a processor, an operating system (mostly Unix-like) and a large number of peripheral components: a Wi-Fi module, a Bluetooth module, etc. The level of security of such devices often depends on the hardware manufacturers, who may sacrifice security in the pursuit of functionality and cost of solutions. According to Palo Alto Networks statistics, 98% of IoT device traffic is not encrypted and is transmitted in clear text over the Internet."
The expert believes that the danger of using Internet of Things devices is that even experienced engineers find it hard to determine whether a device has been compromised. Target systems are assembled from a fairly large number of devices, and it is almost impossible to monitor and respond to possible security events and threats without additional tooling and human resources.