Rise in low-level hacking of critical infrastructure globally

Online attacks had become more severe, with even dud attempts now a cause for concern.

SINGAPORE - Low-level attempts to hack systems for controlling critical infrastructure, such as in the energy and water sectors, have increased globally by about three to five times in the last few years, said a recent report by United States cyber-security firm, Mandiant.

It said the online attacks had become more severe, with even dud attempts now a cause for concern.

The targeted systems controlled infrastructure such as solar energy panels, building ventilation and water supplies.

Mandiant, part of FireEye, said that attacks on these operational technology systems had increased since 2015.

"The severity of incidents has dramatically escalated from almost exclusive attempts to buy and sell access to devices in 2015, to multiple cases of (threat) actors interacting with industrial processes between 2020 and now," Mr Nathan Brubaker, a senior manager at Mandiant Threat Intelligence, told The Straits Times.

Such interactions were less apparent in the past.

Last month, an attack shut down a major pipeline under Colonial Pipeline that supplies about 45 per cent of fuel used on the East Coast of the United States.

Later, in the same month, a cyber attack on the world's largest meat processor, Brazilian food giant JBS, forced the company to shut down all its beef plants in the US - accounting for almost a quarter of supplies in the country - and slowed pork and poultry production.

Mandiant's report released late last month said that hackers likely did not target specific sectors in their low-sophistication attacks on operational technology systems.

This is because they used search engines to scan for any exposed infrastructure online. Unsecured services to access control systems remotely were often exploited.

One possible reason for more attacks could be the rise in the number of systems online, said Mr Brubaker.

More information has also been made available online for operational technology systems that hackers could use to improve their skills for more attacks.

Utilities, particularly the smaller ones, were often targeted, mostly because of the higher visibility gained from attacking them.

"These were typically smaller utilities so they probably had fewer resources to put towards security programs," Mr Brubaker said.

Some hackers targeted specific regions, such as Israel, but Mandiant did not observe any aimed at Singapore.

The hackers had political motives and a few would share hacking tutorials with others. But some were in it for the money or to become notorious.

Hackers usually tried to gain access through user-friendly graphical interfaces that allowed them to modify controls without needing prior knowledge of the processes.

Many hackers also flaunted their handiwork. One group shared images as evidence that it had compromised dozens of control systems in North America, Western and Central Europe, and East Asia, including a video for a Dutch-language temperature control system.

But some cyber crooks either had limited understanding of operational technology systems or were simply trying to brag.

One hacking group claimed that it compromised a German-language rail control system. But Mandiant later found out that the image of the attacked system was actually a Web interface designed for model train sets.


Even so, Mr Brubaker warned that any unauthorised access to operational technology systems remained worrying. "It may be blind luck that these actors accessed a toy rail system rather than a real one. The more threat actors interact with operational technology and learn about it, the more dangerous their future activities will be."

The attacks that Mandiant detected did not cause physical damage, owing to the many fail-safes built into most industrial processes. But with more attacks, even low-level ones, the risk of physical disruption rises, the firm said.

The publicity around these incidents may also encourage other hackers to target operational technology systems.

Mandiant has advised organisations to have security best practices in place, such as monitoring for unusual remote-access activity on their infrastructure.