Ransomware, snooping and attempted shutdowns: See what hackers did to these systems left unprotected online

Researchers set up a honeypot to monitor what cyber criminals are doing when they target industrial environments - and found that hackers are going after factories in large numbers.
Written by Danny Palmer, Senior Writer

Malicious hackers are targeting factories and industrial environments with a wide variety of malware and cyberattacks including ransomware, cryptocurrency miners – and in some cases they're actively looking to shut down or disrupt systems.

All of these incidents were spotted by researchers at cybersecurity company Trend Micro who built a honeypot that mimicked the environment of a real factory. The fake factory featured some common cybersecurity vulnerabilities to make it appealing for hackers to discover and target.

To help make the honeypot as convincing as possible, researchers linked the desktops, networks and servers to a false company they called MeTech and created a website detailing how the manufacturer served clients in high-tech sectors including defence and aerospace – popular targets for hacking.

The website even featured images and bios of people who supposedly worked for the false brand, with headshots generated by artificial intelligence in an effort to make the honeypot look as much like a legitimate company as possible.

Trend Micro launched the honeypot in May last year, purposefully setting it up with weaknesses like Virtual Network Computing (VNC) without access control, unsecured outward-facing remote desktop ports, and the same password reused for workstations across the network.

To further entice potential hackers towards the exposed online systems, researchers 'leaked' information about vulnerabilities in the systems. And it wasn't long before cyber criminals were attracted towards the MeTech honeypot and attempting to infiltrate it.

A few weeks after the honeypot went live, an attacker found their way into the network and installed cryptocurrency-mining malware in an effort to exploit the resources of the false factory to generate Bitcoin. Researchers note that this attacker repeatedly returned to the system to re-launch the miner over the course of the honeypot's life.

As more cyber criminals and hackers discovered the honeypot – under the impression it was a fully operational industrial environment – researchers saw the attacks being deployed get more advanced.

A number of attackers performed reconnaissance on the network, likely to find out what could be taken control of or to uncover sensitive data to steal. Some went so far as to issue commands to shut down systems, something that could have had a big impact in a real smart-factory environment. Shutdown attempts recurred throughout the honeypot's lifetime.

By September, the honeypot was attracting large amounts of interest from malicious hackers and MeTech was targeted with a ransomware attack that allowed the researchers to monitor how such an incident unfolds.

This started with an attacker investigating the systems and conducting reconnaissance across the network in an effort to uncover what they were dealing with. Then, using remote desktop functions and access to TeamViewer, this attacker deployed a variant of Crysis ransomware onto the network, demanding $10,000 in Bitcoin to decrypt the network.

Under the guise of a MeTech employee, researchers actually went back and forth over email with the attacker – who eventually dropped the demand to $6,000. However, the ransom wasn't paid, as once they were done communicating with the attacker, researchers reset the system, returning it to its original state.

But this wasn't the only ransomware campaign that the honeypot attracted; in October, hackers once again snooped around the network before deploying Phobos ransomware, which was removed when the systems were reset.

Just weeks after this, the honeypot also attracted a much less sophisticated ransomware attack from a hacker who researchers at Trend Micro note "fumbled around our system trying to get a PowerShell command to work".

This attacker eventually deployed a fake ransomware attack where they just changed the names of files and demanded a few hundred dollars to 'decrypt' the altered files via a note left on an altered desktop background. This attacker seemingly gave up a few days later, opening various adult websites on the browser before leaving the system.

Other hackers displayed more sophistication than this, spending time scanning systems designed to look like industrial control system (ICS) hosts; in one instance an attacker gained access to a workstation connected to what appeared to be MeTech's robotic systems. In a real environment, that level of access could lead to physical disruption of the factory floor.

The honeypot was shut down in December after providing researchers with a taste of how cyber criminals operate in industrial and factory environments with common security vulnerabilities. And in this case, it was common cyber criminals, not nation-state-backed hacking groups, that were tampering with systems.

"Too often, discussion of cyberthreats to industrial control systems (ICS) has been confined to highly sophisticated, nation-state level attacks designed to sabotage key processes. While these do present a risk to Industry 4.0, our research proves that more commonplace threats are more likely," said Greg Young, vice president of cybersecurity for Trend Micro.

"Owners of smaller factories and industrial plants should therefore not assume that criminals will leave them alone. A lack of basic protections can open the door to a relatively straightforward ransomware or cryptojacking attack that could have serious consequences for the bottom line," he added.

To protect against cyber criminals and hackers, researchers recommend that industrial environments expose as few ports to the internet as possible and tighten access control policies, with a unique, strong password for each system. Two-factor authentication can also help prevent attackers from gaining access to the environment.
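The first weakness the honeypot advertised was VNC with no access control, and the first recommendation above is to find and close that kind of exposure. The probe below, an example added for this article rather than code from Trend Micro or the MeTech honeypot, performs the RFB version handshake against a VNC service and reports whether the server offers security type 1 ("None"), which lets anyone connect without a password. The protocol details follow RFC 6143; the host and port passed to probe() and the in-process fake server used to exercise it offline are assumptions constructed for the example.

```python
"""Check whether a VNC (RFB) service accepts connections without authentication.

Added example for this article; not Trend Micro's code. The fake server at the
bottom is constructed so the probe can be exercised without a live VNC host.
"""
import socket
import threading

# RFB security types (RFC 6143, section 7.1.2) plus common registered extensions.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def recv_exact(sock, n):
    """Read exactly n bytes; RFB fields are fixed-width, so a short read is an error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-handshake")
        buf += chunk
    return buf


def offered_security_types(sock):
    """Run the RFB version exchange and return the security types the server offers."""
    banner = recv_exact(sock, 12)                      # e.g. b"RFB 003.008\n"
    if not banner.startswith(b"RFB "):
        raise ValueError("not an RFB server: %r" % banner)
    major, minor = int(banner[4:7]), int(banner[8:11])
    if (major, minor) >= (3, 7):
        sock.sendall(b"RFB 003.008\n")                 # 3.7+: server sends a list of types
        count = recv_exact(sock, 1)[0]
        if count == 0:                                 # refused; a reason string follows
            reason_len = int.from_bytes(recv_exact(sock, 4), "big")
            raise ConnectionError(recv_exact(sock, reason_len).decode("latin-1"))
        return sorted(recv_exact(sock, count))
    sock.sendall(b"RFB 003.003\n")                     # 3.3: server dictates one 32-bit type
    return [int.from_bytes(recv_exact(sock, 4), "big")]


def assess(types):
    """Turn the offered types into a finding: type 1 means anyone can connect."""
    names = [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types]
    if 1 in types:
        return "EXPOSED: server accepts security type None (no authentication); offers " + ", ".join(names)
    return "auth required: " + ", ".join(names)


def probe(host, port=5900, timeout=5.0):
    """Connect to a real VNC service (host/port are the caller's) and assess it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return assess(offered_security_types(sock))


def fake_vnc_server(conn, types):
    """Minimal in-process RFB 3.8 server, constructed only to exercise the probe offline."""
    conn.sendall(b"RFB 003.008\n")
    recv_exact(conn, 12)                               # client's version string
    conn.sendall(bytes([len(types)]) + bytes(types))
    conn.close()


def probe_fake(types):
    """Run the probe against fake_vnc_server over a socketpair and return the assessment."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_vnc_server, args=(server, types))
    worker.start()
    try:
        return assess(offered_security_types(client))
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    # Offline demonstration: an open server like the honeypot's, then a protected one.
    print(probe_fake([1]))        # VNC with no access control
    print(probe_fake([2, 19]))    # VNC Authentication or VeNCrypt required
```

Run probe() against each internet-facing address on port 5900 (and 5901 upwards for additional displays) from outside the perimeter; any "EXPOSED" result is the configuration the honeypot deliberately shipped with. A server that only offers type 2 still deserves attention, since classic VNC Authentication is a short challenge-response with no lockout, which is why the recommendations above pair access control with unique strong passwords and, where possible, a second factor or a VPN in front of the service.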

Security experts also recommend that systems are regularly updated with relevant security patches in order to ensure that cyber criminals can't take advantage of known vulnerabilities to gain access to networks.
