Cybereason publishes findings from its newest honeypot

Cybereason has published findings from its newest honeypot that was created to analyze the tactics, techniques, and procedures used by hackers to target critical infrastructure providers. This project has shown hackers have adopted multistage ransomware attacks as part of hacking operations against industrial control systems (ICS).

The honeypot IT and OT (operational technology) environment was built to look like a large electricity company with operations in North America and Europe.

The report, titled “Cybereason’s Newest Honeypot Shows How Multistage Ransomware Attacks Should Have Critical Infrastructure Providers on High Alert”, is based on attacks on a network architecture masquerading as part of an electricity generation and transmission provider’s network, including an IT and OT environment and HMI (human-machine interface) management systems. The environment employed customary security controls, including segmentation between the different environments.

Once the honeypot went live, hackers compromised the network within three days by brute-forcing the admin password, which had medium complexity. Attackers placed ransomware on every compromised machine early in the process but did not detonate it immediately. After the other stages of the attack were completed (including data theft, user password stealing and propagation across the network), the attacker detonated the ransomware across all compromised endpoints simultaneously.
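The entry point described above, a brute-forced admin password, is the stage a defender has the best chance of catching before the later stages run. The following is an added example, not code from Cybereason or from the report: it assumes an sshd-style authentication log format and uses constructed sample lines embedded inline. It raises a low-priority alert when one source exceeds a failure threshold against one account inside a sliding window, and a high-priority alert when that same source then logs in successfully, which is the pattern the honeypot saw.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not taken from the report).
# Source 203.0.113.7 fails six times against "admin" and then succeeds;
# 198.51.100.4 fails twice (below threshold); 10.0.0.5 logs in cleanly.
SAMPLE_LOG = """\
2024-01-01T10:00:00 sshd[101]: Failed password for admin from 203.0.113.7 port 50001 ssh2
2024-01-01T10:00:03 sshd[102]: Failed password for admin from 203.0.113.7 port 50002 ssh2
2024-01-01T10:00:06 sshd[103]: Failed password for admin from 203.0.113.7 port 50003 ssh2
2024-01-01T10:00:09 sshd[104]: Failed password for admin from 203.0.113.7 port 50004 ssh2
2024-01-01T10:00:12 sshd[105]: Failed password for admin from 203.0.113.7 port 50005 ssh2
2024-01-01T10:00:15 sshd[106]: Failed password for admin from 203.0.113.7 port 50006 ssh2
2024-01-01T10:00:18 sshd[107]: Accepted password for admin from 203.0.113.7 port 50007 ssh2
2024-01-01T10:05:00 sshd[108]: Failed password for operator from 198.51.100.4 port 40001 ssh2
2024-01-01T10:05:02 sshd[109]: Failed password for operator from 198.51.100.4 port 40002 ssh2
2024-01-01T10:06:00 sshd[110]: Accepted password for operator from 10.0.0.5 port 40003 ssh2
"""

# Assumed log layout: ISO timestamp, process tag, outcome, user, source address, port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an auth event, or None for lines in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_brute_force(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window failed-login detector keyed on (source, account).

    Emits 'brute_force_attempt' once the threshold is crossed inside the window,
    and 'brute_force_success' if the same source then authenticates successfully.
    """
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerted = set()                 # keys that already produced an attempt alert
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        q = failures[key]
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            # Drop failures that fell out of the window relative to this event.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "brute_force_attempt", "src": ev["src"],
                               "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
        else:
            # A success after a failure burst is the high-priority signal:
            # the guessing most likely worked, so treat the account as compromised.
            if key in alerted or len(q) >= threshold:
                alerts.append({"type": "brute_force_success", "src": ev["src"],
                               "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']} {a['type']:20} {a['user']}@{a['src']} after {a['failures']} failures")
```

Running the block over the sample prints one attempt alert at the fifth failure and one success alert at the following login; the two-failure source and the clean login produce nothing. The window is evaluated against each new failure, so a slow guess rate spread over minutes stays below the threshold; lowering the threshold or widening the window trades false positives for coverage of that case.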

“Ransomware threats to critical infrastructure providers should be a top concern for security teams. In the ICS industry, we are seeing fewer strains of ransomware yet the existing strains rake in more gains. Hackers do this by better targeting and making more money from each target. We can expect to see an increase in multistage ransomware embedded into hacking operations in the foreseeable future,” said Israel Barak, Chief Information Security Officer, Cybereason.

“Attackers are succeeding in hacking operations against ICS operators by breaking in and debilitating the business and demanding huge ransoms. Because many organizations now purchase cyber insurance, we are seeing an increase in the number of ransoms being paid as opposed to patching the holes in the network that enabled the hackers to gain access in the first place. These brazen intrusions will continue until the cost of the insurance becomes comparable to the cost of fixing the problem,” added Barak.