May 21, 2024
Key Points
The term operational technology (OT) describes the hardware and software used to monitor and control physical processes, devices, and infrastructure, from critical infrastructure to industrial control systems (ICSs) on manufacturing floors. OT underpins enterprises across numerous sectors, including energy, manufacturing, pharmaceuticals, utilities, and health care. Traditionally, OT has a decades-long lifecycle, is difficult to patch because of stability and availability concerns, and often lacks basic security features such as authentication and encryption.
Although there are publicized instances in which threat actors have targeted OT and ICSs, impacted organizations typically share scant details of such attacks, owing to the sensitive nature of the systems involved. The first in a series exploring threats to OT, this report discusses overarching threats to organizations that employ OT, describes a theoretical attack chain, and provides recommendations on how to mitigate such threats. Future reports will examine the tactics, techniques, and procedures (TTPs) of specific threat groups and malware known for targeting these organizations.
By analyzing these details and common TTPs used across such attacks, this series aims to increase visibility into these threats and provide our customers with practical, actionable advice on how to tackle them, with ReliaQuest’s help.
Once air-gapped, OT is now far more integrated with traditional IT systems, bringing benefits like continuous performance and condition updates that simplify system management and ultimately reduce downtime. However, risks that were once tolerated because OT was isolated are now compounded by this interconnectivity, which expands an organization's attack surface and its exposure to cyber attacks.
Often difficult to predict, cyber threats to OT differ greatly from those affecting traditional IT systems.
Drivers and objectives: Cyber attacks on OT usually vary based on geopolitical events. Threat actors are likely to target OT to disrupt plant services, destabilize critical national services like water and electricity—in turn sowing distrust among citizens—or steal sensitive intellectual property.
Attack development: Rather than attacking OT directly, threat actors and groups often use more traditional methods, like phishing, to compromise IT systems first. Successful phishing emails enable the threat actors to gain initial access, deploy a malware payload, and establish persistence. Alternatively, threat actors may exploit vulnerabilities in public-facing endpoints to achieve initial access. Once inside a network, threat actors can then pivot, depending on the permissions obtained, to compromise the OT.
Knowing the risks their organizations face can help CISOs make decisions about where to focus their resources for cybersecurity defenses, build better security architecture, and avoid the wide-ranging consequences of cyber attacks affecting OT, including:
Arguably the most famous example of an attack on OT conducted by a nation-state occurred in 2010, when the “Stuxnet” worm exploited zero-day vulnerabilities to target and derail Iran’s then-emerging nuclear program. It was widely reported that Stuxnet was jointly developed as a cyber weapon by the US and Israel in a large, collaborative effort known as Operation Olympic Games. However, more recent examples, like the “Volt Typhoon” campaign described below, demonstrate that this is a continuing priority for nation-states. Recent physical attacks on critical infrastructure, such as the 2022 Nord Stream Pipeline attack, may be an indicator of when cyber attacks could occur, as kinetic and cyber activity have been used hand in hand in modern warfare.
Sophisticated nation-state–associated threat actors—or the states themselves—are most likely to deliberately attack OT, probably in espionage operations designed to steal intellectual property.
The APT groups at the disposal of these nation-states are highly skilled and can conduct long-term espionage campaigns using heavily obfuscated attack methods that focus on data theft and defense evasion. It is realistically possible that APT groups prioritize defense evasion to maintain long-term access in preparation for future assignments involving acts of sabotage. Many APT groups develop their own tools, exploit zero-day vulnerabilities, and favor spearphishing emails to gain initial access. These groups are also well known for their ability to conduct complex supply-chain attacks.
The nation-states that are most likely to conduct attacks targeting OT are China and Russia.
The Chinese state frequently uses cyber operations to pursue its national interests, preferring to avoid direct confrontation. The primary motive for most Chinese-initiated cyber-threat activity is progress toward strategic goals related to two main state-led initiatives: the Belt and Road Initiative and Made in China 2025. China-linked APT groups are arguably the most sophisticated, technically capable, and persistent of all nation-state–associated groups. They are the pioneers of supply-chain attacks and continue to show a proclivity for such attacks.
Notable groups:
Russia’s external interests lie in economic development and reclaiming control over former Soviet nations. It is one of a few nations with proven offensive cyber capabilities, as well as an aggressive domestic surveillance policy. Several prominent APT groups operate in Russia, conducting external—and sometimes internal—espionage operations on behalf of the state. Typically, these activities focus on gathering strategic or valuable information deemed to be useful to the Russian government.
Preventing attacks by nation-state–associated threat actors is difficult, given their sophistication and frequent exploitation of zero-day vulnerabilities. Patch vulnerabilities in IT systems as soon as possible to reduce the chance of a threat actor pivoting through the network to the OT. Also ensure that comprehensive logging is in place across all systems, including the IT/OT boundary, so that anomalous behavior can be identified.
Most cybercriminals are motivated by financial gain and are unlikely to target OT with the intention of causing health and safety issues or widespread public panic. However, threat actors involved in extortion will likely aim for disruption to business operations to increase the likelihood that an organization will pay a ransom.
Of the financially motivated threats, ransomware is highly likely to be the biggest threat to organizations using OT. In January 2024, two major water companies were targeted by ransomware attacks that led to data breaches. When Veolia, a North American water and wastewater systems operator, announced the attack, it confirmed the event did not affect its water treatment operations, only internal back-end systems. Meanwhile, UK water supplier Southern Water confirmed it had suffered a ransomware attack after the “Black Basta” ransomware group claimed to have leaked the company’s data on its data-leak website.
Arguably, the most impactful and widely publicized ransomware attack on critical infrastructure was the May 2021 attack on Colonial Pipeline, the largest fuel pipeline in the US, which transports refined petroleum throughout the southern and eastern US, moving millions of barrels per day. The ransomware attack, conducted by the “DarkSide” group, halted all pipeline operations for several days. It also led to the demise of DarkSide, which shut down its operations later in May 2021 following law-enforcement action.
After this event, many ransomware groups changed the operating rules for their affiliates, introducing a ban on targeting organizations involved in critical infrastructure, health care, education, and charitable projects. Affiliates were also told to seek approval from operators before working on new targets. However, these rules have not prevented all ransomware attacks on such institutions. In August 2022, the “Alphv” ransomware group claimed responsibility for an attack on a European gas pipeline, and as recently as January 31, 2024, the “LockBit” ransomware group targeted a US hospital.
These events serve as a reminder that OT is not immune to financially motivated cyber activity. As with organizations running traditional IT, it is equally important for organizations operating OT to protect their systems against the threat of ransomware. Blocking initial access attempts or having procedures in place that prevent significant operational downtime is key.
Typically conducted for ideological purposes, hacktivism often takes the form of website disruption or defacement, using denial of service (DoS) or distributed denial of service (DDoS) attacks. Hacktivist attacks are often unsophisticated, with minimal impact; however, the threat should not be overlooked. Recent attacks have also involved exfiltration of sensitive data from targets before destroying it, demonstrating that these threat actors can cause lasting damage to organizations.
Hacktivist groups prefer targeting entities that cannot afford significant downtime, particularly those involved in critical national infrastructure. These attacks are designed to disrupt business operations for the purpose of promoting the group’s ideological cause, which is why these groups seek media attention. Hacktivist groups like “Killnet” and “NoName057(16)” have thousands of followers on their affiliated Telegram channels, who can be directed to conduct DDoS attacks; there are even incentives for followers who conduct the most attacks. All of this serves to enhance the impact of the attacks.
Most hacktivist activity is driven by geopolitical events. We have previously observed pro-Russia hacktivist groups targeting organizations across multiple sectors within a single region after that region’s government announced support for the Ukrainian war effort. We have also observed attacks targeting specific sectors, such as banking and health care. Target selection typically follows these geopolitical and sectoral lines rather than the technologies a company runs; however, there have been limited examples of hacktivist groups directly targeting OT and ICSs.
In the context of the Israel-Hamas conflict, in late November 2023, the hacktivist group “SiegedSec” claimed to have breached Idaho National Laboratory, run by the US Department of Energy’s Office of Nuclear Energy. The group stole data that reportedly contained employees’ personal and financial information. SiegedSec also claimed to have breached the IT security of the North Atlantic Treaty Organization (NATO) on two occasions in 2023 and launched a series of attacks against IP addresses belonging to Israeli infrastructure and ICSs in October 2023.
SiegedSec is part of a wider group known as ThreatSec, which also encompasses “GhostSec,” “Stormous,” and “Blackforums.” In November 2023, ThreatSec claimed it was able to take full control of the IP routing for more than 5,000 servers in the Gaza region. Analysis following this claim showed that many ICSs are inadvertently exposed to the internet, leading threat actors to take advantage. Researchers found that some Israeli organizations had exposed a supervisory control and data acquisition (SCADA) communications protocol to the internet, as well as SCADA Message Queuing Telemetry Transport (MQTT) ports. Palestinian organizations were also reportedly exposing Siemens automation and Symantec systems to the internet. This highlights the importance of ensuring that ICSs are properly configured to prevent unsophisticated system compromises.
In addition to proper configuration, OT and ICSs should not be exposed to the internet, especially those running on legacy systems that no longer receive patches. Keeping them off the internet greatly reduces the chance that threat actors discover them while scanning for vulnerable instances; where remote access is unavoidable, broker it through a monitored jump host or VPN rather than exposing the device itself.
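The exposure described above is something a defender can check for from the outside. The script below is an added example, not code from this report or from ReliaQuest: it parses nmap's grepable (-oG) output and flags OT protocol ports open on internet-routable addresses. The scan output is a constructed sample (RFC 5737 documentation addresses stand in for public IPs), the port-to-protocol table is an assumption built from the well-known default ports of common OT protocols, and the internal-network list is deliberately explicit rather than relying on ipaddress.is_global, which would classify the documentation ranges as non-public.

```python
"""Flag internet-exposed ICS/SCADA services in nmap grepable (-oG) output.

Added example, not code from the report. The scan output below is a
constructed sample and the port table is an assumption; extend it to
match the equipment in your own inventory.
"""
import ipaddress
from typing import Dict, List

# Default ports of common OT / IIoT protocols (assumed; extend as needed).
ICS_PORTS: Dict[str, str] = {
    "102/tcp": "Siemens S7comm (ISO-TSAP)",
    "502/tcp": "Modbus/TCP",
    "1883/tcp": "MQTT (plaintext)",
    "8883/tcp": "MQTT over TLS",
    "2404/tcp": "IEC 60870-5-104",
    "4840/tcp": "OPC UA",
    "20000/tcp": "DNP3",
    "44818/tcp": "EtherNet/IP (CIP)",
    "47808/udp": "BACnet/IP",
}

# Non-routable ranges listed explicitly: the sample uses RFC 5737 documentation
# addresses (203.0.113.0/24, 198.51.100.0/24) as stand-ins for public IPs, and
# ipaddress.is_global would report those as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed nmap -oG output (not a real scan).
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tPorts: 502/open/tcp//mbap///, 1883/open/tcp//mqtt///, "
    "22/open/tcp//ssh///\tIgnored State: closed (997)\n"
    "Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 102/filtered/tcp//iso-tsap///"
    "\tIgnored State: closed (998)\n"
    "Host: 10.20.30.5 ()\tPorts: 502/open/tcp//mbap///, 102/open/tcp//iso-tsap///"
    "\tIgnored State: closed (998)\n"
    "Host: 198.51.100.7 ()\tPorts: 47808/open/udp//bacnet///\tIgnored State: closed (999)\n"
    "Host: 203.0.113.12 ()\tStatus: Down\n"
    "# Nmap done (constructed sample)\n"
)


def parse_grepable(text: str) -> Dict[str, List[str]]:
    """Map each scanned host to its open 'port/proto' entries."""
    hosts: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Fields are tab-separated "Name: value" pairs.
        fields: Dict[str, str] = {}
        for chunk in line.split("\t"):
            name, _, value = chunk.partition(":")
            fields[name.strip()] = value.strip()
        ip = fields["Host"].split()[0]
        open_ports: List[str] = []
        for entry in fields.get("Ports", "").split(","):
            # port/state/proto/owner/service/rpc/version/
            parts = entry.strip().split("/")
            if len(parts) >= 3 and parts[1] == "open":
                open_ports.append(f"{parts[0]}/{parts[2]}")
        hosts[ip] = open_ports
    return hosts


def is_internet_routable(ip: str) -> bool:
    """True unless the address falls in one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed(scan_text: str) -> List[dict]:
    """ICS services found open on internet-routable addresses."""
    findings = []
    for ip, ports in parse_grepable(scan_text).items():
        if not is_internet_routable(ip):
            continue
        for port in ports:
            if port in ICS_PORTS:
                findings.append({"ip": ip, "port": port, "protocol": ICS_PORTS[port]})
    return findings


if __name__ == "__main__":
    for f in find_exposed(SAMPLE_SCAN):
        print(f"EXPOSED {f['ip']:<15} {f['port']:<10} {f['protocol']}")
```

Run it against your own `nmap -sS -sU -p <ports> -oG - <your public ranges>` output; anything it prints is a device that a hacktivist port scan will find just as easily. Note that filtered ports (like the S7 port on the second host) are intentionally not reported, and that a match on a port is only a lead: confirm the service with a protocol-aware probe before escalating.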
Insider threats can usually be classified as either malicious or unwitting. Malicious insiders deliberately sabotage systems or steal proprietary information, whereas unwitting insiders unknowingly provide information or access to those who seek it for nefarious purposes. Motives vary between insider types but include revenge, financial gain, coercion, or, for the unwitting, a simple desire to be helpful.
Insiders can work alone, but they can also be recruited by independent or nation-state–associated threat actors who want to use their insider knowledge to conduct cyber attacks. Because of this knowledge, and because such attacks often use valid credentials, insider threats are harder for EDR or antivirus software to detect than other cyber threats.
Most insider-related events involve data breaches—stealing information is within the realm of most people’s technical expertise since they likely already have access to the required systems. Organizations running OT possess vast amounts of sensitive information, which will be valuable to cybercriminals looking to sell it and to nation-state–associated threat actors whose aim is to bring their host nation a strategic advantage. Therefore, organizations running OT should be alert to such threats to avoid substantial data breaches.
Insiders with technical competence can also cause changes to computer systems. Insiders may perform network reconnaissance or provide backdoor access for threat actors to support their campaigns. They may also add malicious code to software, encrypt valuable files, or change system configurations. For organizations running OT, this could result in machinery malfunctioning or ceasing to operate entirely, which could result in real-world consequences such as incorrect medicinal formulas or contaminated drinking water.
In June 2023, two former Tesla employees leaked information to the media about the car manufacturer’s employees, customers’ banking details, production secrets, and complaints about Tesla’s self-driving features. The media outlet was prohibited from publishing the data, but had that information landed in criminal hands, the consequences for Tesla would likely have been severe.
In January 2021, an employee fired from Stradis Healthcare pleaded guilty to breaching and temporarily disabling the US company’s shipping system. Although the employee’s credentials were revoked, the individual kept a secret account that provided him with access to the system. The insider’s action meant the distribution of lifesaving medical equipment during the COVID-19 pandemic was disrupted, demonstrating the potentially severe consequences of insider attacks.
To mitigate insider threats, disable all accounts used by or linked to ex-employees, or rotate their credentials, including shared and service accounts the leaver created or knew the credentials for. Apply the principle of least privilege so that access to sensitive information is granted only to those who need it. Finally, monitor and control remote access from all endpoints, including mobile devices.
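The Stradis case above turned on an account that survived offboarding. The script below is an added example, not code from this report or from ReliaQuest: it reconciles an HR roster against a directory export and flags enabled accounts of leavers, logons after a termination date, and service accounts that a leaver created and that nobody else owns. Both datasets are constructed, and the field names (login, enabled, last_logon, created_by) are assumptions standing in for whatever your HR feed and directory export actually provide.

```python
"""Offboarding reconciliation: compare an HR roster with a directory export
and flag accounts a leaver can still use.

Added example, not code from the report. Both datasets are constructed and
the field names are assumptions.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed HR feed: login -> termination date (None = still employed).
HR_ROSTER: Dict[str, Optional[date]] = {
    "jdoe": date(2024, 1, 15),
    "asmith": None,
    "bwong": date(2024, 3, 1),
}

# Constructed directory export. Service accounts have no HR record of their
# own, so ownership is inferred from whoever created them.
ACCOUNTS: List[dict] = [
    {"login": "jdoe", "enabled": True, "last_logon": date(2024, 2, 2), "created_by": "admin"},
    {"login": "asmith", "enabled": True, "last_logon": date(2024, 5, 20), "created_by": "admin"},
    {"login": "bwong", "enabled": False, "last_logon": date(2024, 2, 28), "created_by": "admin"},
    {"login": "svc_ship_backup", "enabled": True, "last_logon": date(2024, 4, 10), "created_by": "bwong"},
    {"login": "svc_historian", "enabled": True, "last_logon": date(2024, 5, 1), "created_by": "admin"},
]


def reconcile(roster: Dict[str, Optional[date]], accounts: List[dict]) -> List[Tuple[str, str]]:
    """Return (login, finding) pairs for every account that fails a check."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        login = acct["login"]
        if login in roster:
            left_on = roster[login]
            if left_on is None:
                continue  # current employee, nothing to check
            if acct["enabled"]:
                findings.append((login, f"still enabled after termination on {left_on}"))
            if acct["last_logon"] > left_on:
                findings.append((login, f"logon on {acct['last_logon']} after termination on {left_on}"))
        else:
            # No HR identity: a service or secondary account. If its creator has
            # left and it is still enabled, it is exactly the kind of leftover
            # access that lets a former employee back in.
            creator_left_on = roster.get(acct["created_by"])
            if creator_left_on is not None and acct["enabled"]:
                findings.append((login, f"enabled account created by leaver {acct['created_by']}"))
            elif acct["created_by"] not in roster:
                findings.append((login, "no identifiable owner; assign one or disable"))
    return findings


def remediation(findings: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Collapse findings into per-account actions for the ticket queue."""
    actions: Dict[str, Set[str]] = defaultdict(set)
    for login, why in findings:
        if why.startswith("no identifiable owner"):
            actions[login].add("assign-owner")
        else:
            actions[login].update({"disable", "rotate-credentials"})
    return dict(actions)


if __name__ == "__main__":
    found = reconcile(HR_ROSTER, ACCOUNTS)
    for login, why in found:
        print(f"{login:<18} {why}")
    for login, acts in remediation(found).items():
        print(f"ACTION {login:<18} {', '.join(sorted(acts))}")
```

Run this on every HR termination event rather than as a periodic audit: the Stradis account was used precisely in the gap between a termination and the next review. Rotating rather than only disabling matters for service accounts, because a leaver who knows a shared password can reuse it on any other system where it was copied.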
Public reporting on attacks directly targeting OT is infrequent and comes with scant detail. Below, we outline a theoretical but realistic attack scenario mapped against MITRE ATT&CK TTPs; the IT-side steps use Enterprise ATT&CK IDs (T1xxx) and the final impact uses ATT&CK for ICS IDs (T0xxx). In this case, we considered a Russia-linked APT targeting SCADA systems to steal sensitive information and cause a power blackout in Ukraine.
Initial Access: Spearphishing Attachment (T1566.001)
Execution: User Execution (T1204)
Persistence: Valid Accounts (T1078)
Credential Access: OS Credential Dumping (T1003)
Discovery: Network Service Discovery (T1046; formerly named Network Service Scanning)
Lateral Movement: Use Alternate Authentication Material: Pass the Hash (T1550.002; the retired ID T1075 was folded into this sub-technique)
Collection: Data from Information Repositories (T1213)
Collection: Data Staged (T1074)
Command and Control: Application Layer Protocol (T1071; the retired Commonly Used Port technique, T1043, is now covered here, with Non-Standard Port, T1571, for traffic on unexpected ports)
Exfiltration: Exfiltration Over C2 Channel (T1041)
Impact (ICS): Manipulation of View (T0832)
Impact (ICS): Loss of Control (T0827)
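Three of the chain's IT-side stages leave telemetry that a SOC can detect and correlate before the OT impact stage is reached. The script below is an added example, not code from this report or from ReliaQuest: it runs a scanning detector over constructed flow records, an LSASS-access detector and a pass-the-hash detector over constructed Windows events, and then groups the hits by the host that acted. The records, the IP-to-hostname map (ASSETS), the thresholds and the allowlist are all assumptions; the pass-the-hash fields follow a widely used Sigma heuristic (4624, logon type 3, NtLmSsp, KeyLength 0, null subject SID), which is known to need tuning per environment.

```python
"""Detect three stages of the attack chain above in constructed logs and
correlate them per source host: network service discovery (T1046), LSASS
credential dumping (T1003.001) and pass-the-hash (T1550.002).

Added example, not code from the report. All records are constructed; the
thresholds and field values are assumptions to be tuned to your telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

T0 = datetime(2024, 5, 21, 9, 0, 0)
ASSETS = {"10.10.1.23": "WS-ENG-07", "10.10.1.40": "WS-OPS-02"}  # constructed IP -> host map

# Constructed flow records: WS-ENG-07 probes ICS ports on three servers in 45 s;
# WS-OPS-02 talks to one service repeatedly (normal behaviour).
SCAN_TARGETS = [("10.50.0.10", 102), ("10.50.0.10", 502), ("10.50.0.10", 20000),
                ("10.50.0.10", 44818), ("10.50.0.11", 102), ("10.50.0.11", 502),
                ("10.50.0.11", 80), ("10.50.0.11", 443), ("10.50.0.12", 4840)]
FLOWS = [{"ts": T0 + timedelta(seconds=5 * i), "src": "10.10.1.23", "dst": d, "dport": p}
         for i, (d, p) in enumerate(SCAN_TARGETS)]
FLOWS += [{"ts": T0 + timedelta(minutes=i), "src": "10.10.1.40", "dst": "10.50.0.10", "dport": 443}
          for i in range(10)]

# Constructed, pre-normalised Windows events: Sysmon EID 10 and Security EID 4624.
EVENTS = [
    {"source": "sysmon", "event_id": 10, "host": "WS-ENG-07", "ts": T0 + timedelta(minutes=5),
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"source": "sysmon", "event_id": 10, "host": "WS-ENG-07", "ts": T0 + timedelta(minutes=6),
     "SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"source": "security", "event_id": 4624, "host": "SCADA-HMI-01", "ts": T0 + timedelta(minutes=12),
     "LogonType": 3, "LogonProcessName": "NtLmSsp", "KeyLength": 0, "SubjectUserSid": "S-1-0-0",
     "TargetUserName": "scada_admin", "IpAddress": "10.10.1.23"},
    {"source": "security", "event_id": 4624, "host": "SCADA-HMI-01", "ts": T0 + timedelta(minutes=13),
     "LogonType": 3, "LogonProcessName": "Kerberos", "KeyLength": 0, "SubjectUserSid": "S-1-0-0",
     "TargetUserName": "operator1", "IpAddress": "10.10.1.40"},
]


def detect_scanning(flows: List[dict], min_services: int = 8,
                    window: timedelta = timedelta(minutes=2)) -> List[dict]:
    """T1046: one source reaching many distinct host:port pairs inside a short window."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    hits = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            targets = {(r["dst"], r["dport"]) for r in recs[i:] if r["ts"] - first["ts"] <= window}
            if len(targets) >= min_services:
                hits.append({"ts": first["ts"], "actor": ASSETS.get(src, src), "technique": "T1046",
                             "detail": f"{len(targets)} distinct services probed within {window}"})
                break  # one alert per source is enough
    return hits


def detect_lsass_access(events: List[dict]) -> List[dict]:
    """T1003.001: a handle to lsass.exe with read rights from a non-allowlisted image."""
    suspicious = {"0x1010", "0x1038", "0x1fffff"}
    allowlist = ("\\csrss.exe", "\\wininit.exe", "\\msmpeng.exe")  # assumed; extend per environment
    return [{"ts": e["ts"], "actor": e["host"], "technique": "T1003.001",
             "detail": f"{e['SourceImage']} opened lsass.exe with {e['GrantedAccess']}"}
            for e in events
            if e["source"] == "sysmon" and e["event_id"] == 10
            and e["TargetImage"].lower().endswith("\\lsass.exe")
            and e["GrantedAccess"].lower() in suspicious
            and not e["SourceImage"].lower().endswith(allowlist)]


def detect_pth(events: List[dict]) -> List[dict]:
    """T1550.002: NTLM network logon with no session key and a null subject SID,
    recorded on the target host and attributed back to the source IP."""
    return [{"ts": e["ts"], "actor": ASSETS.get(e["IpAddress"], e["IpAddress"]),
             "technique": "T1550.002",
             "detail": f"{e['TargetUserName']} logged on to {e['host']} via NTLM from {e['IpAddress']}"}
            for e in events
            if e["source"] == "security" and e["event_id"] == 4624 and e["LogonType"] == 3
            and e["LogonProcessName"] == "NtLmSsp" and e["KeyLength"] == 0
            and e["SubjectUserSid"] == "S-1-0-0"
            and e["TargetUserName"] != "ANONYMOUS LOGON" and not e["TargetUserName"].endswith("$")]


def correlate(hits: List[dict]) -> Dict[str, List[str]]:
    """Order every hit by time and group the technique IDs by the host that acted."""
    chains: Dict[str, List[str]] = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["ts"]):
        chains[h["actor"]].append(h["technique"])
    return dict(chains)


if __name__ == "__main__":
    hits = detect_scanning(FLOWS) + detect_lsass_access(EVENTS) + detect_pth(EVENTS)
    for h in sorted(hits, key=lambda h: h["ts"]):
        print(f"{h['ts']:%H:%M:%S} {h['actor']:<12} {h['technique']:<10} {h['detail']}")
    for actor, chain in correlate(hits).items():
        if len(chain) >= 2:
            print(f"ALERT {actor}: multi-stage activity {' -> '.join(chain)}")
```

Each detector on its own is noisy (vulnerability scanners trip the first, backup agents and EDR sensors the second, legacy NTLM-only applications the third); the value is in the correlation, where the same engineering workstation scanning the SCADA segment, reading LSASS, and then authenticating to an HMI with NTLM in the space of twelve minutes is hard to explain benignly. Attributing the 4624 back to its source IP is what lets the third stage join the chain, so the asset map needs to be real, not a stand-in as here.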