Microsoft is emphasizing the need to secure operational technology (OT) devices following a series of cyber attacks targeting internet-exposed OT devices since the second half of 2023.
“These repeated attacks against OT devices highlight the need to improve the security posture of OT devices to prevent critical systems from being easily targeted,” Microsoft's threat intelligence team said.
The company noted that cyber attacks on OT systems could allow malicious actors to tamper with critical parameters used in industrial processes, either programmatically via programmable logic controllers (PLCs) or using graphical controls in human-machine interfaces (HMIs), causing malfunctions or system outages.
Moreover, the company said, OT systems often lack proper security mechanisms and can be exploited by adversaries to carry out attacks that are “relatively easy to execute,” a risk that is exacerbated by directly connecting OT devices to the internet.
This allows attackers to not only discover devices through internet scanning tools, but also weaponize them to gain initial access by exploiting weak sign-in passwords or outdated software with known vulnerabilities.
Last week, Rockwell Automation issued an advisory urging customers to disconnect all industrial control systems (ICS) that are not intended to be connected to the public internet, citing “elevated geopolitical tensions and hostile cyber activity worldwide.”
The US Cybersecurity and Infrastructure Security Agency (CISA) also released a bulletin warning that pro-Russian hacktivists were targeting vulnerable industrial control systems in North America and Europe.
“Specifically, pro-Russian hacktivists manipulated the HMI to exceed normal operating parameters for water pumps and fans,” the agency said. “In each case, the hacktivists set the settings to maximum, changed other settings, turned off alarms, and changed administrative passwords to lock out WWS operators.”
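The HMI manipulation CISA describes (setpoints pushed to their maximum, alarms switched off, administrative passwords changed by the same account within minutes) is a sequence a defender can look for in HMI audit logs rather than discovering after the fact. The following Python is an added example, not code from CISA, Microsoft or any HMI vendor; the audit-log line format, the tag names, the engineering limits, the sample log lines and the 30-minute window are all constructed for illustration.

```python
"""Flag the HMI-tampering pattern CISA describes: setpoints driven to their
maximum, alarms disabled and the admin password changed by one account
within a short window.

Added example; not code from CISA, Microsoft or any HMI vendor. The log
format, tag names, limits and sample lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional
import re

# Constructed: the engineering range the HMI normally enforces per setpoint tag.
TAG_LIMITS = {
    "PUMP1_SPEED": (0.0, 1800.0),
    "PUMP2_SPEED": (0.0, 1800.0),
    "FAN2_SPEED": (0.0, 3000.0),
}

# Constructed audit-line format: ISO timestamp, user, action, optional tag/value.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: tag=(?P<tag>\S+))?(?: value=(?P<value>-?\d+(?:\.\d+)?))?$"
)

WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample log: operator7 matches the CISA pattern, dayshift does not.
SAMPLE_LOG = [
    "2024-05-01T02:13:05Z user=operator7 action=setpoint tag=PUMP1_SPEED value=1800",
    "2024-05-01T02:13:09Z user=operator7 action=setpoint tag=FAN2_SPEED value=3000",
    "2024-05-01T02:13:20Z user=operator7 action=alarm_disable tag=PUMP1_HIGH_TEMP",
    "2024-05-01T02:14:02Z user=operator7 action=password_change tag=admin",
    "2024-05-01T08:00:00Z user=dayshift action=setpoint tag=PUMP2_SPEED value=900",
    "2024-05-01T08:02:11Z user=dayshift action=alarm_ack tag=PUMP2_LOW_FLOW",
    "this line is not in the expected format",
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["value"] = float(ev["value"]) if ev["value"] is not None else None
    return ev


def analyze(lines, window: timedelta = WINDOW) -> list:
    """Return one finding per user whose actions inside `window` show at least
    two setpoints at or above their maximum plus an alarm disable or an admin
    password change."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_user[ev["user"]].append(ev)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        # Sliding window anchored at each event in turn.
        for i, start in enumerate(events):
            span = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            max_setpoints = sum(
                1 for e in span
                if e["action"] == "setpoint" and e["tag"] in TAG_LIMITS
                and e["value"] is not None
                and e["value"] >= TAG_LIMITS[e["tag"]][1]
            )
            alarms_off = sum(1 for e in span if e["action"] == "alarm_disable")
            pw_changes = sum(
                1 for e in span
                if e["action"] == "password_change" and e["tag"] == "admin"
            )
            if max_setpoints >= 2 and (alarms_off or pw_changes):
                findings.append({
                    "user": user,
                    "window_start": start["ts"].isoformat(),
                    "max_setpoints": max_setpoints,
                    "alarms_disabled": alarms_off,
                    "password_changes": pw_changes,
                })
                break  # one finding per user is enough
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The thresholds are deliberately simple; in practice the limits would come from the HMI's own tag database and the rule would be tuned to the plant's normal operating envelope so that a legitimate maintenance run does not trip it.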
Microsoft further stated that the outbreak of war between Israel and Hamas in October 2023 led to a surge in cyber attacks against internet-exposed and poorly secured OT assets developed by Israeli companies, many of which were carried out by Iran-linked groups such as the Cyber Avengers, Soldiers of Solomon and Abuna al-Saada.
Redmond said the attacks targeted OT equipment manufactured by international vendors deployed in various sectors in Israel, as well as OT equipment sourced from Israel and deployed in other countries.
These OT devices “are primarily internet-exposed OT systems that may have weak security postures, weak passwords and known vulnerabilities,” it added.
To mitigate the risks posed by such threats, organizations are encouraged to maintain security hygiene for their OT systems, specifically by reducing the attack surface (above all by removing direct internet exposure) and implementing zero trust practices to prevent attackers from moving laterally within a compromised network.
The development comes after OT security firm Claroty analyzed a destructive malware strain called Fuxnet that was allegedly used by the suspected Ukraine-backed Blackjack hacking group against Moscollector, a Russian company that owns a large network of sensors that monitors Moscow's groundwater and sewerage systems and provides emergency detection and response.
Blackjack, which published details of the attack early last month, described Fuxnet as “Stuxnet on steroids,” with Claroty noting that the malware was likely deployed remotely to targeted sensor gateways using protocols such as SSH and Sensor Protocol (SBK) over port 4321.
Fuxnet has the ability to permanently corrupt the filesystem, block access to the device, and continuously write and rewrite memory to physically destroy the NAND memory chips on the device, rendering it inoperable.
Additionally, it is designed to rewrite the UBI volume to prevent the sensor from rebooting, and ultimately to destroy the sensor itself by flooding it with false Meter-Bus (M-Bus) messages.
“The attackers developed and deployed malware targeted at the gateway, deleting file systems and directories, disabling remote access services and routing services on each device, rewriting flash memory, corrupting NAND memory chips and UBI volumes, and taking other actions to further disrupt the operation of the gateway,” Claroty noted.
According to data published earlier this week by Russian cybersecurity firm Kaspersky, the internet, email clients and removable storage devices emerged as the main sources of threats to computers within organizations' OT infrastructure in the first quarter of 2024.
“Malicious actors use scripts for a variety of purposes, including information gathering, tracking, redirecting browsers to malicious sites, and uploading various types of malware (such as spyware and silent crypto miners) to users' systems and browsers,” the company said. “They are spread over the internet and email.”