Study finds cyber-criminals are shifting tactics to favour multi-stage ransomware attacks that include stealing sensitive data to maximise damage and profits
A new study has added fresh urgency to concerns around the vulnerability of critical infrastructure to cyber-attacks.
Researchers at Cybereason said a fake industrial control network set up to lure attackers was quickly compromised by cyber-criminals who stole data and triggered a ransomware attack.
The network, set up earlier this year, followed up on a similar experiment in 2018.
It was made to look like an electricity company with operations in North America and Europe, and included common security vulnerabilities, as well as controls such as segmentation between different environments.
The network included an IT environment, operational technology and human-machine interfaces.
Cybereason found that attackers were able to quickly brute-force the administrator password used for publicly accessible remote administration interfaces and gain access to the network.
The attacker then executed a PowerShell script that created a backdoor user account, allowing them to continue their operations.
They stole login credentials, allowing them to move laterally across the network and compromise more machines, harvesting additional credentials along the way.
The compromised endpoints included data controllers, which can take up to several hours to infiltrate, Cybereason said.
Although ransomware was implanted on the systems early on, it was activated only after the other data had been compromised, in order to maximise the attackers’ leverage over their target.
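The early stages of the intrusion described above (a brute-forced administrator login on a remote administration interface, followed by a script that creates a backdoor account) leave a recognisable footprint in authentication logs. The following detection sketch is an added example, not Cybereason's code or anything from the study: it runs over a constructed set of log lines shaped after Windows Security events (4625 failed logon, 4624 successful logon, 4720 user account created) and flags a success preceded by a burst of failures from the same source, then links it to any account created shortly afterwards by the same user. The event format, thresholds and time windows are assumptions chosen for illustration.

```python
"""Detect a brute-forced logon followed by a new account (added example).

Event lines are constructed for this example and loosely follow Windows
Security event IDs: 4625 = failed logon, 4624 = successful logon,
4720 = user account created. Field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: how many failures within FAIL_WINDOW count as a
# brute-force attempt, and how long after the success we look for a new account.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)
ACCOUNT_WINDOW = timedelta(minutes=30)

# Constructed sample log. Two benign logons (one with a single typo), then a
# source that hammers "admin", succeeds, and creates "svc_backup" minutes later.
SAMPLE_EVENTS = [
    "2020-05-01T01:58:00 4624 src=198.51.100.20 user=operator",
    "2020-05-01T01:59:30 4625 src=198.51.100.21 user=jsmith",
    "2020-05-01T01:59:45 4624 src=198.51.100.21 user=jsmith",
    "2020-05-01T02:00:01 4625 src=203.0.113.7 user=admin",
    "2020-05-01T02:00:02 4625 src=203.0.113.7 user=admin",
    "2020-05-01T02:00:03 4625 src=203.0.113.7 user=admin",
    "2020-05-01T02:00:04 4625 src=203.0.113.7 user=admin",
    "2020-05-01T02:00:05 4625 src=203.0.113.7 user=admin",
    "2020-05-01T02:00:06 4625 src=203.0.113.7 user=admin",
    "2020-05-01T02:00:07 4624 src=203.0.113.7 user=admin",
    "2020-05-01T02:04:40 4720 actor=admin user=svc_backup",
]


def parse_event(line):
    """Split '<iso-timestamp> <event-id> key=value ...' into a dict."""
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id), **kv}


def detect_bruteforce_then_backdoor(lines):
    """Return one finding per successful logon preceded by a failure burst.

    A finding is upgraded to 'bruteforce_then_new_account' when the same
    user creates an account within ACCOUNT_WINDOW of the suspicious logon.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    failures = defaultdict(list)  # (src, user) -> timestamps of recent 4625s
    findings = []
    for i, ev in enumerate(events):
        key = (ev.get("src"), ev.get("user"))
        if ev["id"] == 4625:
            failures[key].append(ev["ts"])
        elif ev["id"] == 4624:
            recent = [t for t in failures[key] if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                finding = {
                    "type": "bruteforce_success",
                    "src": ev["src"],
                    "user": ev["user"],
                    "ts": ev["ts"],
                    "failures": len(recent),
                }
                # Look ahead for an account created by the brute-forced user.
                for later in events[i + 1:]:
                    if later["ts"] - ev["ts"] > ACCOUNT_WINDOW:
                        break
                    if later["id"] == 4720 and later.get("actor") == ev["user"]:
                        finding["type"] = "bruteforce_then_new_account"
                        finding["new_account"] = later["user"]
                        break
                findings.append(finding)
            # A success (suspicious or not) ends the current failure run.
            failures[key].clear()
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce_then_backdoor(SAMPLE_EVENTS):
        print(f)
```

Keying failures on the (source, user) pair keeps a single mistyped password from a normal user below the threshold, while the look-ahead ties the account-creation event to the brute-forced identity rather than to any account creation on the host; in a real pipeline the event IDs, field names and windows would be tuned to the organisation's own log sources.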
“This attack highlights an ongoing trend where ransomware attacks are no longer just deploying and detonating; they are taking their time to maximise their profit per targeted organisation by impacting the availability of multiple machines and the confidentiality of proprietary data,” Cybereason said in an advisory.
Ransomware attackers are expanding their hacking operations to include data breaches and damaging companies’ reputations by releasing sensitive data, the company added.
Israel Barak, Cybereason’s chief information security officer, said attackers are increasingly focusing on such multi-stage attacks.
“Given the results of this research, we conclude that multistage ransomware attacks on critical infrastructure providers are increasingly dangerous and more prevalent,” he said in an analysis of the findings.
He said critical infrastructure providers are particularly at risk from a “constant barrage” of cyber-attacks by “motivated and oftentimes well-funded groups” of cyber-criminals and state-sponsored actors.
The shift toward multi-stage attacks has occurred over the past two years, Barak said.
The change has come as hackers more closely target particular companies in order to make more money from each successful infection, he said.
But the more gradual approach also gives organisations an opportunity to detect and respond after their networks have been compromised, Barak said.
“This operational pattern… represents an opportunity for defenders with a rapid detection and response process to detect the attack at its early stages and respond effectively before ransomware is able to impact the environment,” he wrote in the study.